Using AWS Lambda Authorizer in API Gateway
Question
I have my WEB APIs hosted in Docker. My Angular client will send a JWT token to access any of these APIs. I wanted to make use of the AWS API Gateway feature to add an Authorization check before calling the API the client requested. From the docs I see that we can leverage the Lambda Authorizer concept to achieve this. But then again I thought, why use a Lambda Authorizer when I can come up with a DOT NET CORE API which can validate the user?
- Does a Lambda Gateway make sense in my case?
- If it does, what would the output of the Lambda Authorizer be? A simple true/false saying the token is valid or invalid?
I see that this is what the response should/might look like. How should this translate to my case?
{
    "policyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "execute-api:Invoke",
                "Resource": [
                    "arn:aws:execute-api:us-east-1:1234567:myapiId/staging/POST/*"
                ],
                "Effect": "Allow"
            }
        ]
    },
    "principalId": "Foo"
}
- After the Lambda Authorizer has run, what should happen in API Gateway? Who invokes my actual API that the client asked for?
Accepted answer
If you are using a Lambda Authorizer, returning an Allow or Deny Policy is what you are looking for.
This essentially grants API Gateway permissions to invoke the underlying target. I know it sounds weird at a first glance, but that's how it works. Think of an Allow policy as a true return statement (credentials matched) kind of thing, whilst a Deny policy is more of a false return statement (credentials didn't match / not enough permissions based on your rules, etc).
To get you off the ground, you can simply copy/paste the code available at the docs and modify the authentication way to your liking (the docs show an example using a header with Allow or Deny values, which is definitely not what you want, that's just meant for the sake of an example).
So, back to your question by enumerating all the answers:
- Yes, but it's called a Lambda Authorizer instead of a Lambda Gateway.
- Either an Allow or Deny policy for valid/invalid tokens respectively.
- If the Lambda Authorizer responds with an Allow policy, it will then invoke the target (which can be a Lambda function, an SNS Topic, an HTTP endpoint - this is likely your case - and so on). The authorizer will just act as an interceptor and decide whether to proxy the call to the target or not.