Custom Authorizers for AI APIs with AWS Lambda Integrations

Question

Pulumi · Accepted Answer

Custom authorizers on AWS API Gateway are a way to handle authorization logic before a request is processed by an API endpoint. These authorizers use AWS Lambda functions to execute the authorization logic, potentially using a variety of strategies such as token validation, looking up permissions from a database, or integrating with 3rd-party identity providers.

To implement a custom authorizer for an API on AWS, you would typically go through these steps:

1. **Create a Lambda Function**: This is the function that will contain your authorization logic. It should return a policy document that specifies the allowed actions for the principal (user).

2. **Create the API Gateway Authorizer**: This connects your Lambda function to API Gateway as an authorizer.

3. **Create the API Gateway Resources and Methods**: Define your API's structure and methods, specifying the custom authorizer for the methods that need protection.

4. **Deploy the API**: Make the API available for your users.

Below is a Pulumi program in Python which accomplishes these steps. We're setting up a simple AWS Lambda function which will act as our authorizer and an AWS API Gateway REST API which will use this authorizer.

```python
import pulumi
import pulumi_aws as aws

# Create an IAM role that the Lambda function can assume
lambda_role = aws.iam.Role("lambdaRole",
    assume_role_policy="""{
        "Version": "2012-10-17",
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            }
        }]
    }""")

# Attach the AWSLambdaBasicExecutionRole policy to the role
policy_attachment = aws.iam.RolePolicyAttachment("lambdaRoleAttachment",
    role=lambda_role.name,
    policy_arn="arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole")

# Create the Lambda function that will handle our authorization logic
custom_authorizer_lambda = aws.lambda_.Function("customAuthorizerLambda",
    code=pulumi.FileArchive("./lambda_authorizer.zip"),
    role=lambda_role.arn,
    handler="authorizer.handler",
    runtime="python3.8",
    tags={
        "Name": "api_custom_authorizer",
    })

# Create an API Gateway authorizer that invokes the Lambda function
authorizer = aws.apigateway.Authorizer("apiAuthorizer",
    rest_api=api.id,
    authorizer_uri=custom_authorizer_lambda.invoke_arn.apply(
        lambda arn: f"arn:aws:apigateway:{aws.get_region().name}:lambda:path/2015-03-31/functions/{arn}/invocations"),
    authorizer_credentials=lambda_role.arn,
    type="TOKEN")

# Create an API Gateway REST API
api = aws.apigateway.RestApi("api",
    description="API Gateway with Custom Authorizer",
    tags={
        "Name": "ApiGatewayWithCustomAuthorizer",
    })

# Define a resource within the API
resource = aws.apigateway.Resource("apiResource",
    rest_api=api.id,
    parent_id=api.root_resource_id,
    path_part="example")

# Define a GET method for the example resource that uses the authorizer
get_method = aws.apigateway.Method("getMethod",
    rest_api=api.id,
    resource_id=resource.id,
    http_method="GET",
    authorization="CUSTOM",
    authorizer_id=authorizer.id)

# Deploy the API
deployment = aws.apigateway.Deployment("apiDeployment",
    rest_api=api.id,
    # Ensuring a new deployment is created when the API definition changes
    triggers={
        "deployment": pulumi.Output.all(resource.id, get_method.http_method).apply(
            lambda args: str(hash(f"{args[0]}::{args[1]}")))
    },
    # Defined as 'Stage' for easy access
    stage_name="stage")

# Export the invocation URL of the API
pulumi.export("invoke_url", deployment.invoke_url)
```

In this program, we define the necessary AWS resources with Pulumi's Python API. Specifically:

- `aws.iam.Role` is used to create an IAM role that our Lambda function can assume. This role has the basic execution policy attached to it, which allows our function to log to CloudWatch and execute.

- `aws.lambda_.Function` is used to create the Lambda function that serves as the custom authorizer. It's assumed that we have a Lambda deployment package available at `./lambda_authorizer.zip`, and within it, a handler `authorizer.handler` written in Python 3.8.

- `aws.apigateway.Authorizer` is defined to create an API Gateway custom authorizer. It references our Lambda function and specifies the type of authorization as `TOKEN`, which means our Lambda function is expected to receive an identity token in the `Authorization` header.

- `aws.apigateway.RestApi`, `aws.apigateway.Resource`, and `aws.apigateway.Method` are used to define the REST API's structure and integrate it with our custom authorizer.

- `aws.apigateway.Deployment` deploys our API so that it can be invoked through a public URL.

The exported `invoke_url` gives you the public endpoint that you can hit to invoke your REST API.

Remember that this is only the infrastructure; the code for handling the authorization logic within the Lambda function (`lambda_authorizer.zip`) is not shown here. You would need to ensure your Lambda function is correctly set up to validate incoming tokens and return the appropriate IAM policies.