Greetings from São Paulo/Brazil my friend, congratulations for your incredible work.
Thank you! Cheers!
The is exactly the foundation I needed to get started with gateway auth. Thank you thank you thank you thank you thank you.
I'm so grateful!
Without this crucial information about delay on 22:08 I was unable to attach my authorizer to a method.
2:37 I think they make you return a relatively complex policy document (as opposed to a simple "Allow"/"Deny") so that you can Allow/Deny for an array of resource ARNs.
Hi Vishal
I think you're right, doing it this way gives a lot of flexibility to developers to produce some interesting experiences.
Thanks for watching!
You're right Vishal. In that way one could allow/deny an entire "tree" of related endpoints based on a role, for instance.
Can't wait to see another interesting video, great content as always.
Keep up the good work!
Thank you very much!
Awesome video. To the point and crystal clear. Thank you for making this video. Definitely going to recommend this channel to my peers!
Thanks Vighnesh for the kind words and super glad you enjoyed!
@@BeABetterDev hey boss, I follow your steps step by step, when I test the authorizer I get a "AuthorizerFailureException" error any clues why this would be?
@@BeABetterDev my devs are using a lambda function authoriser using auth0 for an api gateway but ever so often when a client tries to access an endpoint to do a PUT or POST method for example the token has already expired. Any ideas ?
Very helpful video. I had it done through cloudformation template and it worked. Keep up the good work.
Glad it helped Vijay!
Where exactly is the policy document configured? How is the policy response format validated? Based on the policy response from the authorizer, how does API Gateway have the intelligence to allow or deny a request? Clarity on these would give a full understanding of this nicely explained video.
what a clear explanation, great job
Thanks Mohamed! Glad you enjoyed and thanks for the support!
Excellent demo! Thank you so much sir
You're very welcome sudhir!
What an amazing video. Clear and very well organized explanation . It worked like a charm for me. Thank you for your work!
Legend, I had my handler make requests to the auth service and not working, this is so handy. Thanks
Oh My this video is a life saver
Thanks so much for this
You're very welcome!
I do this authorization in my lambda functions. I read the API key from body/header, check it's OK, and if it is I run the rest of the code. Is there any reason why I shouldn't be doing this? Any cost or anything else reasons? The only thing I can think of is that you have a single 'authorization function', but I don't know if I'm missing anything else. Thank you. And great videos BTW. Helped me a lot getting a project using Lambda and Dynamo up and running properly.
wow thanks!, you saved me hours of time.
Glad I could help.
Did you ever create the Cognito version you mentioned? If so, do you have a link and is there anything you can share on the pros and cons of each or why you might want to be choosing one over the other?
here's the link: th-cam.com/video/oFSU6rhFETk/w-d-xo.html
@BeABetterDev pros and cons in the video?
Crystal Clear Bro
Thank you Thamizhi!
what is the advantage of this vs handling the authorization in the original lambda handler with your business logic?
Doing it in your Lambda function means you're mixing your function's implementation with authorization concerns. Ideally we want to separate our concerns and use the SRP (single responsibility principle).
Awesome video. To the point and crystal clear. Thank you for making this video.
You're very welcome!
Great video, it helped me understand the flow. Thanks a lot
Your work is appreciated.
Thank you!
How can we construct authResponse? Is there any predefined JSON there we can use?
Great, to the point video, exactly what I wanted. Thank you. Does anyone know if a request header can be updated in the custom authorizer before the sending the request to the service fronted by the API gateway?
Excellent video! Keep up the good work.
Thank you very much!
Your tutorials are great and helpful.
Thanks so much Vinod!
What an amazing tutorial. Thank you
Great video! Thanks
You're very welcome Breno!
Oh YEAH! Gonna watch this tonight! Thanks man!
Hope you like it!
@@BeABetterDev It was awesome. Thanks again! I also appreciate linking to the source code Gist.
Can we use this Authorizer (lambda function that authorises the token) for multiple lambda functions (lambda function that returns the actual response)?
Thank you this is incredible. Quick question, how does the end user of the API provide the authorizationToken? After I deploy the API and I need to share it with my end users, what step is needed for them to invoke this API and enter the token?
Can you please clarify?
Thank you!
Hi Anuradha,
Great question. So this method (using a Lambda authorizer) assumes you are validating your users' login and password through a separate API and generating a token that is stored in a database somewhere.
When calling the API in this video, the token would be provided as an input and validated by the Lambda authorizer by inspecting the token to ensure it is in the database.
This is just one way of doing it but hopefully it gives you an idea of how it could be done. If you are looking for an easier way to manage user credentials and tokens, check out my other video where I did the same thing with API Gateway, but used an Amazon Cognito user pool authorizer. Link here: th-cam.com/video/oFSU6rhFETk/w-d-xo.html
Hope this helps,
Daniel
@@BeABetterDev Thank you Daniel
This was really easy to follow! Thank you!
You're very welcome Neha!
Really clear and helpful. Thanks.
You're very welcome!
Perfect explanation special thanks from Tamil Crypto
You're very welcome!
Is putting account ID into the policyDocument good practice? Is there any other way to do that?
Super Explanation !!
Thanks Prasad!
This is very helpful.
Thank you!
Hi! Always great. I still don't understand how you authenticate the user, how the user got the authorization token.
This is fantastic. Would love to see, how and where authorization token is generated. Do you have a video on that?
Hi Krishnan, I have another video coming out soon on securing your API using Cognito which uses user tokens. Stay tuned!
Can we configure customerId and authToken both to AuthLambda?
Awesome! I appreciate this clear and easy demo.
You're very welcome!
We expect more videos from you like this, thank you
You are a day saver.
Thank you, this is really helpful to me...
You're very welcome Vijay!
Awesome dude. Thank you
You're very welcome satya!
Thank you, Amazing Video
You’re very welcome!
Awesome! Thanks
I have a doubt, can I return a different response if it is Unauthorized? A custom object?
And I have trouble getting that "Unauthorized" message from Angular, it always returns status 0, from Postman all OK
This is some good work. Thanks.
Thanks Himanshu! Glad you enjoyed.
Thanks for the video. I have a doubt about what the difference is if I'm writing the logic to authorize the API in the connected Lambda itself instead of a custom Lambda authorizer.
Suppose you have 100 different Lambdas. Then you will have to write the same code 100 times. Using this you just need to attach this Lambda to every Lambda.
thank you! It was very helpful
I don't get it, the test within AWS is working, but the test with Postman is always wrong.
I don't have the "explicit deny", every time it's "User is not authorized to access this resource"
Anyone with the same issue?
I set the ARN like this and it worked, note the last backslash: arn:aws:execute-api:us-west-2:YYYYYYYYYY:XXXXXXXX/test/GET/customers/
@ yes thanks! "Resource": "arn:aws:execute-api:{regionId}:{accountId}:{apiId}/{stage}/{httpVerb}/[{resource}/[{child-resources}]]" as per the doc.
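As an added example (not the video's code and not any commenter's), here is a Python Lambda authorizer that ties together the points raised above: the token-in-a-database check from Daniel's reply, the policy document carrying an array of resource ARNs from Vishal's comment, and the execute-api ARN format quoted in the comment just above. The token store, role map, principal names and the account/API ids used in the test are constructed stand-ins.

```python
import re

# Constructed stand-in for the database of issued tokens described in the
# reply above; a real authorizer would look the token up in DynamoDB or similar.
TOKEN_STORE = {
    "abc123": {"principal": "user-42", "role": "customer-reader"},
    "def456": {"principal": "user-7", "role": "customer-admin"},
}

# Which (httpVerb, resource) pairs each role may invoke. "*" means any verb,
# and "customers/*" covers the child resources under /customers.
ROLE_ACCESS = {
    "customer-reader": [("GET", "customers"), ("GET", "customers/*")],
    "customer-admin": [("*", "customers"), ("*", "customers/*")],
}

# arn:aws:execute-api:{regionId}:{accountId}:{apiId}/{stage}/{httpVerb}/{resource}
ARN_RE = re.compile(
    r"^arn:aws:execute-api:(?P<region>[^:]+):(?P<account>[^:]+):"
    r"(?P<api_id>[^/]+)/(?P<stage>[^/]+)/(?P<verb>[^/]+)/?(?P<resource>.*)$"
)


def parse_method_arn(method_arn):
    """Split the methodArn API Gateway passes to the authorizer into its parts."""
    match = ARN_RE.match(method_arn)
    if not match:
        raise ValueError("unexpected methodArn format: %s" % method_arn)
    return match.groupdict()


def build_resource_arns(parts, access):
    """Expand (verb, path) pairs into execute-api ARNs for this API and stage."""
    prefix = "arn:aws:execute-api:{region}:{account}:{api_id}/{stage}".format(**parts)
    return ["%s/%s/%s" % (prefix, verb, path) for verb, path in access]


def generate_policy(principal_id, effect, resources, context=None):
    """Build the authorizer response: principalId plus an IAM policy document.

    Listing every ARN the caller may reach matters once authorizer caching is
    on: API Gateway reuses the cached policy for later requests with the same
    token, so a policy naming only the first methodArn would deny the others.
    """
    response = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resources}
            ],
        },
    }
    if context:
        # String key/values here reach the backend as requestContext.authorizer.*
        response["context"] = context
    return response


def lambda_handler(event, context):
    parts = parse_method_arn(event["methodArn"])
    token = event.get("authorizationToken", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    entry = TOKEN_STORE.get(token)
    if entry is None:
        # Unknown token: explicit Deny, which API Gateway turns into a 403
        # "User is not authorized to access this resource". Raising
        # Exception("Unauthorized") instead would produce a 401.
        return generate_policy("anonymous", "Deny", [event["methodArn"]])
    resources = build_resource_arns(parts, ROLE_ACCESS[entry["role"]])
    return generate_policy(entry["principal"], "Allow", resources,
                           context={"role": entry["role"]})
```

Because the Allow policy names the whole /customers tree rather than the single methodArn that triggered the call, it stays valid for the other methods that a cached authorizer decision will be reused for.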
Thanks for the great tutorial, really helpful! One thing I still can't get: how can we pass actual tokens to this Lambda authorizer (instead of "abc123" in this example)?
Have a question. Is it safe to use payload info in my access token from my backend Lambda handler without decoding the token with the public key, as long as it has been verified in the Lambda authorizer??
Very good video! Thanks a lot!
Thanks Mohammed! Glad you enjoyed.
Appreciate your knowledge !
Glad you enjoyed Kunal!
Thanks for a helpful tutorial.
Why name the GET lambda function DemoHandler? Doesn't this function return 'customer' data? Why not name it CustomerHandler?
Great video!!!!
Thanks Alexandre!
Hey, I have a doubt. We have two functions, one for authorization and another for the actual request. Can't we end up making use of one function only, in which we first perform authorization and then perform the rest of the task?
Could I use this same methodology if my authorized resource is a Python Flask API? Basically, I want to use this method to authorize access to my Python API.
Nice, is it possible to use AWS_IAM authorizer with the lambda authorizer too?
Thanks for this! Exactly what I am looking to implement next! What's the program you're using for the architecture diagram??
Hi Rosbel! You're very welcome. The software I am using is called www.draw.io !
beautifully explained
How can I attach a custom response to the authorizer? On Deny I want to respond with a custom message.
It seems to serve the same purpose as creating an API key but has more developed options.
Hi, how can we find the policy document which was in authResponse?
Nice video, helped me a lot!!
great stuff, thank you!
My pleasure!
I have created the REST API as per your suggestion. But the only difference is that it is a private API, as I cannot create a regional API. This is creating an issue while trying to call the authorizer Lambda, as it is mandatory to give a resource policy to the API. Could you please suggest how to do the authorization for a private REST API?
Can we do with Cognito Authorizer and access to some particular API gateway resource?
Hi Dhanu, Yes! You should check out Cognito Identity Pools which accomplish exactly this!
@@BeABetterDev I tried with the Cognito identity, but couldn't achieve that. Can you do a video on Cognito identity to achieve the IAM roles to access API Gateway?
I want to start/stop an EC2 instance using Lambda and API Gateway with authorization. Please guide me to another video.
Can you do a Node.js version of this please?
Can I create an authorizer in SAM local API Gateway?
Awesome!!! Thanks a lot.
Hello, thanks for your videos, they are very clear. I am new to AWS but it seems that the console has changed and I do not see the same things that you present. Your version seems much better. Do you know how I could use the same console version as yours? For example in my version I do not find any test capability. I do not have the resource menu...
I'll answer my own question ;-) It could help someone else. I finally found the reason: I created an HTTP API and not a REST API. That leads to a different UI.
Hi Damien. You beat me to it. It looks like the AWS team is slowly migrating users to HTTP APIs, but the concepts demonstrated in this video should remain the same.
Daniel
Hello, I don't know much about it, can you please tell me how I can resolve the 403 Forbidden error showing in my Postman response? Or do I need to change any other setting?
thank you!
You're very welcome!
Hi, thanks for the video!
Configured exactly the same as mentioned but with the difference that my API is not in a Lambda. I redirect HTTP traffic to my server.
When I post to my API I get the following error: "Message": "User is not authorized to access this resource"
Do you know what that could be? Thanks!
Super helpful, thanks.
You're very welcome Pedro!
What if I need to return a token expired 401 error?
Hi, make a video using Azure AD groups for API auth restrictions using a Lambda authorizer.
How does your Lambda authorizer detect if an IAM user has been disabled? We have two client servers. The first one uses a payload of just the base64 token of the username:password while the other server uses the username and password (password is masked). When I have an active test user, they are allowed to access the API Gateway. However, when that same user is disabled (password is null) in IAM, that user should not be allowed to access the gateway. I don't want to program a credentials report CSV file using boto3 that's encoded to base64. This would expose too much account user info, very risky. Is there another way for the Lambda function to determine when an IAM user has been deactivated? Thanks
Could you please do a video on using a Cognito Authorizer for securing API Gateway?
Hi Nitsy, this is coming soon. Thanks for the suggestion!
We're gonna pass in authorizationToken from the user's perspective. Where?! In the header, the body, the query params?
Thanks
You're very welcome Isaac!
I followed each step but still, when I am sending the request in Postman, it is not printing the hello world output.
Hi, a very good video on this! I have a question though, what is principalID and why is it set to the same value as the passed auth value? Also, I see that it is hard-coded. So, if I have a bunch of people, each with a different token value, what do I have to do in this case? Thanks, cheers!
That's a good question. This video also doesn't talk about API Gateway input parameters. Can we get inputs coming to API gateway to the lambda authorizer in POST method? (I know it can be done using query string but query string is not safe because request appends to URL in that case.)
Keep this up brohhh
Will do! Thanks Amila.
Quick question. If we are using two lambdas (one for authentication and another one for the actual request), doesn't that mean that we may need to cold start both functions? That will increase dramatically the latency between request and response.
In my experience a C# Lambda function cold start may add up to 7 seconds in comparison with a warm start.
You may want to check caching in the Lambda authorizer.
Yes, it does add latency. Which is why I recommend writing the authorizer function in Rust.
Is it possible for an anonymous user?
If we have an API key as authorisation, why do we need a Lambda?
thanks man
Great 🎉
When I test it in the console, it's working fine but in Postman it's returning 400 Bad Request. Please help.
Hi Himanshu,
Did you remember to put the /resourceName when making the request? Also make sure you are using the correct type (GET or POST).
@@BeABetterDev Yes. Although I am using JWT based authorization. I am able to get the correct policy in my AWS console so I could not find any reason why it's not working with Postman or my front-end.
My fetch request looks like this:
return await fetch(GET_CUSTOMERS_URI, {
    method: 'GET', // *GET, POST, PUT, DELETE, etc.
    mode: 'cors', // no-cors, *cors, same-origin
    cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached
    credentials: 'same-origin',
    headers: {
        'authorizationToken': 'Bearer ' + token,
        'Content-Type': 'application/json',
    },
    redirect: 'follow', // manual, *follow, error
    referrerPolicy: 'no-referrer',
})
It's working fine when I change authorization to none on the /customer resource and I get data. But with authorization, it's giving a 400 Bad Request error.
good video
Thanks!
thank you
For the CORS problem:
1. API GW, enable CORS
2. Allow headers
I’m getting CORS error
Hi man, hope you're doing well. Your YouTube channel is teaching gold and I need to spend a lot of time in here, but I don't know where to start, knowing that I'm new to AWS. Could you or any of your fans help me please? I appreciate your help
What if we are using Cognito?
12:30 nice. Would love to see a video on this. Do you use terraform at all?
The videos using the console are good for learning but I use Terraform for real work.
Wow
I couldn't replicate the postman attempt, no matter what, it just says I'm unauthorized. I'll watch the video once more, I may have missed something