AWS API Gateway: How to pass IAM identity to Lambda function?


Question

I've successfully configured IAM-authenticated access to my Lambda function with an AWS API Gateway front-end, but I am unable to find how to pass the IAM user identity to my Lambda function.

I need exactly the IAM user identity and cannot run the Lambda function under the calling IAM user's credentials. All I need is to get the calling IAM user's identity in my Lambda function.

Is there an option for this?

Recommended answer

Support for accessing identity and other information from the Amazon API Gateway request context hadn't been available when you posted the question, but has recently been added, see Announcement: Context Variables:

You can now access context variables from within mapping templates to retrieve contextual information about the API call. You can access data such as stage, resource path, and HTTP method, as well as information about the identity of the caller. This information can then be passed along to your backend integration using the $context variable. [emphasis mine]

The referenced documentation on Accessing the $context Variable features a $context Variable Reference and there are various $context.identity.* parameters that should address your use case.

As outlined in Soenke's answer to the OP's similar question in the Amazon API Gateway forum, there is an as of yet undocumented integration parameter that results in the Cognito identifier being included in these $context.identity.* context variables:

in order to have the Cognito (not IAM!) IdentityId and IdentityPoolId available in Lambda, you have to enable "Invoke with caller credentials" on the API Gateway "Integration Request" page of the API GW Resource. This results in a new context struct "identity" (containing "cognitoIdentityId" and "cognitoIdentityPoolId" being passed to the Lambda function).
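
An added example, not part of the original answer: a body mapping template that forwards $context.identity.* to the backend, and a Python Lambda handler that reads the caller from it and fails closed when no IAM identity is present. The "caller" and "body" keys, the function names and the sample ARNs are assumptions of this example.

```python
import re

# Body mapping template (Content-Type application/json) for the method's
# Integration Request. The $context.identity.* names are from the $context
# Variable Reference; the "caller"/"body" wrapper keys are assumptions.
# Client JSON is nested under "body", so it cannot overwrite "caller".
MAPPING_TEMPLATE = """
{
  "caller": {
    "userArn":   "$context.identity.userArn",
    "user":      "$context.identity.user",
    "accountId": "$context.identity.accountId"
  },
  "body": $input.json('$')
}
"""

# Accepted principals: IAM users and assumed-role sessions. Anything else
# (root, federated users, empty values) is rejected in this example.
_ARN = re.compile(r"^arn:aws[a-z-]*:(iam|sts)::(\d{12}):(user|assumed-role)/(.+)$")
_VALID = {("iam", "user"), ("sts", "assumed-role")}


def caller_identity(event):
    """Return the IAM caller from a mapped event, or raise PermissionError."""
    caller = event.get("caller") or {}
    arn = caller.get("userArn") or ""
    match = _ARN.match(arn)
    # Fail closed: a method without AWS_IAM authorization yields no usable
    # ARN here, and that must never be treated as an authenticated caller.
    if not match or (match.group(1), match.group(3)) not in _VALID:
        raise PermissionError("request carries no IAM identity")
    _, account, kind, path = match.groups()
    if caller.get("accountId") != account:
        raise PermissionError("accountId does not match userArn")
    # user/<path>/<name> -> name; assumed-role/<role>/<session> -> role
    name = path.split("/")[0] if kind == "assumed-role" else path.split("/")[-1]
    return {"kind": kind, "account": account, "name": name, "arn": arn}


def handler(event, context):
    """Lambda entry point: greet the verified caller (constructed example)."""
    who = caller_identity(event)
    return {"message": "hello " + who["name"], "callerArn": who["arn"]}
```

The session name of an assumed role is chosen by the caller, so the handler keys on the role name only.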
