Lambda authorizer examples for Amazon SAM - Amazon Serverless Application Model

The AWS::Serverless::Api resource type supports two types of Lambda authorizers: TOKEN authorizers and REQUEST authorizers. The AWS::Serverless::HttpApi resource type supports only REQUEST authorizers. The following are examples of each type.

Lambda TOKEN authorizer example (AWS::Serverless::Api)

You can control access to your APIs by defining a Lambda TOKEN authorizer within your Amazon SAM template. To do this, you use the ApiAuth data type.

The following is an example Amazon SAM template section for a Lambda TOKEN authorizer:

Note

In the following example, the SAM FunctionRole is implicitly generated.

Resources:
  MyApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Auth:
        DefaultAuthorizer: MyLambdaTokenAuthorizer
        Authorizers:
          MyLambdaTokenAuthorizer:
            FunctionArn: !GetAtt MyAuthFunction.Arn

  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./src
      Handler: index.handler
      Runtime: nodejs12.x
      Events:
        GetRoot:
          Type: Api
          Properties:
            RestApiId: !Ref MyApi
            Path: /
            Method: get

  MyAuthFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./src
      Handler: authorizer.handler
      Runtime: nodejs12.x

For more information about Lambda authorizers, see Use API Gateway Lambda authorizers in the API Gateway Developer Guide.

Lambda REQUEST authorizer example (AWS::Serverless::Api)

You can control access to your APIs by defining a Lambda REQUEST authorizer within your Amazon SAM template. To do this, you use the ApiAuth data type.

The following is an example Amazon SAM template section for a Lambda REQUEST authorizer:

Resources:
  MyApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Auth:
        DefaultAuthorizer: MyLambdaRequestAuthorizer
        Authorizers:
          MyLambdaRequestAuthorizer:
            FunctionPayloadType: REQUEST
            FunctionArn: !GetAtt MyAuthFunction.Arn
            Identity:
              QueryStrings:
                - auth

  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./src
      Handler: index.handler
      Runtime: nodejs12.x
      Events:
        GetRoot:
          Type: Api
          Properties:
            RestApiId: !Ref MyApi
            Path: /
            Method: get

  MyAuthFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./src
      Handler: authorizer.handler
      Runtime: nodejs12.x

For more information about Lambda authorizers, see Use API Gateway Lambda authorizers in the API Gateway Developer Guide.

Lambda authorizer example (AWS::Serverless::HttpApi)

You can control access to your HTTP APIs by defining a Lambda authorizer within your Amazon SAM template. To do this, you use the HttpApiAuth data type.

The following is an example Amazon SAM template section for a Lambda authorizer:

Resources:
  MyApi:
    Type: AWS::Serverless::HttpApi
    Properties:
      StageName: Prod
      Auth:
        DefaultAuthorizer: MyLambdaRequestAuthorizer
        Authorizers:
          MyLambdaRequestAuthorizer:
            FunctionArn: !GetAtt MyAuthFunction.Arn
            FunctionInvokeRole: !GetAtt MyAuthFunctionRole.Arn
            Identity:
              Headers:
                - Authorization
            AuthorizerPayloadFormatVersion: 2.0
            EnableSimpleResponses: true

  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./src
      Handler: index.handler
      Runtime: nodejs12.x
      Events:
        GetRoot:
          Type: HttpApi
          Properties:
            ApiId: !Ref MyApi
            Path: /
            Method: get
            PayloadFormatVersion: "2.0"

  MyAuthFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./src
      Handler: authorizer.handler
      Runtime: nodejs12.x
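
The templates reference authorizer.handler, but the page does not show that function. The following is an added example, not code from the AWS documentation, of a handler that fits the HttpApi template (payload format 2.0, EnableSimpleResponses: true, Authorization header as identity source). The token format, the TOKEN_KEY environment variable, and the issueToken helper are assumptions made for illustration.

```javascript
// authorizer.js: added example for the HttpApi template (payload format 2.0,
// EnableSimpleResponses: true). Token format and TOKEN_KEY are assumptions.
const crypto = require("crypto");

// Assumption: the HMAC key arrives in an environment variable named TOKEN_KEY.
function signPayload(payloadB64) {
  const key = process.env.TOKEN_KEY;
  if (!key) throw new Error("TOKEN_KEY is not set"); // handler turns this into a deny
  return crypto.createHmac("sha256", key).update(payloadB64).digest();
}

// Constructed token format: base64(JSON {sub, exp}) + "." + hex(HMAC-SHA256).
// Hypothetical helper, used only to produce test tokens.
function issueToken(sub, expEpochSeconds) {
  const p = Buffer.from(JSON.stringify({ sub, exp: expEpochSeconds })).toString("base64");
  return `${p}.${signPayload(p).toString("hex")}`;
}

// Returns the claims object for a valid, unexpired token, otherwise null.
function verifyToken(token, nowSeconds) {
  const parts = String(token).split(".");
  if (parts.length !== 2 || !/^[0-9a-f]{64}$/.test(parts[1])) return null;
  const given = Buffer.from(parts[1], "hex"); // 32 bytes, same length as the HMAC
  if (!crypto.timingSafeEqual(given, signPayload(parts[0]))) return null;
  // Parse the payload only after the signature has been verified.
  const claims = JSON.parse(Buffer.from(parts[0], "base64").toString("utf8"));
  if (typeof claims.sub !== "string" || !(claims.exp > nowSeconds)) return null;
  return claims;
}

async function handler(event) {
  const deny = { isAuthorized: false };
  try {
    // Payload format 2.0 delivers header names in lower case.
    const header = (event.headers || {}).authorization || "";
    const match = /^Bearer (\S+)$/.exec(header);
    if (!match) return deny;
    const claims = verifyToken(match[1], Math.floor(Date.now() / 1000));
    if (!claims) return deny;
    // Values in context are made available to the backend integration.
    return { isAuthorized: true, context: { sub: claims.sub } };
  } catch (err) {
    return deny; // fail closed on any error; the token is never logged
  }
}

module.exports = { handler, verifyToken, issueToken };
```

A missing key, a malformed header, a bad signature, and an expired token all take the same deny path, so a misconfigured deployment rejects requests instead of admitting them.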