This is an example of a Lambda Authorizer function. There are two Lambda functions in this example. The first one is the authorizer function. The second one is the business function. The business function is exposed through a REST API using the API Gateway. The API Gateway is configured to use the authorizer function to implement a custom logic to authorize the requests.
Note
If your application is protected by JWT tokens, it's recommended to use the native JWT authorizer provided by the API Gateway. The Lambda authorizer is useful when you need to implement a custom authorization logic. See the OAuth 2.0/JWT authorizer example for AWS SAM to learn how to use the native JWT authorizer with SAM.
The authorizer function is a simple function that checks data received from the API Gateway. In this example, the API Gateway is configured to pass the content of the Authorization header to the authorizer Lambda function.
There are two possible responses from a Lambda Authorizer function: policy and simple. The policy response returns an IAM policy document that describes the permissions of the caller. The simple response returns a boolean value that indicates if the caller is authorized or not. You can read more about the two types of responses in the Lambda authorizer response format section of the API Gateway documentation.
This example uses an authorizer that returns the simple response. The authorizer function is defined in the Sources/AuthorizerLambda directory. The business function is defined in the Sources/APIGatewayLambda directory.
To build the package, type the following commands.
swift build
swift package archive --allow-network-connections dockerIf there is no error, there are two ZIP files ready to deploy, one for the authorizer function and one for the business function.
The ZIP file are located under .build/plugins/AWSLambdaPackager/outputs/AWSLambdaPackager
The deployment must include the Lambda functions and the API Gateway. We use the Serverless Application Model (SAM) to deploy the infrastructure.
Prerequisites : Install the SAM CLI
The example directory contains a file named template.yaml that describes the deployment.
To actually deploy your Lambda function and create the infrastructure, type the following sam command.
sam deploy \
--resolve-s3 \
--template-file template.yaml \
--stack-name APIGatewayWithLambdaAuthorizer \
--capabilities CAPABILITY_IAM At the end of the deployment, the script lists the API Gateway endpoint. The output is similar to this one.
-----------------------------------------------------------------------------------------------------------------------------
Outputs
-----------------------------------------------------------------------------------------------------------------------------
Key APIGatewayEndpoint
Description API Gateway endpoint URI
Value https://a5q74es3k2.execute-api.us-east-1.amazonaws.com/demo
-----------------------------------------------------------------------------------------------------------------------------
To invoke the Lambda function, use this curl command line. Be sure to replace the URL with the API Gateway endpoint returned in the previous step.
When invoking the Lambda function without Authorization header, the response is a 401 Unauthorized error.
curl -v https://a5q74es3k2.execute-api.us-east-1.amazonaws.com/demo
...
> GET /demo HTTP/2
> Host: 6sm6270j21.execute-api.us-east-1.amazonaws.com
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 401
< date: Sat, 04 Jan 2025 14:03:02 GMT
< content-type: application/json
< content-length: 26
< apigw-requestid: D3bfpidOoAMESiQ=
<
* Connection #0 to host 6sm6270j21.execute-api.us-east-1.amazonaws.com left intact
{"message":"Unauthorized"}When invoking the Lambda function with the Authorization header, the response is a 200 OK status code. Note that the Lambda Authorizer function is configured to accept any value in the Authorization header.
curl -v -H 'Authorization: 123' https://a5q74es3k2.execute-api.us-east-1.amazonaws.com/demo
...
> GET /demo HTTP/2
> Host: 6sm6270j21.execute-api.us-east-1.amazonaws.com
> User-Agent: curl/8.7.1
> Accept: */*
> Authorization: 123
>
* Request completely sent off
< HTTP/2 200
< date: Sat, 04 Jan 2025 14:04:43 GMT
< content-type: application/json
< content-length: 911
< apigw-requestid: D3bvRjJcoAMEaig=
<
* Connection #0 to host 6sm6270j21.execute-api.us-east-1.amazonaws.com left intact
{"headers":{"x-forwarded-port":"443","x-forwarded-proto":"https","host":"6sm6270j21.execute-api.us-east-1.amazonaws.com","user-agent":"curl\/8.7.1","accept":"*\/*","content-length":"0","x-amzn-trace-id":"Root=1-67793ffa-05f1296f1a52f8a066180020","authorization":"123","x-forwarded-for":"81.49.207.77"},"routeKey":"ANY \/demo","version":"2.0","rawQueryString":"","isBase64Encoded":false,"queryStringParameters":{},"pathParameters":{},"rawPath":"\/demo","cookies":[],"requestContext":{"domainPrefix":"6sm6270j21","requestId":"D3bvRjJcoAMEaig=","domainName":"6sm6270j21.execute-api.us-east-1.amazonaws.com","stage":"$default","authorizer":{"lambda":{"abc1":"xyz1"}},"timeEpoch":1735999482988,"accountId":"401955065246","time":"04\/Jan\/2025:14:04:42 +0000","http":{"method":"GET","sourceIp":"81.49.207.77","path":"\/demo","userAgent":"curl\/8.7.1","protocol":"HTTP\/1.1"},"apiId":"6sm6270j21"},"stageVariables":{}}When done testing, you can delete the infrastructure with this command.
sam delete --stack-name APIGatewayWithLambdaAuthorizer