Output from an API Gateway Lambda authorizer
A Lambda authorizer function's output is a dictionary-like object, which must include the principal identifier
(principalId) and a policy document (policyDocument) containing a list of policy
statements. The output can also include a context map containing key-value pairs. If the API uses a
usage plan (the apiKeySource is set
to AUTHORIZER), the Lambda authorizer function must return one of the usage plan's API keys as the
usageIdentifierKey property value.
The following shows an example of this output.
{ "principalId": "yyyyyyyy", // The principal user identification associated with the token sent by the client. "policyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": "execute-api:Invoke", "Effect": "Allow|Deny", "Resource": "arn:aws:execute-api:{regionId}:{accountId}:{apiId}/{stage}/{httpVerb}/[{resource}/[{child-resources}]]" } ] }, "context": { "stringKey": "value", "numberKey": "1", "booleanKey": "true" }, "usageIdentifierKey": "{api-key}" }
Here, a policy statement specifies whether to allow or deny (Effect) the API Gateway execution service
to invoke (Action) the specified API method (Resource). You can use a wild card
(*) to specify a resource type (method). For information about setting valid policies for calling
an API, see Statement reference of IAM
policies for executing API in API Gateway.
For an authorization-enabled method ARN, e.g.,
arn:aws:execute-api:,
the maximum length is 1600 bytes. The path parameter values, the size of which are determined at run time, can
cause the ARN length to exceed the limit. When this happens, the API client will receive a {regionId}:{accountId}:{apiId}/{stage}/{httpVerb}/[{resource}/[{child-resources}]]414 Request URI
too long response.
In addition, the Resource ARN, as shown in the policy statement output by the authorizer, is currently limited to 512 characters long. For this reason, you must not use URI with a JWT token of a significant length in a request URI. You can safely pass the JWT token in a request header, instead.
You can access the principalId value in a mapping template using the
$context.authorizer.principalId variable. This is useful if you want to pass the value to the
backend. For more information, see $context Variables for data
models, authorizers, mapping templates, and CloudWatch access logging.
You can access the stringKey, numberKey, or booleanKey value (for
example, "value", "1", or "true") of the context map in a
mapping template by calling $context.authorizer.stringKey,
$context.authorizer.numberKey, or $context.authorizer.booleanKey, respectively. The
returned values are all stringified. Notice that you cannot set a JSON object or array as a valid value of any key
in the context map.
You can use the context map to return cached credentials from the authorizer to the backend,
using an integration request mapping template. This enables the backend to provide an improved user experience by
using the cached credentials to reduce the need to access the secret keys and open the authorization tokens for
every request.
For the Lambda proxy integration, API Gateway passes the context object from a Lambda authorizer
directly to the backend Lambda function as part of the input event. You can retrieve the
context key-value pairs in the Lambda function by calling
$event.requestContext.authorizer..
key
{api-key} stands for an API key in the API stage's usage plan. For more information, see Usage plans and API keys for REST APIs in API Gateway.
The following shows example output from the example Lambda authorizer. The example output contains a policy
statement to block (Deny) calls to the GET method for the dev stage of an
API (ymy8tbxw7b) of an AWS account (123456789012).
{ "principalId": "user", "policyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": "execute-api:Invoke", "Effect": "Deny", "Resource": "arn:aws:execute-api:us-west-2:123456789012:ymy8tbxw7b/dev/GET/" } ] } }
