Securing access to AWS Lambda through API Gateway

Time: 2017-07-12 07:53:33

Tags: amazon-web-services aws-lambda aws-api-gateway amazon-cognito

I am building a simple REST API with AWS Lambda and API Gateway. The API will be consumed by external services (scripts), but I want to protect access to it so that it is not publicly reachable. I also want to restrict certain services to only parts of the API, and to be able to revoke their permissions at any time.

Example API:

  • CatsLambda -> GET /cats
  • DogsLambda -> GET /dogs
  • FishLambda -> GET /fish

External scripts:

  • CatsScript can access /cats but not /dogs or /fish
  • MammalScript can access /cats and /dogs but not /fish

I think I need to create some kind of user for each of my scripts and use those to access the API. I was considering Cognito, but I am not sure whether this kind of setup is feasible with it.

Do you have any ideas? Do I have to create my own authorizer on API Gateway?

1 answer:

Answer 0 (score: 0)

For this you can use either Custom Authorizer or AWS Cognito user pools.

If you are going ahead with a custom authorizer, you can create a Lambda function to do the authorization part. Sample code from the AWS documentation follows:

console.log('Loading function');

exports.handler =  (event, context, callback) => {
    var token = event.authorizationToken;
    // Call oauth provider, crack jwt token, etc.
    // In this example, the token is treated as the status for simplicity.

    switch (token.toLowerCase()) {
        case 'allow':
            callback(null, generatePolicy('user', 'Allow', event.methodArn));
            break;
        case 'deny':
            callback(null, generatePolicy('user', 'Deny', event.methodArn));
            break;
        case 'unauthorized':
            callback("Unauthorized");   // Return a 401 Unauthorized response
            break;
        default:
            callback("Error: Invalid token"); 
    }
};

var generatePolicy = function(principalId, effect, resource) {
    var authResponse = {};

    authResponse.principalId = principalId;
    if (effect && resource) {
        var policyDocument = {};
        policyDocument.Version = '2012-10-17'; // default version
        policyDocument.Statement = [];
        var statementOne = {};
        statementOne.Action = 'execute-api:Invoke'; // default action
        statementOne.Effect = effect;
        statementOne.Resource = resource;
        policyDocument.Statement[0] = statementOne;
        authResponse.policyDocument = policyDocument;
    }

    // Can optionally return a context object of your choosing.
    authResponse.context = {};
    authResponse.context.stringKey = "stringval";
    authResponse.context.numberKey = 123;
    authResponse.context.booleanKey = true;
    return authResponse;
}

You can read more about how to implement custom authorizers at this link.

If you are using User pools, you can integrate API with user pool. You can follow the steps defined in this documentation to do the integration. Quoting from the site,

To create a user pool authorizer using the API Gateway console

  • Create a new API or select an existing API in API Gateway.
  • From the main navigation pane, choose Authorizers under the specified API.
  • Under Authorizers, choose Create and then choose Cognito User Pool Authorizer.

To configure this authorizer:

  • Choose a region for Cognito region.
  • For Cognito User Pool, choose an available user pool.
  • The Authorizer name field will be automatically populated with the chosen user pool name. However, you can customize it if you want to.
  • The Identity token source field will be set to method.request.header.Authorization by default. However, you can customize it if you want to. Using the default, Authorization will be the name of the incoming request header to contain an API caller's identity token.
  • Optionally, type a regular expression in the App client ID regex field to validate client IDs associated with the user pool.
  • Choose Create to finish integrating the user pool with the API.
  • Having created the authorizer, you can, optionally, test it by supplying an identity token provisioned from the user pool.

To enable a user pool authorizer on methods

  • Choose (or create) a method of your API.
  • Choose Method Request.
  • Under Authorization Settings, choose the edit icon by the Authorization field.
  • Choose one of the available Amazon Cognito User Pool authorizers from the drop-down list.
  • Choose the check-mark icon to save the settings.

Repeat these steps for other methods of your choosing.

[Update] Updating the answer with Ashan's suggested methodology.

Another option is to use Cognito user groups with IAM authorization at API gateway. Access permission can be given through policies which are assigned to roles linked with groups.