AWS | API Custom Authorizer: Output Specification (how to return the authorization result)

by 穿卡芦苇 #AWS Handbook

Parent overview article: ➦ API Gateway custom Authorizer with Lambda

If you want to deny the request, you can throw an error in your Lambda function to stop the request from proceeding further.

If you want to allow the request, you have more work to do. Your Lambda function will need to return an object with the following shape:

Related reference: Output from an Amazon API Gateway Lambda authorizer

The Complete Guide to Custom Authorizers with AWS Lambda and API Gateway

A Lambda authorizer function’s output is a dictionary-like object, which must include the principal identifier (principalId) and a policy document (policyDocument) containing a list of policy statements. The output can also include a context map containing key-value pairs. If the API uses a usage plan (the apiKeySource is set to AUTHORIZER), the Lambda authorizer function must return one of the usage plan’s API keys as the usageIdentifierKey property value.

{
    "principalId": "my-username",
    "policyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "execute-api:Invoke",
                "Effect": "Allow",
                "Resource": "arn:aws:execute-api:us-east-1:123456789012:qsxrty/test/GET/mydemoresource"
            }
        ]
    },
    "context": {
        "org": "my-org",
        "role": "admin",
        "createdAt": "2019-01-03T12:15:42"
    }
}

  • principalId (required)
       It represents the principal identifier for the caller. This may vary from application to application, but it could be a username, an email address, or a unique ID.
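The shape above is easy to get subtly wrong (a missing Statement list, an Effect that is not Allow or Deny, a nested object in context), and API Gateway reports such mistakes only as a 500 at request time. The following validator is an added example, not code from the original post or from AWS; it checks a handler's return value against the fields documented above so the problem surfaces in a unit test instead. The SAMPLE_OK dictionary is a constructed copy of the response shown above.

```python
import re

# Added example (not from the original post): sanity-check an authorizer's
# return value against the documented output shape before deploying it.
ARN_RE = re.compile(r"^arn:aws[a-z-]*:execute-api:")   # aws, aws-cn, aws-us-gov partitions
ALLOWED_EFFECTS = ("Allow", "Deny")
CONTEXT_TYPES = (str, int, float, bool)                  # context values must be scalars


def validate_authorizer_response(resp):
    """Return a list of problems found; an empty list means the shape is acceptable."""
    problems = []
    if not isinstance(resp, dict):
        return ["response must be a JSON object"]

    principal = resp.get("principalId")
    if not isinstance(principal, str) or not principal:
        problems.append("principalId is required and must be a non-empty string")

    doc = resp.get("policyDocument")
    if not isinstance(doc, dict):
        problems.append("policyDocument is required and must be an object")
    else:
        if doc.get("Version") != "2012-10-17":
            problems.append("policyDocument.Version must be '2012-10-17'")
        statements = doc.get("Statement")
        if not isinstance(statements, list) or not statements:
            problems.append("policyDocument.Statement must be a non-empty list")
        else:
            for i, stmt in enumerate(statements):
                problems.extend(_check_statement(i, stmt))

    ctx = resp.get("context")
    if ctx is not None:
        if not isinstance(ctx, dict):
            problems.append("context must be an object")
        else:
            for key, value in ctx.items():
                if not isinstance(value, CONTEXT_TYPES):
                    problems.append(
                        f"context.{key} must be a string, number or boolean, "
                        f"not {type(value).__name__}")

    usage_key = resp.get("usageIdentifierKey")
    if usage_key is not None and not isinstance(usage_key, str):
        problems.append("usageIdentifierKey must be a string when present")
    return problems


def _check_statement(i, stmt):
    """Check one policy statement; Action/Resource may be a string or a list."""
    out = []
    if not isinstance(stmt, dict):
        return [f"Statement[{i}] must be an object"]
    actions = stmt.get("Action")
    actions = actions if isinstance(actions, list) else [actions]
    if "execute-api:Invoke" not in actions:
        out.append(f"Statement[{i}].Action must include execute-api:Invoke")
    if stmt.get("Effect") not in ALLOWED_EFFECTS:
        out.append(f"Statement[{i}].Effect must be Allow or Deny, got {stmt.get('Effect')!r}")
    resources = stmt.get("Resource")
    resources = resources if isinstance(resources, list) else [resources]
    for r in resources:
        if not isinstance(r, str) or not ARN_RE.match(r):
            out.append(f"Statement[{i}].Resource must be an execute-api ARN, got {r!r}")
    return out


# Constructed sample mirroring the response shown in the post above.
SAMPLE_OK = {
    "principalId": "my-username",
    "policyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Action": "execute-api:Invoke",
            "Effect": "Allow",
            "Resource": "arn:aws:execute-api:us-east-1:123456789012:qsxrty/test/GET/mydemoresource",
        }],
    },
    "context": {"org": "my-org", "role": "admin", "createdAt": "2019-01-03T12:15:42"},
}

if __name__ == "__main__":
    print(validate_authorizer_response(SAMPLE_OK))   # [] when the shape is correct
```

Call validate_authorizer_response on whatever your handler returns in a test; a non-empty list names each field that API Gateway would reject.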

Python sample code

# Helper function to generate an IAM policy in the shape API Gateway expects
def generatePolicy(principalId, effect, resource, apikey=None):
    authResponse = {}

    authResponse['principalId'] = principalId  # "user" or any string identifying the caller
    if (effect and resource):
        policyDocument = {}
        policyDocument['Version'] = '2012-10-17'
        policyDocument['Statement'] = []
        statementOne = {}
        statementOne['Action'] = 'execute-api:Invoke'
        statementOne['Effect'] = effect  # "Allow" or "Deny"
        statementOne['Resource'] = resource  # methodArn taken from the event parameter, like: "arn:aws:execute-api:{regionId}:{accountId}:{apiId}/{stage}/{httpVerb}/[{resource}/[{child-resources}]]"
        policyDocument['Statement'].append(statementOne)  # the statement must actually be added to the list
        authResponse['policyDocument'] = policyDocument

    # Optional output with custom properties of the String, Number or Boolean type.
    authResponse['context'] = {
        "stringKey": "a",
        "numberKey": 1,
        "booleanKey": True
    }

    # When the API's apiKeySource is AUTHORIZER, return one of the usage plan's API keys here.
    if apikey:
        authResponse['usageIdentifierKey'] = apikey

    return authResponse


Conclusion: no, this is not currently supported. (via Stackoverflow)


error code: AWS doesn’t fully allow a CA implementation to dictate the error code sent back to the caller.

If the CA returns an Auth Policy which does not have the resource/method that was invoked in one of the statements with action Allow, then the user gets a 403 with something like “Not authorized to access resource”.

If the CA returns an Auth Policy which has statements with action Deny that contain the resource/method that was invoked, then the user gets a 403 with something like “access denied explicitly with a Deny”.

If the Exception raised by the CA has the message “Unauthorized”, then the user gets a 401 with the message “Unauthorized”.

If the CA throws an exception with any other message, then the user gets an HTTP 500 internal server error (Authorizer Configuration Error) and the call is rejected/not authorized.
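The four outcomes above, together with the output shape from the first half of the post, can be exercised locally. The code below is an added example, not from the original post or from AWS: a TOKEN-type authorizer handler plus a small simulate_gateway function that stands in for API Gateway's handling of the result (it is not the real service, only a local model of the rules quoted above). The TOKENS table is a constructed stand-in for a real token store.

```python
import fnmatch

# Constructed lookup table standing in for a real token store (example only).
TOKENS = {
    "tok-alice": {"principalId": "alice", "role": "admin", "revoked": False},
    "tok-bob":   {"principalId": "bob",   "role": "viewer", "revoked": True},
}


def build_policy(principal_id, effect, resource, context=None):
    """Build the response object API Gateway expects from a Lambda authorizer."""
    response = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,       # "Allow" or "Deny" only
                "Resource": resource,   # the methodArn, or a wildcard ARN covering several methods
            }],
        },
    }
    if context:
        response["context"] = context   # flat map of string/number/boolean values
    return response


def handler(event, context=None):
    """TOKEN-type authorizer: unknown token -> 401, revoked token -> Deny (403), else Allow."""
    token = event.get("authorizationToken")
    record = TOKENS.get(token)
    if record is None:
        # Exactly this message makes API Gateway answer 401; any other message yields 500.
        raise Exception("Unauthorized")
    effect = "Deny" if record["revoked"] else "Allow"
    return build_policy(record["principalId"], effect, event["methodArn"],
                        {"role": record["role"]})


def simulate_gateway(event):
    """Local stand-in (not the real service) for how API Gateway maps the authorizer
    result to a status code, following the four rules quoted in the post."""
    try:
        resp = handler(event)
    except Exception as exc:
        return 401 if str(exc) == "Unauthorized" else 500
    decision = None
    for stmt in resp["policyDocument"]["Statement"]:
        res = stmt["Resource"]
        resources = res if isinstance(res, list) else [res]
        if any(fnmatch.fnmatchcase(event["methodArn"], r) for r in resources):
            if stmt["Effect"] == "Deny":
                return 403          # an explicit Deny on the invoked method wins
            decision = 200          # a matching Allow lets the request through
    return decision or 403          # no statement covered the method: not authorized


if __name__ == "__main__":
    arn = "arn:aws:execute-api:us-east-1:123456789012:qsxrty/test/GET/mydemoresource"
    for token in ("tok-alice", "tok-bob", "tok-unknown"):
        print(token, simulate_gateway({"authorizationToken": token, "methodArn": arn}))
```

The point to take from the simulation is that the handler has only two levers, the policy effect and the exception message; everything else about the status code is decided by API Gateway.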

Full step-by-step index article: ➦ API Gateway custom Authorizer with Lambda