    AWS | API custom authorizer: output specification (how to return the authorization result)

    #AWS Handbook 穿卡芦苇

    Parent overview article: ➦ API Gateway 用 Lambda 自定义 Authorizer

    If you want to deny the request, you can throw an error in your Lambda function to stop the request from proceeding further.

    If you want to allow the request, you have more work to do. Your Lambda function will need to return an object with the following shape:

    Related reference: Output from an Amazon API Gateway Lambda authorizer

    The Complete Guide to Custom Authorizers with AWS Lambda and API Gateway

    A Lambda authorizer function’s output is a dictionary-like object, which must include the principal identifier (principalId) and a policy document (policyDocument) containing a list of policy statements. The output can also include a context map containing key-value pairs. If the API uses a usage plan (the apiKeySource is set to AUTHORIZER), the Lambda authorizer function must return one of the usage plan’s API keys as the usageIdentifierKey property value.

    Format of the returned result

    A dictionary-type value must be returned in exactly the following format:

    {
    	"principalId": "my-username",
    	"policyDocument": {
    		"Version": "2012-10-17",
    		"Statement": [
    			{
    				"Action": "execute-api:Invoke",
    				"Effect": "Allow",
    				"Resource": "arn:aws:execute-api:us-east-1:123456789012:qsxrty/test/GET/mydemoresource"
    			}
    		]
    	},
    	"context": {
    		"org": "my-org",
    		"role": "admin",
    		"createdAt": "2019-01-03T12:15:42"
    	}
    }
    
    • principalId, required
         It represents the principal identifier for the caller. This may vary from application to application, but it could be a username, an email address, or a unique ID.

    Python example code

    # Helper function to generate the IAM policy that makes up the authorizer response
    def generatePolicy(principalId, effect, resource, apikey=None):
        authResponse = {}

        authResponse['principalId'] = principalId  # "user" or any string identifying the caller
        if effect and resource:
            policyDocument = {}
            policyDocument['Version'] = '2012-10-17'
            policyDocument['Statement'] = []
            statementOne = {}
            statementOne['Action'] = 'execute-api:Invoke'
            statementOne['Effect'] = effect  # "Allow" or "Deny" (the only valid IAM effects)
            # methodArn taken from the event parameter, in the form:
            # "arn:aws:execute-api:{regionId}:{accountId}:{apiId}/{stage}/{httpVerb}/[{resource}/[{child-resources}]]"
            statementOne['Resource'] = resource
            policyDocument['Statement'].append(statementOne)
            authResponse['policyDocument'] = policyDocument

        # Optional output with custom properties of the String, Number or Boolean type.
        authResponse['context'] = {
            "stringKey": "a",
            "numberKey": 1,
            "booleanKey": True
        }

        # Only required when the API's apiKeySource is AUTHORIZER; omit the key otherwise
        if apikey is not None:
            authResponse['usageIdentifierKey'] = apikey

        return authResponse
    

    Can the returned error message be customized, and if so how?

    Conclusion: no, this is not currently supported. (via Stackoverflow)

    The error messages that can be returned are:

    Error code: AWS doesn’t fully allow a CA (custom authorizer) implementation to dictate the error code sent back to the caller.

    If the CA returns an Auth Policy which does not have resource/method that was invoked in one of the statements with action Allow, then user gets a 403 with something like “Not authorized to access resource”

    If the CA returns an Auth Policy which has statements with action Deny that contains resource/method that was invoked, then user gets a 403 with something like “access denied explicitly with a Deny”

    If the Exception raised by CA has message “Unauthorized” then user gets 401 with message “Unauthorized”.

    If the CA throws an exception with any other message then the user gets HTTP-500 internal server error (Authorizer Configuration Error) and the call is rejected/not-authorized.
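Putting the output format above and the error-message rules together, here is an added example handler (not code from the original post or from AWS): a TOKEN-type authorizer that maps a constructed token table onto the three outcomes the page describes, raising "Unauthorized" for a 401, returning a Deny policy for a 403, and returning an Allow policy scoped to the invoked methodArn. The KNOWN_TOKENS table and the build_policy/lambda_handler names are assumptions made for this example.

```python
# Added example, not the page's own code. KNOWN_TOKENS is constructed sample
# data standing in for real token validation; nothing here is a real credential.

KNOWN_TOKENS = {
    "token-admin": {"principalId": "alice", "role": "admin", "apiKey": "key-abc"},
    "token-revoked": {"principalId": "bob", "role": "revoked", "apiKey": None},
}

def build_policy(principal_id, effect, method_arn, context=None, api_key=None):
    """Build the dictionary shape API Gateway expects from a Lambda authorizer."""
    if effect not in ("Allow", "Deny"):
        raise ValueError("Effect must be Allow or Deny")
    response = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,  # scope the statement to the invoked method only
            }],
        },
    }
    if context:
        # context values must be String, Number or Boolean (no nested objects)
        response["context"] = context
    if api_key is not None:
        # only needed when the API's apiKeySource is AUTHORIZER
        response["usageIdentifierKey"] = api_key
    return response

def lambda_handler(event, _context=None):
    # TOKEN authorizer: API Gateway passes the header value as authorizationToken
    token = event.get("authorizationToken", "")
    method_arn = event["methodArn"]
    entry = KNOWN_TOKENS.get(token)
    if entry is None:
        # Unknown or missing token: this exact message makes API Gateway return HTTP 401
        raise Exception("Unauthorized")
    if entry["role"] == "revoked":
        # Known principal that is explicitly denied: caller receives HTTP 403
        return build_policy(entry["principalId"], "Deny", method_arn)
    ctx = {"role": entry["role"], "isAdmin": entry["role"] == "admin"}
    return build_policy(entry["principalId"], "Allow", method_arn, ctx, entry["apiKey"])
```

Any exception message other than "Unauthorized" would instead surface as the HTTP 500 "Authorizer Configuration Error" described above, so keep the 401 path on that literal string.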

    Full step-by-step index article: ➦ API Gateway 用 Lambda 自定义 Authorizer
