Configure a cross-account Lambda authorizer - Amazon API Gateway

Configure a cross-account Lambda authorizer

You can also use an Amazon Lambda function from a different Amazon account as your API authorizer function. Each account can be in any Region where Amazon API Gateway is available. The Lambda authorizer function can use bearer token authentication strategies such as OAuth or SAML. This lets you manage a single Lambda authorizer function centrally and share it across multiple API Gateway APIs.

In this section, we show how to configure a cross-account Lambda authorizer function using the Amazon API Gateway console.

These instructions assume that you already have an API Gateway API in one Amazon account and a Lambda authorizer function in another account.

Configure a cross-account Lambda authorizer using the API Gateway console

Log in to the Amazon API Gateway console in your first account (the one that has your API in it) and do the following:

  1. Locate your API and choose Authorizers.

  2. Choose Create New Authorizer.

  3. For Create Authorizer, type an authorizer name in the Name input field.

  4. For Type, choose the Lambda option.

  5. For Lambda Function, copy-paste the full ARN for the Lambda authorizer function that you have in your second account.

    Note

    In the Lambda console, you can find the ARN for your function in the upper right corner of the console window.

  6. Leave Lambda Invoke Role blank to let the API Gateway console set a resource-based policy. This policy will appear as an Amazon CLI command in a pop-up after you create your authorizer. The policy grants API Gateway permissions to invoke the authorizer Lambda function. You can also choose to type the name of an IAM role to allow API Gateway to invoke the authorizer Lambda function. For an example of such a role, see Create an assumable IAM role.

    If you choose to let the API Gateway console set the resource-based policy, the Add Permission to Lambda Function dialog is displayed. Choose OK.

  7. For Lambda Event Payload, choose either Token for a TOKEN authorizer or Request for a REQUEST authorizer.

  8. Depending on the choice you made in the previous step, do one of the following:

    1. For the Token options, do the following:

      1. Type the name of a header in Token Source. The API client must include a header of this name to send the authorization token to the Lambda authorizer.

      2. Optionally, provide a RegEx statement in the Token Validation input field. API Gateway first validates the incoming token against this expression and invokes the authorizer only if the token matches. This reduces the chance of being charged for authorizer invocations on invalid tokens.

      3. For Authorization Caching, select or clear the Enabled option, depending on whether you want to cache the authorization policy generated by the authorizer or not. When policy caching is enabled, you can choose to modify the TTL value from the default (300). Setting TTL=0 disables policy caching. When policy caching is enabled, the header name specified in Token Source becomes the cache key.

    2. For the Request option, do the following:

      1. For Identity Sources, type a request parameter name of a chosen parameter type. Supported parameter types are Header, Query String, Stage Variable, and Context. To add more identity sources, choose Add Identity Source.

        API Gateway uses the specified identity sources as the request authorizer caching key. When caching is enabled, API Gateway calls the authorizer's Lambda function only after successfully verifying that all the specified identity sources are present at runtime. If a specified identity source is missing, null, or empty, API Gateway returns a 401 Unauthorized response without calling the authorizer Lambda function.

        When multiple identity sources are defined, they are all used to derive the authorizer's cache key. Changing any of the cache key parts causes the authorizer to discard the cached policy document and generate a new one.

      2. For Authorization Caching, leave the Enabled option selected. Leave the TTL value set to the default (300).

  9. Choose Create to create the new Lambda authorizer for the chosen API.

  10. You'll see a pop-up that contains an aws lambda add-permission command string. This policy grants API Gateway permissions to invoke the authorizer Lambda function. Copy the command and save it for later. You run the command after you create the authorizer.

  11. Choose Create Anyway.

  12. Paste the aws lambda add-permission command string that you copied in a previous step into an Amazon CLI window that is configured for your second account. Replace AUTHORIZER_ID with your authorizer's ID. This will grant your first account access to your second account's Lambda authorizer function.
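After running the command, it is worth confirming in the second account that the resource-based policy grants invoke rights only to the API Gateway service principal and only for the one authorizer ARN in your first account. The following Python check is an added example, not part of the Amazon documentation: it reads the JSON that `aws lambda get-policy` returns and reports any grant that is missing a `SourceArn` condition, uses a wildcard, or points at a different account or authorizer. It assumes the console-generated command writes the condition the way `aws lambda add-permission --source-arn` does (an `ArnLike` condition on `AWS:SourceArn`); the account IDs, API ID and authorizer ID are constructed placeholders.

```python
from __future__ import annotations
import json
import re

# One authorizer ARN (aws-cn partition allowed for China Regions); a '*' anywhere fails the match.
SOURCE_ARN_RE = re.compile(
    r"^arn:aws(?:-cn)?:execute-api:[a-z0-9-]+:(\d{12}):([a-z0-9]+)/authorizers/([a-z0-9]+)$"
)
API_GATEWAY_PRINCIPAL = {"Service": "apigateway.amazonaws.com"}
SCOPED_ARN = "arn:aws:execute-api:us-east-1:111111111111:a1b2c3d4e5/authorizers/f6g7h8"

def sample_get_policy_output(source_arn: str | None) -> str:
    """Constructed `aws lambda get-policy` output from the second (Lambda) account; all IDs are placeholders."""
    stmt = {
        "Sid": "apigateway-authorizer-invoke",
        "Effect": "Allow",
        "Principal": API_GATEWAY_PRINCIPAL,
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:222222222222:function:my-authorizer",
    }
    if source_arn is not None:  # add-permission --source-arn writes an ArnLike condition
        stmt["Condition"] = {"ArnLike": {"AWS:SourceArn": source_arn}}
    return json.dumps({"Policy": json.dumps({"Version": "2012-10-17", "Statement": [stmt]})})

def audit_authorizer_policy(get_policy_output: str, api_account: str, authorizer_id: str) -> list[str]:
    """Return findings for the cross-account invoke grant; an empty list means it is scoped as expected."""
    findings, grants = [], 0
    for stmt in json.loads(json.loads(get_policy_output)["Policy"]).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "lambda:InvokeFunction" not in actions:
            continue
        grants += 1
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Principal") != API_GATEWAY_PRINCIPAL:
            findings.append(f"{sid}: principal {stmt.get('Principal')!r} is not the API Gateway service")
        conds = {k.lower(): v for op in ("ArnLike", "ArnEquals")  # CLI writes AWS:SourceArn under ArnLike
                 for k, v in stmt.get("Condition", {}).get(op, {}).items()}
        source_arn = conds.get("aws:sourcearn")
        if source_arn is None:
            findings.append(f"{sid}: no aws:SourceArn condition, so any API Gateway API in any account can invoke")
            continue
        m = SOURCE_ARN_RE.match(source_arn if isinstance(source_arn, str) else "")
        if not m:
            findings.append(f"{sid}: SourceArn {source_arn!r} is not a single authorizer ARN")
        elif (m.group(1), m.group(3)) != (api_account, authorizer_id):
            findings.append(f"{sid}: SourceArn is for account {m.group(1)}, authorizer {m.group(3)}")
    if grants == 0:
        findings.append("no Allow lambda:InvokeFunction statement found")
    return findings
```

Feed the real `aws lambda get-policy --function-name <your authorizer ARN>` output from the second account in place of the constructed sample, with your first account's ID and the authorizer ID from the console.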