
AWS Classic

v4.25.0 published on Friday, Oct 15, 2021 by Pulumi

Authorizer

Provides an API Gateway (REST API) Authorizer: a Lambda function or Cognito user pool that API Gateway consults before running a Method. Creating the Authorizer alone enforces nothing; each Method that should be protected must reference it.

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

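/// <summary>
/// Wires an API Gateway REST API to a Lambda-backed custom authorizer.
///
/// Resources created: the REST API, an IAM role that API Gateway assumes to call
/// the authorizer, an execution role for the Lambda, the authorizer function, the
/// API Gateway Authorizer, and an inline policy that lets the invocation role call
/// exactly this one function.
///
/// Security notes for anyone adapting this example:
/// - The Authorizer is created with provider defaults (TOKEN type, token read from
///   the Authorization header, results cached for 300 s). A cached allow decision
///   stays valid until the TTL expires even if the token is revoked upstream;
///   lower AuthorizerResultTtlInSeconds if that matters.
/// - Creating an Authorizer protects nothing by itself; each Method must reference
///   it (Authorization = "CUSTOM", AuthorizerId = ...). No Methods are defined here.
/// - The Lambda execution role has no policies attached, so the function cannot
///   write CloudWatch logs; attach a logging policy if you need them.
/// - The invocation role trusts the apigateway.amazonaws.com service principal with
///   no SourceArn/SourceAccount condition, so any API in this account can assume it.
///   Its inline policy is scoped to this single function; keep it that narrow.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var demoRestApi = new Aws.ApiGateway.RestApi("demoRestApi", new Aws.ApiGateway.RestApiArgs
        {
        });

        // Role that API Gateway assumes when it calls the authorizer function.
        var invocationRole = new Aws.Iam.Role("invocationRole", new Aws.Iam.RoleArgs
        {
            Path = "/",
            AssumeRolePolicy = TrustPolicyFor("apigateway.amazonaws.com"),
        });

        // Execution role for the authorizer function itself (no policies attached).
        var lambda = new Aws.Iam.Role("lambda", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = TrustPolicyFor("lambda.amazonaws.com"),
        });

        // NOTE(review): no Runtime is set here; supply the one that matches
        // lambda-function.zip when adapting this example.
        var authorizer = new Aws.Lambda.Function("authorizer", new Aws.Lambda.FunctionArgs
        {
            Code = new FileArchive("lambda-function.zip"),
            Role = lambda.Arn,
            Handler = "exports.example",
        });

        var demoAuthorizer = new Aws.ApiGateway.Authorizer("demoAuthorizer", new Aws.ApiGateway.AuthorizerArgs
        {
            RestApi = demoRestApi.Id,
            AuthorizerUri = authorizer.InvokeArn,
            AuthorizerCredentials = invocationRole.Arn,
        });

        // Least privilege: the invocation role may invoke only this one function.
        var invocationPolicy = new Aws.Iam.RolePolicy("invocationPolicy", new Aws.Iam.RolePolicyArgs
        {
            Role = invocationRole.Id,
            Policy = authorizer.Arn.Apply(arn => InvokePolicyFor(arn)),
        });
    }

    /// <summary>
    /// Builds a trust policy that lets one AWS service principal assume a role.
    /// Serialized with System.Text.Json so no quotes have to be escaped by hand.
    /// </summary>
    /// <param name="service">Service principal, e.g. "apigateway.amazonaws.com".</param>
    /// <returns>The policy document as a JSON string.</returns>
    private static string TrustPolicyFor(string service) =>
        System.Text.Json.JsonSerializer.Serialize(new
        {
            Version = "2012-10-17",
            Statement = new[]
            {
                new
                {
                    Action = "sts:AssumeRole",
                    Principal = new { Service = service },
                    Effect = "Allow",
                    Sid = "",
                },
            },
        });

    /// <summary>
    /// Builds an identity policy allowing lambda:InvokeFunction on exactly one function.
    /// </summary>
    /// <param name="functionArn">ARN of the only function the role may invoke.</param>
    /// <returns>The policy document as a JSON string.</returns>
    private static string InvokePolicyFor(string functionArn) =>
        System.Text.Json.JsonSerializer.Serialize(new
        {
            Version = "2012-10-17",
            Statement = new[]
            {
                new
                {
                    Action = "lambda:InvokeFunction",
                    Effect = "Allow",
                    Resource = functionArn,
                },
            },
        });
}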


import json

import pulumi
import pulumi_aws as aws

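# Wires an API Gateway REST API to a Lambda-backed custom authorizer.
#
# Security notes for anyone adapting this example:
# - The Authorizer uses the provider defaults (TOKEN type, token read from the
#   Authorization header, results cached for 300 s). A cached allow decision
#   stays valid until the TTL expires even if the token is revoked upstream;
#   lower authorizer_result_ttl_in_seconds if that matters.
# - Creating an Authorizer protects nothing by itself; each Method must reference
#   it (authorization="CUSTOM", authorizer_id=...). No Methods are defined here.
# - The Lambda execution role has no policies attached, so the function cannot
#   write CloudWatch logs; attach a logging policy if you need them.
# - The invocation role trusts the apigateway.amazonaws.com service principal
#   with no SourceArn/SourceAccount condition, so any API in this account can
#   assume it. Its inline policy is scoped to this one function; keep it so.


def _trust_policy(service: str) -> str:
    """Return a trust policy (JSON) letting ``service`` assume a role.

    Built with json.dumps so nothing has to be quoted by hand.
    """
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Principal": {"Service": service},
                "Effect": "Allow",
                "Sid": "",
            }
        ],
    })


def _invoke_policy(function_arn: str) -> str:
    """Return an identity policy (JSON) allowing lambda:InvokeFunction on one function."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "lambda:InvokeFunction",
                "Effect": "Allow",
                "Resource": function_arn,
            }
        ],
    })


demo_rest_api = aws.apigateway.RestApi("demoRestApi")

# Role that API Gateway assumes when it calls the authorizer function.
invocation_role = aws.iam.Role("invocationRole",
    path="/",
    assume_role_policy=_trust_policy("apigateway.amazonaws.com"))

# Execution role for the authorizer function itself (no policies attached).
lambda_ = aws.iam.Role("lambda", assume_role_policy=_trust_policy("lambda.amazonaws.com"))

# NOTE(review): no runtime is set; supply the one matching lambda-function.zip.
authorizer = aws.lambda_.Function("authorizer",
    code=pulumi.FileArchive("lambda-function.zip"),
    role=lambda_.arn,
    handler="exports.example")

demo_authorizer = aws.apigateway.Authorizer("demoAuthorizer",
    rest_api=demo_rest_api.id,
    authorizer_uri=authorizer.invoke_arn,
    authorizer_credentials=invocation_role.arn)

# Least privilege: the invocation role may invoke only this one function.
invocation_policy = aws.iam.RolePolicy("invocationPolicy",
    role=invocation_role.id,
    policy=authorizer.arn.apply(_invoke_policy))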
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

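// Wires an API Gateway REST API to a Lambda-backed custom authorizer.
//
// Security notes for anyone adapting this example:
// - The Authorizer uses the provider defaults (TOKEN type, token read from the
//   Authorization header, results cached for 300 s). A cached allow decision
//   stays valid until the TTL expires even if the token is revoked upstream;
//   lower authorizerResultTtlInSeconds if that matters.
// - Creating an Authorizer protects nothing by itself; each Method must reference
//   it (authorization: "CUSTOM", authorizerId: ...). No Methods are defined here.
// - The Lambda execution role has no policies attached, so the function cannot
//   write CloudWatch logs; attach a logging policy if you need them.
// - The invocation role trusts the apigateway.amazonaws.com service principal
//   with no SourceArn/SourceAccount condition, so any API in this account can
//   assume it. Its inline policy is scoped to this one function; keep it so.

/**
 * Trust policy (JSON) letting one AWS service principal assume a role.
 * Built with JSON.stringify so nothing has to be quoted by hand.
 * @param service service principal, e.g. "apigateway.amazonaws.com"
 */
function trustPolicyFor(service: string): string {
    return JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Action: "sts:AssumeRole",
                Principal: { Service: service },
                Effect: "Allow",
                Sid: "",
            },
        ],
    });
}

/**
 * Identity policy (JSON) allowing lambda:InvokeFunction on exactly one function.
 * @param functionArn ARN of the only function the role may invoke
 */
function invokePolicyFor(functionArn: string): string {
    return JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Action: "lambda:InvokeFunction",
                Effect: "Allow",
                Resource: functionArn,
            },
        ],
    });
}

const demoRestApi = new aws.apigateway.RestApi("demoRestApi", {});

// Role that API Gateway assumes when it calls the authorizer function.
const invocationRole = new aws.iam.Role("invocationRole", {
    path: "/",
    assumeRolePolicy: trustPolicyFor("apigateway.amazonaws.com"),
});

// Execution role for the authorizer function itself (no policies attached).
const lambda = new aws.iam.Role("lambda", {
    assumeRolePolicy: trustPolicyFor("lambda.amazonaws.com"),
});

// NOTE(review): no runtime is set; supply the one matching lambda-function.zip.
const authorizer = new aws.lambda.Function("authorizer", {
    code: new pulumi.asset.FileArchive("lambda-function.zip"),
    role: lambda.arn,
    handler: "exports.example",
});

const demoAuthorizer = new aws.apigateway.Authorizer("demoAuthorizer", {
    restApi: demoRestApi.id,
    authorizerUri: authorizer.invokeArn,
    authorizerCredentials: invocationRole.arn,
});

// Least privilege: the invocation role may invoke only this one function.
const invocationPolicy = new aws.iam.RolePolicy("invocationPolicy", {
    role: invocationRole.id,
    policy: authorizer.arn.apply(invokePolicyFor),
});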

Create an Authorizer Resource

new Authorizer(name: string, args: AuthorizerArgs, opts?: CustomResourceOptions);
@overload
def Authorizer(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               authorizer_credentials: Optional[str] = None,
               authorizer_result_ttl_in_seconds: Optional[int] = None,
               authorizer_uri: Optional[str] = None,
               identity_source: Optional[str] = None,
               identity_validation_expression: Optional[str] = None,
               name: Optional[str] = None,
               provider_arns: Optional[Sequence[str]] = None,
               rest_api: Optional[str] = None,
               type: Optional[str] = None)
@overload
def Authorizer(resource_name: str,
               args: AuthorizerArgs,
               opts: Optional[ResourceOptions] = None)
func NewAuthorizer(ctx *Context, name string, args AuthorizerArgs, opts ...ResourceOption) (*Authorizer, error)
public Authorizer(string name, AuthorizerArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args AuthorizerArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args AuthorizerArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AuthorizerArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AuthorizerArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

Authorizer Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Authorizer resource accepts the following input properties:

RestApi string | string
The ID of the associated REST API
AuthorizerCredentials string
The credentials required for the authorizer. To specify an IAM Role for API Gateway to assume, use the IAM Role ARN. Grant that role only lambda:InvokeFunction on the authorizer function itself, as the example above does.
AuthorizerResultTtlInSeconds int
The TTL of cached authorizer results in seconds. Defaults to 300. While a result is cached, API Gateway reuses it without invoking the authorizer again, so a token revoked upstream can keep working for up to this long; set 0 to disable caching.
AuthorizerUri string
The authorizer’s Uniform Resource Identifier (URI). This must be a well-formed Lambda function URI in the form of arn:aws:apigateway:{region}:lambda:path/{service_api}, e.g. arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:012345678912:function:my-function/invocations
IdentitySource string
The source of the identity in an incoming request. Defaults to method.request.header.Authorization. For REQUEST type, this may be a comma-separated list of values, including headers, query string parameters and stage variables - e.g. "method.request.header.SomeHeaderName,method.request.querystring.SomeQueryStringName,stageVariables.SomeStageVariableName". When result caching is enabled, these values also form the cache key, so a REQUEST authorizer should list every input its decision depends on.
IdentityValidationExpression string
A validation expression for the incoming identity. For TOKEN type, this value should be a regular expression. The incoming token from the client is matched against this expression, and will proceed if the token matches. If the token doesn't match, the client receives a 401 Unauthorized response without the authorizer being invoked. The expression is only a pre-filter: a token that matches is still untrusted, and the authorizer must verify it (signature, issuer, expiry) itself. Keep the pattern simple, since it runs against attacker-controlled input.
Name string
The name of the authorizer
ProviderArns List<string>
A list of the Amazon Cognito user pool ARNs. Each element is of this format: arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}.
Type string
The type of the authorizer. Possible values are TOKEN for a Lambda function using a single authorization token submitted in a custom header, REQUEST for a Lambda function using incoming request parameters, or COGNITO_USER_POOLS for using an Amazon Cognito user pool. Defaults to TOKEN.
RestApi string | string
The ID of the associated REST API
AuthorizerCredentials string
The credentials required for the authorizer. To specify an IAM Role for API Gateway to assume, use the IAM Role ARN.
AuthorizerResultTtlInSeconds int
The TTL of cached authorizer results in seconds. Defaults to 300.
AuthorizerUri string
The authorizer’s Uniform Resource Identifier (URI). This must be a well-formed Lambda function URI in the form of arn:aws:apigateway:{region}:lambda:path/{service_api}, e.g. arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:012345678912:function:my-function/invocations
IdentitySource string
The source of the identity in an incoming request. Defaults to method.request.header.Authorization. For REQUEST type, this may be a comma-separated list of values, including headers, query string parameters and stage variables - e.g. "method.request.header.SomeHeaderName,method.request.querystring.SomeQueryStringName,stageVariables.SomeStageVariableName"
IdentityValidationExpression string
A validation expression for the incoming identity. For TOKEN type, this value should be a regular expression. The incoming token from the client is matched against this expression, and will proceed if the token matches. If the token doesn’t match, the client receives a 401 Unauthorized response.
Name string
The name of the authorizer
ProviderArns []string
A list of the Amazon Cognito user pool ARNs. Each element is of this format: arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}.
Type string
The type of the authorizer. Possible values are TOKEN for a Lambda function using a single authorization token submitted in a custom header, REQUEST for a Lambda function using incoming request parameters, or COGNITO_USER_POOLS for using an Amazon Cognito user pool. Defaults to TOKEN.
restApi string | RestApi
The ID of the associated REST API
authorizerCredentials string
The credentials required for the authorizer. To specify an IAM Role for API Gateway to assume, use the IAM Role ARN.
authorizerResultTtlInSeconds number
The TTL of cached authorizer results in seconds. Defaults to 300.
authorizerUri string
The authorizer’s Uniform Resource Identifier (URI). This must be a well-formed Lambda function URI in the form of arn:aws:apigateway:{region}:lambda:path/{service_api}, e.g. arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:012345678912:function:my-function/invocations
identitySource string
The source of the identity in an incoming request. Defaults to method.request.header.Authorization. For REQUEST type, this may be a comma-separated list of values, including headers, query string parameters and stage variables - e.g. "method.request.header.SomeHeaderName,method.request.querystring.SomeQueryStringName,stageVariables.SomeStageVariableName"
identityValidationExpression string
A validation expression for the incoming identity. For TOKEN type, this value should be a regular expression. The incoming token from the client is matched against this expression, and will proceed if the token matches. If the token doesn’t match, the client receives a 401 Unauthorized response.
name string
The name of the authorizer
providerArns string[]
A list of the Amazon Cognito user pool ARNs. Each element is of this format: arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}.
type string
The type of the authorizer. Possible values are TOKEN for a Lambda function using a single authorization token submitted in a custom header, REQUEST for a Lambda function using incoming request parameters, or COGNITO_USER_POOLS for using an Amazon Cognito user pool. Defaults to TOKEN.
rest_api str | str
The ID of the associated REST API
authorizer_credentials str
The credentials required for the authorizer. To specify an IAM Role for API Gateway to assume, use the IAM Role ARN.
authorizer_result_ttl_in_seconds int
The TTL of cached authorizer results in seconds. Defaults to 300.
authorizer_uri str
The authorizer’s Uniform Resource Identifier (URI). This must be a well-formed Lambda function URI in the form of arn:aws:apigateway:{region}:lambda:path/{service_api}, e.g. arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:012345678912:function:my-function/invocations
identity_source str
The source of the identity in an incoming request. Defaults to method.request.header.Authorization. For REQUEST type, this may be a comma-separated list of values, including headers, query string parameters and stage variables - e.g. "method.request.header.SomeHeaderName,method.request.querystring.SomeQueryStringName,stageVariables.SomeStageVariableName"
identity_validation_expression str
A validation expression for the incoming identity. For TOKEN type, this value should be a regular expression. The incoming token from the client is matched against this expression, and will proceed if the token matches. If the token doesn’t match, the client receives a 401 Unauthorized response.
name str
The name of the authorizer
provider_arns Sequence[str]
A list of the Amazon Cognito user pool ARNs. Each element is of this format: arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}.
type str
The type of the authorizer. Possible values are TOKEN for a Lambda function using a single authorization token submitted in a custom header, REQUEST for a Lambda function using incoming request parameters, or COGNITO_USER_POOLS for using an Amazon Cognito user pool. Defaults to TOKEN.

Outputs

All input properties are implicitly available as output properties. Additionally, the Authorizer resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Id string
The provider-assigned unique ID for this managed resource.
id string
The provider-assigned unique ID for this managed resource.
id str
The provider-assigned unique ID for this managed resource.

Look up an Existing Authorizer Resource

Get an existing Authorizer resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AuthorizerState, opts?: CustomResourceOptions): Authorizer
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        authorizer_credentials: Optional[str] = None,
        authorizer_result_ttl_in_seconds: Optional[int] = None,
        authorizer_uri: Optional[str] = None,
        identity_source: Optional[str] = None,
        identity_validation_expression: Optional[str] = None,
        name: Optional[str] = None,
        provider_arns: Optional[Sequence[str]] = None,
        rest_api: Optional[str] = None,
        type: Optional[str] = None) -> Authorizer
func GetAuthorizer(ctx *Context, name string, id IDInput, state *AuthorizerState, opts ...ResourceOption) (*Authorizer, error)
public static Authorizer Get(string name, Input<string> id, AuthorizerState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

AuthorizerCredentials string
The credentials required for the authorizer. To specify an IAM Role for API Gateway to assume, use the IAM Role ARN.
AuthorizerResultTtlInSeconds int
The TTL of cached authorizer results in seconds. Defaults to 300.
AuthorizerUri string
The authorizer’s Uniform Resource Identifier (URI). This must be a well-formed Lambda function URI in the form of arn:aws:apigateway:{region}:lambda:path/{service_api}, e.g. arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:012345678912:function:my-function/invocations
IdentitySource string
The source of the identity in an incoming request. Defaults to method.request.header.Authorization. For REQUEST type, this may be a comma-separated list of values, including headers, query string parameters and stage variables - e.g. "method.request.header.SomeHeaderName,method.request.querystring.SomeQueryStringName,stageVariables.SomeStageVariableName"
IdentityValidationExpression string
A validation expression for the incoming identity. For TOKEN type, this value should be a regular expression. The incoming token from the client is matched against this expression, and will proceed if the token matches. If the token doesn’t match, the client receives a 401 Unauthorized response.
Name string
The name of the authorizer
ProviderArns List<string>
A list of the Amazon Cognito user pool ARNs. Each element is of this format: arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}.
RestApi string | string
The ID of the associated REST API
Type string
The type of the authorizer. Possible values are TOKEN for a Lambda function using a single authorization token submitted in a custom header, REQUEST for a Lambda function using incoming request parameters, or COGNITO_USER_POOLS for using an Amazon Cognito user pool. Defaults to TOKEN.
AuthorizerCredentials string
The credentials required for the authorizer. To specify an IAM Role for API Gateway to assume, use the IAM Role ARN.
AuthorizerResultTtlInSeconds int
The TTL of cached authorizer results in seconds. Defaults to 300.
AuthorizerUri string
The authorizer’s Uniform Resource Identifier (URI). This must be a well-formed Lambda function URI in the form of arn:aws:apigateway:{region}:lambda:path/{service_api}, e.g. arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:012345678912:function:my-function/invocations
IdentitySource string
The source of the identity in an incoming request. Defaults to method.request.header.Authorization. For REQUEST type, this may be a comma-separated list of values, including headers, query string parameters and stage variables - e.g. "method.request.header.SomeHeaderName,method.request.querystring.SomeQueryStringName,stageVariables.SomeStageVariableName"
IdentityValidationExpression string
A validation expression for the incoming identity. For TOKEN type, this value should be a regular expression. The incoming token from the client is matched against this expression, and will proceed if the token matches. If the token doesn’t match, the client receives a 401 Unauthorized response.
Name string
The name of the authorizer
ProviderArns []string
A list of the Amazon Cognito user pool ARNs. Each element is of this format: arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}.
RestApi string | string
The ID of the associated REST API
Type string
The type of the authorizer. Possible values are TOKEN for a Lambda function using a single authorization token submitted in a custom header, REQUEST for a Lambda function using incoming request parameters, or COGNITO_USER_POOLS for using an Amazon Cognito user pool. Defaults to TOKEN.
authorizerCredentials string
The credentials required for the authorizer. To specify an IAM Role for API Gateway to assume, use the IAM Role ARN.
authorizerResultTtlInSeconds number
The TTL of cached authorizer results in seconds. Defaults to 300.
authorizerUri string
The authorizer’s Uniform Resource Identifier (URI). This must be a well-formed Lambda function URI in the form of arn:aws:apigateway:{region}:lambda:path/{service_api}, e.g. arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:012345678912:function:my-function/invocations
identitySource string
The source of the identity in an incoming request. Defaults to method.request.header.Authorization. For REQUEST type, this may be a comma-separated list of values, including headers, query string parameters and stage variables - e.g. "method.request.header.SomeHeaderName,method.request.querystring.SomeQueryStringName,stageVariables.SomeStageVariableName"
identityValidationExpression string
A validation expression for the incoming identity. For TOKEN type, this value should be a regular expression. The incoming token from the client is matched against this expression, and will proceed if the token matches. If the token doesn’t match, the client receives a 401 Unauthorized response.
name string
The name of the authorizer
providerArns string[]
A list of the Amazon Cognito user pool ARNs. Each element is of this format: arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}.
restApi string | RestApi
The ID of the associated REST API
type string
The type of the authorizer. Possible values are TOKEN for a Lambda function using a single authorization token submitted in a custom header, REQUEST for a Lambda function using incoming request parameters, or COGNITO_USER_POOLS for using an Amazon Cognito user pool. Defaults to TOKEN.
authorizer_credentials str
The credentials required for the authorizer. To specify an IAM Role for API Gateway to assume, use the IAM Role ARN.
authorizer_result_ttl_in_seconds int
The TTL of cached authorizer results in seconds. Defaults to 300.
authorizer_uri str
The authorizer’s Uniform Resource Identifier (URI). This must be a well-formed Lambda function URI in the form of arn:aws:apigateway:{region}:lambda:path/{service_api}, e.g. arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:012345678912:function:my-function/invocations
identity_source str
The source of the identity in an incoming request. Defaults to method.request.header.Authorization. For REQUEST type, this may be a comma-separated list of values, including headers, query string parameters and stage variables - e.g. "method.request.header.SomeHeaderName,method.request.querystring.SomeQueryStringName,stageVariables.SomeStageVariableName"
identity_validation_expression str
A validation expression for the incoming identity. For TOKEN type, this value should be a regular expression. The incoming token from the client is matched against this expression, and will proceed if the token matches. If the token doesn’t match, the client receives a 401 Unauthorized response.
name str
The name of the authorizer
provider_arns Sequence[str]
A list of the Amazon Cognito user pool ARNs. Each element is of this format: arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}.
rest_api str | str
The ID of the associated REST API
type str
The type of the authorizer. Possible values are TOKEN for a Lambda function using a single authorization token submitted in a custom header, REQUEST for a Lambda function using incoming request parameters, or COGNITO_USER_POOLS for using an Amazon Cognito user pool. Defaults to TOKEN.

Import

AWS API Gateway Authorizer can be imported using the REST-API-ID/AUTHORIZER-ID, e.g.

 $ pulumi import aws:apigateway/authorizer:Authorizer authorizer 12345abcde/example

Package Details

Repository
https://github.com/pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.