How to configure the integration of Lambda with API Gateway Authorizer in Go
To configure the integration of AWS Lambda with Amazon API Gateway Authorizer using Pulumi with the Go programming language, you would follow these steps:
- Define an AWS Lambda function.
- Create an API Gateway.
- Define an authorizer for the API Gateway that invokes the Lambda function.
- Connect the authorizer to specific API Gateway methods that require authorization.
Below, I'll provide a complete Pulumi program in Go that sets up this scenario. I'll explain each part as you read through it.
First, we will define a Lambda function. This function will be the authorizer that Amazon API Gateway will use to authorize API requests. The Lambda function takes an event containing the authorization token submitted by the client and returns an IAM policy document specifying the allowed actions.
In the code, you'll see how to create a Lambda function using the `aws.lambda.Function` resource. We'll also create an API Gateway endpoint and configure an authorizer of type `TOKEN` using the `aws.apigateway.Authorizer` resource to use the Lambda function for authorization. Lastly, we'll define a method on an API resource that uses this authorizer.

Here is the Pulumi program in Go:
```go
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/apigateway"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lambda"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Create an AWS Lambda function that will act as the API Gateway Authorizer.
		authorizerLambda, err := lambda.NewFunction(ctx, "apiAuthorizerLambda", &lambda.FunctionArgs{
			Handler: pulumi.String("authorizer.handler"),
			Role:    pulumi.String("arn:aws:iam::123456789012:role/lambda_basic_execution"),
			// nodejs12.x is retired and can no longer be used for new functions.
			Runtime: pulumi.String("nodejs20.x"),
			Code:    pulumi.NewFileArchive("path/to/your/zip/file"),
		})
		if err != nil {
			return err
		}

		// Create a REST API that the Lambda authorizer will protect.
		api, err := apigateway.NewRestApi(ctx, "api", &apigateway.RestApiArgs{
			Name: pulumi.String("myapi"),
		})
		if err != nil {
			return err
		}

		// Create an authorizer that uses the Lambda function.
		authorizer, err := apigateway.NewAuthorizer(ctx, "authorizer", &apigateway.AuthorizerArgs{
			RestApi:        api.ID(),
			Name:           pulumi.String("lambdaAuthorizer"),
			Type:           pulumi.String("TOKEN"), // Authorization type
			AuthorizerUri:  authorizerLambda.InvokeArn,
			IdentitySource: pulumi.String("method.request.header.Authorization"),
		})
		if err != nil {
			return err
		}

		// Allow API Gateway to invoke the authorizer function. Without this
		// (or AuthorizerCredentials on the authorizer) the call is refused.
		// SourceArn limits the grant to this API's authorizer.
		_, err = lambda.NewPermission(ctx, "apiGatewayInvokeAuthorizer", &lambda.PermissionArgs{
			Action:    pulumi.String("lambda:InvokeFunction"),
			Function:  authorizerLambda.Name,
			Principal: pulumi.String("apigateway.amazonaws.com"),
			SourceArn: pulumi.Sprintf("%s/authorizers/%s", api.ExecutionArn, authorizer.ID()),
		})
		if err != nil {
			return err
		}

		// Create a dummy resource to illustrate how to associate an authorizer.
		resource, err := apigateway.NewResource(ctx, "exampleResource", &apigateway.ResourceArgs{
			RestApi:  api.ID(),
			ParentId: api.RootResourceId,
			PathPart: pulumi.String("myresource"),
		})
		if err != nil {
			return err
		}

		// Create a GET method on the resource with the authorizer.
		_, err = apigateway.NewMethod(ctx, "getMethod", &apigateway.MethodArgs{
			RestApi:       api.ID(),
			ResourceId:    resource.ID(),
			HttpMethod:    pulumi.String("GET"),
			Authorization: pulumi.String("CUSTOM"),
			AuthorizerId:  authorizer.ID(),
		})
		if err != nil {
			return err
		}

		// Export the API endpoint for easy access. The URL resolves only once the
		// API has been deployed to a stage named "prod"; this program does not
		// create a Deployment or Stage.
		ctx.Export("apiEndpoint", pulumi.Sprintf("https://%s.execute-api.%s.amazonaws.com/prod/myresource", api.ID(), config.Require(ctx, "aws:region")))
		return nil
	})
}
```
Let's break down what we did:
- Defined a Lambda function (`authorizerLambda`) that will act as an authorizer.
- Created a REST API (`api`) using the `aws.apigateway.RestApi` resource.
- Defined an authorizer (`authorizer`) for the API that uses the previously defined Lambda function to authorize requests.
- Created a dummy resource (`resource`) within the API to show where you would apply the authorizer.
- Defined a method (`getMethod`) on the dummy resource with the custom authorizer associated with it.
- Exported the API endpoint as a stack output for easy access after deployment.
Each resource in the code includes a link to its documentation. You can explore these links to understand the options available for each resource and how they might be tailored to suit your specific needs. You must replace `"path/to/your/zip/file"` with the actual path to the Lambda deployment package, and `"arn:aws:iam::123456789012:role/lambda_basic_execution"` with the actual ARN of the IAM role that Lambda will assume.

This code will create an infrastructure wherein certain routes on API Gateway are protected by a Lambda authorizer, providing your API with an additional layer of security.
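The authorizer contract described above (token event in, IAM policy document out) is shown here as an added example that is not part of the original program and uses only the Go standard library. It models the JSON exchanged with a `TOKEN` authorizer and denies by default; the function name `Authorize`, the shared-secret check, the principal names and the sample event are assumptions for illustration, and the package the Pulumi program deploys is a Node.js handler that would implement the same contract.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"strings"
)

// TokenEvent is the JSON payload API Gateway sends to a TOKEN authorizer.
type TokenEvent struct {
	Type               string `json:"type"`
	AuthorizationToken string `json:"authorizationToken"`
	MethodArn          string `json:"methodArn"`
}

type Statement struct{ Action, Effect, Resource string } // one IAM policy statement
type AuthResponse struct {
	PrincipalID    string `json:"principalId"`
	PolicyDocument struct {
		Version   string
		Statement []Statement
	} `json:"policyDocument"`
}

// Authorize denies by default; expected (an assumption here) would come from a secret store.
func Authorize(ev TokenEvent, expected string) AuthResponse {
	effect, principal := "Deny", "anonymous"
	token := strings.TrimPrefix(ev.AuthorizationToken, "Bearer ")
	if ev.Type == "TOKEN" && expected != "" && token != ev.AuthorizationToken &&
		subtle.ConstantTimeCompare([]byte(token), []byte(expected)) == 1 {
		effect, principal = "Allow", "api-client" // hypothetical principal name
	}
	resp := AuthResponse{PrincipalID: principal}
	resp.PolicyDocument.Version = "2012-10-17"
	resp.PolicyDocument.Statement = []Statement{{"execute-api:Invoke", effect, ev.MethodArn}}
	return resp
}

func main() {
	// Constructed sample event; the token and ARN are placeholders.
	raw := `{"type":"TOKEN","authorizationToken":"Bearer demo-token","methodArn":"arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/myresource"}`
	var ev TokenEvent
	if err := json.Unmarshal([]byte(raw), &ev); err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(Authorize(ev, "demo-token"), "", "  ")
	fmt.Println(string(out))
}
```

API Gateway caches the returned policy per token (300 seconds by default), so a statement scoped to one `methodArn` is reused for other methods behind the same authorizer; set the authorizer's result TTL or widen the resource deliberately if several methods share it.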