Secure your API Gateway with Lambda Authorizer | Step by Step AWS Tutorial

Подписаться 222 тыс.

Просмотров 150 тыс.

50% 1

Using AWS API Gateway and Lambda based authorizers, we can secure our API Gateway REST endpoint. Learn how to do it in this step by step tutorial.
Looking to get hands on experience building on AWS with a REAL project? Check out my course - The AWS Learning Accelerator! courses.beabetterdev.com/cour...
Interested in Authentication using Cognito instead? Check out • Secure your API Gatewa...
04:46 Creating an API Gateway Endpoint
07:04 Creating an AWS Lambda Function
09:10 Connecting API Gateway to Lambda
11:55 Creating a Lambda Authorizer for API Gateway
21:05 Testing our Authorizer
21:36 Connecting our Authorizer to our API Gateway Endpoint
🎉SUPPORT BE A BETTER DEV🎉
Become a Patron: / beabetterdev
📚 MY RECOMMENDED READING LIST FOR SOFTWARE DEVELOPERS📚
Clean Code - amzn.to/37T7xdP
Clean Architecture - amzn.to/3sCEGCe
Head First Design Patterns - amzn.to/37WXAMy
Domain Driver Design - amzn.to/3aWSW2W
Code Complete - amzn.to/3ksQDrB
The Pragmatic Programmer - amzn.to/3uH4kaQ
Algorithms - amzn.to/3syvyP5
Working Effectively with Legacy Code - amzn.to/3kvMza7
Refactoring - amzn.to/3r6FQ8U
🎙 MY RECORDING EQUIPMENT 🎙
Shure SM58 Microphone - amzn.to/3r5Hrf9
Behringer UM2 Audio Interface - amzn.to/2MuEllM
XLR Cable - amzn.to/3uGyZFx
Acoustic Sound Absorbing Foam Panels - amzn.to/3ktIrY6
Desk Microphone Mount - amzn.to/3qXMVIO
Logitech C920s Webcam - amzn.to/303zGu9
Fujilm XS10 Camera - amzn.to/3uGa30E
Fujifilm XF 35mm F2 Lens - amzn.to/3rentPe
Neewer 2 Piece Studio Lights - amzn.to/3uyoa8p
💻 MY DESKTOP EQUIPMENT 💻
Dell 34 inch Ultrawide Monitor - amzn.to/2NJwph6
Autonomous ErgoChair 2 - bit.ly/2YzomEm
Autonomous SmartDesk 2 Standing Desk - bit.ly/2YzomEm
MX Master 3 Productivity Mouse - amzn.to/3aYwKVZ
Das Keyboard Prime 13 MX Brown Mechanical- amzn.to/3uH6VBF
Veikk A15 Drawing Tablet - amzn.to/3uBRWsN
🌎 Find me here:
Twitter - / beabetterdevv
Instagram - / beabetterdevv
Patreon - Donations help fund additional content - / beabetterdev
Code: gist.github.com/beabetterdevv...
#APIGateway
#Lambda
#AWS

Опубликовано:

24 янв 2021

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 174

@chaitanyagupta4741 9 месяцев назад

What an amazing video. Clear and very well organized explanation . It worked like a charm for me. Thank you for your work!

@Ricno2008 3 года назад

Greetings from São Paulo/Brazil my friend, congratulations for your incredible work.

@BeABetterDev 3 года назад

Thank you! Cheers!

@vighneshpp 3 года назад

Awesome video. To the point and crystal clear. Thank you for making this video. Definitely going to recommend this channel to my peers!

@BeABetterDev 3 года назад

Thanks Vighnesh for the kind words and super glad you enjoyed!

@GameChameleonChannel 2 года назад

@@BeABetterDev hey boss, I follow your steps step by step, when I test the authorizer I get a "AuthorizerFailureException" error any clues why this would be?

@skularatna8136 7 месяцев назад

@@BeABetterDev my devs are using a lambda function authoriser using auth0 for an api gateway but ever so often when a client tries to access an endpoint to do a PUT or POST method for example the token has already expired. Any ideas ?

@ADV-IT 3 месяца назад

Thanks, very clear explanation!

@souadsadki1906 3 года назад

Can't wait to see another interessting video, great content as always. Keep the good work !

@BeABetterDev 3 года назад

Thank you very much!

@rueliotube 2 года назад

Awesome! I appreciate this clear and easy demo.

@BeABetterDev 2 года назад

You're very welcome!

@markmishyn Год назад

I'm so grateful! Without this crucial information about delay on 22:08 I was unable to attach my authorizer to a method.

@NomadVlogs 2 года назад

Awesome video. To the point and crystal clear. Thank you for making this video.

@BeABetterDev 2 года назад

You're very welcome!

@monzermasri4490 3 года назад

what a clear explanation, great job

@BeABetterDev 3 года назад

Thanks Mohamed! Glad you enjoyed and thanks for the support!

@ibraheemalsaady3216 Год назад

Great video, it helped me understand the flow. Thanks a lot

@tomascostantino5532 18 дней назад

Legend, I had my handler make requests to the auth service and not working, this is so handy. Thanks

@vinodkotha9879 2 года назад

Your tutorials are great and helpful.

@BeABetterDev 2 года назад

Thanks so much Vinod!

@Disproportionableness 8 месяцев назад

The is exactly the foundation I needed to get started with gateway auth. Thank you thank you thank you thank you thank you.

@sudhirtataraju9853 3 года назад

Excellent Demo! Thankyou soo much sir

@BeABetterDev 3 года назад

You're very welcome sudhir!

@MyLifeWithKai Год назад

This was really easy to follow! Thank you!

@BeABetterDev Год назад

You're very welcome Neha!

@ChronologieIV 2 года назад

Really clear and helpful. Thanks.

@BeABetterDev 2 года назад

You're very welcome!

@baidya87 2 года назад

Thank you!! Very well explained.

@BeABetterDev 2 года назад

Glad it was helpful!

@SteelTrapSoftware 2 года назад

Very useful, thank you!

@vijayyadav1002 Год назад

Very helpful video. I had it done through cloudformation template and it worked. Keep up the good work.

@BeABetterDev Год назад

Glad it helped Vijay!

@christopher5731 3 года назад

Excellent video! Keep up the good work.

@BeABetterDev 3 года назад

Thank you very much!

@ErikaGiselleGutierrez Год назад

Great tutorial!!!! Thank you

@gingacode Год назад

Thank you. Awesome video.

@tolulopeibiyode3104 2 года назад

Your work is appreciated.

@BeABetterDev 2 года назад

Thank you!

@VishalRaoOnYouTube 3 года назад

Oh YEAH! Gonna watch this tonight! Thanks man!

@BeABetterDev 3 года назад

Hope you like it!

@VishalRaoOnYouTube 3 года назад

@@BeABetterDev It was awesome. Thanks again! I also appreciate linking to the source code Gist.

@brenoa.santos4493 3 года назад

Great video! Thanks

@BeABetterDev 3 года назад

You're very welcome Breno!

@VishalRaoOnYouTube 3 года назад

2:37 I think they make you return a relatively complex policy document (as a opposed to a simple "Allow"/"Deny") so that you can Allow/Deny for an array of resource ARNs.

@BeABetterDev 3 года назад

Hi Vishal I think you're right, doing it this way gives a lot of flexibility to developers to produce some interesting experiences. Thanks for watching!

@ChronologieIV 2 года назад

You're right Vishal. In that way one could allow/deny an entire "tree" of related endpoints based on a role, for instance.

@vijayvavilapalli1002 2 года назад

We expect more videos from you.. like this thankyou

@coderite6311 2 года назад

Oh My this video is a life saver Thanks so much for this

@BeABetterDev 2 года назад

You're very welcome!

@kanishksoni4579 Год назад

beautifully explained

@HimanshuKumar-xz5tk 3 года назад

This is some good work. Thanks.

@BeABetterDev 3 года назад

Thanks Himanshu! Glad you enjoyed.

@MohammedNoureldin 3 года назад

Very good video! Thanks a lot!

@BeABetterDev 3 года назад

Thanks Mohammed! Glad you enjoyed.

@satya4866 3 года назад

Awesome dude. Thank you

@BeABetterDev 3 года назад

You're very welcome satya!

@kunalsaha9526 2 года назад

Appreciate your knowledge !

@BeABetterDev 2 года назад

Glad you enjoyed Kunal!

@wholeofmine 2 года назад

Super Explanation !!

@BeABetterDev 2 года назад

Thanks Prasad!

@Harry-jj6qw 3 года назад

great stuff, thank you!

@BeABetterDev 3 года назад

My pleasure!

@krishind99 3 года назад

This is fantastic. Would love to see, how and where authorization token is generated. Do you have a video on that?

@BeABetterDev 3 года назад

Hi Krishnan, I have another video coming out soon on securing your API using Cognito which uses user tokens. Stay tuned!

@DanielLpz1 8 месяцев назад

Nice video, help me a lot !!

@Hackenbaker 2 года назад

Awesome!!! TRhanks a lot.

@thamizhi6819 3 года назад

Crystal Clear Bro

@BeABetterDev 3 года назад

Thank you Thamizhi!

@pedrobb7 3 года назад

Super helpful, thanks.

@BeABetterDev 3 года назад

You're very welcome Pedro!

@Venturebits Год назад

Thank you, Amazing Video

@BeABetterDev Год назад

You’re very welcome!

@pradeepmca 3 года назад

Were exactly is policy document configured? How is the policy response format is validated? Based on Policy response from authorize, how does API gateway interpret to have the intelligence to allow or deny a request? These clarity on these to get full understanding of nicely explained video.

@dftwitch 2 года назад

wow thanks!, you saved me hours of time.

@BeABetterDev 2 года назад

Glad I could help.

@vijayvavilapalli1002 2 года назад

Thankyou this is really helpful to me...

@BeABetterDev 2 года назад

Youre very welcome Vijay!

@vsingh-26 Год назад

Great, to the point video, exactly what I wanted. Thank you. Does anyone know if a request header can be updated in the custom authorizer before the sending the request to the service fronted by the API gateway?

@j2s.768 Год назад

This is very helpful.

@BeABetterDev Год назад

Thank you!

@alexandremunhoes3421 3 года назад

Great video!!!!

@BeABetterDev 3 года назад

Thanks Alexandre!

@buildingtechies Год назад

You are a day saver.

@tamiltoken 2 года назад

Perfect explanation special thanks from Tamil Crypto

@BeABetterDev 2 года назад

You're very welcome!

@MS-ew2ru Год назад

thanks for the great tutorial, really helpful! one thing I still can't get, how can we pass actual tokens to this lambda authorizer (as in instead of"abc123" in this example)?

@mdasifkhan6520 11 месяцев назад

thanks man

@steveb7600 2 года назад

It seems to serve the same purpose as creating an API key but has more developed options.

@ClicksoftheWild Год назад

Thank you

@alxx736 2 года назад

Hi ! Always great . I still dont understand how you authenticate the user ,how the user got the autherization token.

@chaitanya7903 3 года назад

thank you

@tuannguyenanh838 2 года назад

thank you!

@BeABetterDev 2 года назад

You're very welcome!

@rsbl 3 года назад

Thanks for this! Exactly what I am looking to implement next! What's the program you're using for the architecture diagram??

@BeABetterDev 3 года назад

Hi Rosbel! You're very welcome. The software I am using is called www.draw.io !

@huscachafe Год назад

Great 🎉

@martinmillar1536 2 года назад

I do this authorization in my lambda functions. I read the API key from body/header, check it's OK, and if it is I run the rest of the code. Is there any reason why I shouldn't be doing this? Any cost or anything else reasons? The only thing I can think of is that you have a single 'authorization function', but I don't know if I'm missing anything else. Thank you. And great videos BTW. Helped me a lot getting a project using Lambda and Dynamo up and running properly.

@abdoualgerian5396 3 года назад

Hi man , hope you're doing well , your youtube channel is teaching gold and i need to spend a lot of time in here but i dunno where to start knowing that i'm new to aws , could you or anyone of your fans help me please ? i appreciate your help

@amilasilva7 2 года назад

Keep this up brohhh

@BeABetterDev 2 года назад

Will do! Thanks Amila.

@isaacmartinezsanchez2963 3 года назад

Thanks

@BeABetterDev 3 года назад

You're very welcome Isaac!

@kowshikjayakumar8405 3 года назад

How can we contruct authResponse , Is there ant predefined json there we can use ?

@anuradharamesh3377 3 года назад

Thank you this is incredible. Quick question, how does the end user of the API provide the authorizationToken? After I deploy the API and I need to share it with my end users, what step is needed for them to invoke this API and enter the token? Can you please clarify? Thank you!

@BeABetterDev 3 года назад

Hi Anuradha, Great question. So this method (using a Lambda authorizer) assumes you are using you are validating your users login and password through a separate API and generating a token that is stored in a database somewhere. When calling the API in this video, the token would be provided as an input and validated by the Lambda authorizer by inspecting the token to ensure it is in the database. This is just one way of doing it but hopefully it gives you an idea of how it could be done. If you are looking for an easier way to manage user credentials and tokens, check out my other video where I did the same thing with API gateway, but used a Amazon Cognito user pool authorizer. Link here: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-oFSU6rhFETk.html Hope this helps, Daniel

@anuradharamesh3377 3 года назад

@@BeABetterDev Thank you Daniel

@CarlosMito 2 года назад

Awesome! Thanks I have doubt, can i return a different response if is it Unauthorized ? A custom object ? And I have troubles to get that message "Unauthorized" from Angular, always return status 0, from postman all Ok

@guybraunstain4639 2 года назад

Nice, is it possible to use AWS_IAM authorizer with the lambda authorizer too?

@mendonrohan 6 месяцев назад

good video

@BeABetterDev 6 месяцев назад

Thanks!

@nitinjanagam 3 года назад

Could you please do a video on using a Cognito Authorizer for securing API Gateway?

@BeABetterDev 3 года назад

Hi Nitsy, this is coming soon. Thanks for the suggestion!

@touhidulislam5286 Год назад

Is putting account ID into the policyDocument good practice? Is there any other way to do that?

@jasonpanugaling 3 года назад

can you do a nodejs version for this please?

@damiengeranton7375 2 года назад

Hello, Thanks for your videos that are very clear. I am new in AWS but it seems that the console has changed and I do not see the same thinks that you present. Your version seems much better. Do you think how I could use the same console version as yours ? For example in my version I do not find any test capability. I do not have resource menu ...

@damiengeranton7375 2 года назад

I answer my own question;-) It could help someone else. I finally found the reason, I created an HTTP API and not a REST API. It leads to have a different UI.

@BeABetterDev 2 года назад

Hi Damien. You beat me to it. It looks like the AWS team is slowly migrating users to HTTP APIs, but the concepts demonstrated in this video should remain the same. Daniel

@darianarguello1991 2 года назад

Hi, thanks for the video! Configure exactly the same as mentioned but with the difference that my API is not in a lambda. I redirect http traffic to my server. When I post to my API I get the following error: "Message": "User is not authorized to access this resource" Do you know what that could be? Thanks!

@soumyabratamukherjee3613 Год назад

I have created the rest API as per your suggestion. But the only difference is that is a private API as I cannot create a regional API. This is creating issue while trying to call authorizer lambda as it is mandatory to give resource policy to the API. Could you please suggest how to do the authorization for a private rest API?

@shafeevkd 4 месяца назад

Thanks for the video. I have a doubt about what the difference is if I'm writing the logic to authorize the Api in connect Lambda itself instead of a custom lambda authorizer.

@prakashKumar-zj8nw 4 месяца назад

Suppose you have 100 different lambdas . Then you will have to write the same code 100 times . Using this you just need to attach this lambda to every lambda .

@santhoshkumar2297 2 года назад

Hi , Make video using azure ad group for api auth restrictions using lambda authorizer.

@madhumsr2814 3 года назад

Hi how can we find policy document which was in authResponse?

@manthanrathod1046 6 месяцев назад

Can we use this Authorizer (lambda function that authorises the token) for multiple lambda functions (lambda function that returns the actual response)?

@mikeyinger4204 2 года назад

Thanks for a helpful tutorial. Why name the GET lambda function DemoHandler? Doesn't this function return 'customer' data? Why not name it CustomerHandler?

@josepoktopus8924 Год назад

For cors problem: 1. Api gw, enable cors 2. allow headers

@rohangarad6514 3 года назад

hello , i don't know much about it, can u please how can resolve 403 Forbidden error showing in my postman response. or do i need to change any other setting ?

@mjerez6029 Год назад

what is the advantage of this vs handling the authorization in the original lambda handler with your business logic?

@BeABetterDev Год назад

Doing it in your Lambda function means you're mixing your function's implementation with authorization concerns. Ideally we want to separate our concerns and use the SRP (single reponsibility principle).

@axelleuenberger2792 3 года назад

I dont get, the test within AWS is working, but the test with postman is always wrong. I dont have the "explicit deny", everytime the "User is not authorized to access this resource" Anyone with the same issue?

3 года назад

I set the ARN like this and worked , note the last backslash: arn:aws:execute-api:us-west-2:YYYYYYYYYY:XXXXXXXX/test/GET/customers/

@chaitanyareddy7597 3 года назад

@ yes thanks ! "Resource": "arn:aws:execute-api:{regionId}:{accountId}:{apiId}/{stage}/{httpVerb}/[{resource}/[{child-resources}]]" as per doc.

@yogeshdubey2031 Год назад

Hey i have doubt we are having two functions one for authorization and another for the actual request cant we end making use of one function only in which first we'll perform authorization and then perform the rest of the task.

@ykuldeep Год назад

Can we configure customerId and authToken both to AuthLambda?

@8989superduper Год назад

Have a question. Is it safe to use payload info in my access token from my backend lambda handler without decoding the token with public key as far as its been verified in lambda authorizer??

@JustThink2000 3 месяца назад

Could I use this same methodology if my authorized resource is a Python flask api? Basically, I want to use this method to authorize access to my Python api

@vishaldindalkop2952 2 года назад

How can I attach the custom response to the authorizer? On Deny i wanna response with custom message.

@AhumadaMauricio 2 года назад

Quick question. If we are using two lambdas (one for authentication and another one for the actual request), doesn't that mean that we may need to cold start both functions? That will increase dramatically the latency between request and response. In my experience a C# lambda function cold start may add at to 7 seconds in comparison with a warm start.

@onomatopeia891 2 года назад

You may want to check caching in Lambda Authorizer

@everythinggoes850 2 года назад

Yes it does latency. Which is why I recommend writing the authorizer function with Rust.

@shivamprakash8167 3 года назад

Wow

@praxtheslayer 3 года назад

Hi, a very good video on this! I have a question though, what is principalID and why is it set to the same value as the passed auth value? Also, I see that it is hard-coded. So, if I have a bunch of people, each with a different token value, what do I have to do in this case? Thanks, cheers!

@VedsarKushwaha 2 года назад

That's a good question. This video also doesn't talk about API Gateway input parameters. Can we get inputs coming to API gateway to the lambda authorizer in POST method? (I know it can be done using query string but query string is not safe because request appends to URL in that case.)

@TheDhanuroutu 3 года назад

Can we do with Cognito Authorizer and access to some particular API gateway resource?

@BeABetterDev 3 года назад

Hi Dhanu, Yes! You should check out Cognito Identity Pools which accomplish exactly this!

@TheDhanuroutu 3 года назад

@@BeABetterDev I tried with the cognito identity, but couldn't achieve that. Can you do a video on congito identity to achive the IAM roles to access API gateway.

@asafshay7231 2 года назад

can I create authorizer in sam local api gateway ?

@numpyasnum1768 2 года назад

We're gonna pass in authorizationToken from the user's perspective. Where?! In the header?, the body?, the query params?

@syedjunedali9330 2 года назад

I followed each step but still when I am sending request in podman it is not printing hello world output.

@saidurgakameshkota1246 3 года назад

If we have api key as authorisation why we need lambda

@vladbunin8994 2 месяца назад

What if i need to return token expired 401 error?

@tonante27 2 года назад

How does your Lambda Authorizer detect if an IAM user has been Disabled. We have a two client servers. The first one uses a payload of just the base64 token of the username : password while the other server uses the username and password (password is masked). When I have an active test user, they are allowed to access the API gateway. However when that same user is Disabled (password is null) in IAM, that user should not be allowed to access the gateway. I don't want to program a credentials report csv file using boto3 that's encoded to base64. This would expose too much account user info - very risky. Is there another way for the Lambda function to determine when an IAM user has been deactivated? Thanks

@asafshay7231 2 года назад

is it possible for anonymous user ?

@HimanshuKumar-xz5tk 3 года назад

When I test it in console, it's working fine but in postman it's returning 400 bad request. Please help.

@BeABetterDev 3 года назад

Hi Himanshu, Are you remember to put the /resourceName when making the request? Also make sure you are using the correct type (GET or POST)

@HimanshuKumar-xz5tk 3 года назад

@@BeABetterDev Yes. Although I am using jwt based authorization. I am able to get correct policy in my aws console so I could not find any reason why it's not working with postman or my front-end. My fetch request looks like this:- return await fetch(GET_CUSTOMERS_URI, { method: 'GET', // *GET, POST, PUT, DELETE, etc. mode: 'cors', // no-cors, *cors, same-origin cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached credentials: 'same-origin', headers: { 'authorizationToken': 'Bearer ' + token, 'Content-Type': 'application/json', }, redirect: 'follow', // manual, *follow, error referrerPolicy: 'no-referrer', }) It's working fine when I change authorization to none in /customer resource and I get data. But with authorization, it's giving 400 bad request error.