Using AWS Lambda Authorizer in API Gateway


Question

I have my Web APIs hosted in Docker. My Angular client will send a JWT token to access any of these APIs. I wanted to make use of the AWS API Gateway feature to add an authorization check before calling the API the client requested. From the docs I see that we can leverage the Lambda Authorizer concept to achieve this. But then again I thought, why use a Lambda Authorizer when I can come up with a .NET Core API which can validate the user?

  1. Does my Lambda Gateway make sense for my case?
  2. If so, what would the output of the Lambda Authorizer be? A simple true/false saying the token is valid or invalid?

I see that this is what the response should/might look like. How should this translate to my case?

{
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Resource": [
          "arn:aws:execute-api:us-east-1:1234567:myapiId/staging/POST/*"
        ],
        "Effect": "Allow"
      }
    ]
  },
  "principalId": "Foo"
}

  3. After the Lambda Authorizer has executed, what should happen in API Gateway? Who calls my actual API that the client asked for?

Recommended answer

If you are using a Lambda Authorizer, returning an Allow or Deny policy is what you are looking for.

This essentially grants API Gateway permission to invoke the underlying target. I know it sounds weird at first glance, but that's how it works. Think of an Allow policy as a true return statement (credentials matched) kind of thing, whilst a Deny policy is more of a false return statement (credentials didn't match / not enough permissions based on your rules, etc.).

To get you off the ground, you can simply copy/paste the code available in the docs and modify the authentication method to your liking (the docs show an example using a header with Allow or Deny values, which is definitely not what you want; that's just meant for the sake of an example).

So, back to your question, enumerating all the answers:

  1. Yes, but it's called a Lambda Authorizer instead of a Lambda Gateway.
  2. Either an Allow or Deny policy for valid/invalid tokens respectively.
  3. If the Lambda Authorizer responds with an Allow policy, it will then invoke the target (which can be a Lambda function, an SNS topic, an HTTP endpoint - this is likely your case - and so on). The authorizer will just act as an interceptor and decide whether to proxy the call to the target or not.
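As an added illustration (not part of the original question or answer), here is a stdlib-only Python TOKEN authorizer that validates an HS256 JWT and returns the Allow/Deny policy in the shape quoted in the question. The `SECRET`, the `Bearer` prefix handling and the `mint_hs256_jwt` helper are constructed for the example; `authorizationToken` and `methodArn` are the fields API Gateway supplies to a TOKEN authorizer.

```python
import base64, hashlib, hmac, json, time

# Constructed example secret for HS256; a real deployment would load it from a
# secrets store and, more likely, verify RS256 tokens against the issuer's JWKS.
SECRET = b"example-shared-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def mint_hs256_jwt(claims: dict) -> str:
    """Issue a token the way the client's identity provider would (test helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256_jwt(token: str):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
            return None  # reject alg confusion, e.g. "none"
        signed = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(SECRET, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None
        claims = json.loads(_unb64url(payload_b64))
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None  # malformed token: wrong segment count, bad base64 or JSON
    if not isinstance(claims, dict) or claims.get("exp", 0) <= time.time():
        return None  # missing or past expiry is treated as invalid
    return claims

def build_policy(principal_id: str, effect: str, method_arn: str) -> dict:
    # The response shape quoted in the question: an IAM policy plus a principalId.
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": [method_arn]}
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}

def lambda_handler(event: dict, context=None) -> dict:
    # TOKEN authorizer input: Authorization header as authorizationToken, target as methodArn.
    raw = event.get("authorizationToken", "")
    token = raw[len("Bearer "):] if raw.startswith("Bearer ") else raw
    claims = verify_hs256_jwt(token)
    if claims is None:
        return build_policy("anonymous", "Deny", event["methodArn"])
    return build_policy(claims.get("sub", "unknown"), "Allow", event["methodArn"])
```

With a valid token the handler returns an Allow policy scoped to the invoked methodArn, so API Gateway proxies the call to the Docker-hosted API; an expired, tampered or malformed token yields Deny and the backend is never called.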
