README
¶
AWS APIGatewayv2 Authorizers
Table of Contents
Introduction
API Gateway supports multiple mechanisms for controlling and managing access to your HTTP API. They are mainly classified into Lambda Authorizers, JWT authorizers, and standard AWS IAM roles and policies. More information is available at Controlling and managing access to an HTTP API.
HTTP APIs
Access control for HTTP APIs is managed by restricting which routes can be invoked via.
Authorizers and scopes can either be applied to the API, or specifically for each route.
Default Authorization
When using default authorization, all routes of the API will inherit the configuration.
In the example below, all routes will require the manage:books scope present in order to invoke the integration.
import "github.com/aws/aws-cdk-go/awscdk"
issuer := "https://test.us.auth0.com"
authorizer := awscdk.NewHttpJwtAuthorizer(jsii.String("DefaultAuthorizer"), issuer, &HttpJwtAuthorizerProps{
JwtAudience: []*string{
jsii.String("3131231"),
},
})
api := apigwv2.NewHttpApi(this, jsii.String("HttpApi"), &HttpApiProps{
DefaultAuthorizer: authorizer,
DefaultAuthorizationScopes: []*string{
jsii.String("manage:books"),
},
})
Route Authorization
Authorization can also be configured for each Route. When a route authorization is configured, it takes precedence over default authorization.
The example below showcases default authorization, along with route authorization. It also shows how to remove authorization entirely for a route.
GET /booksandGET /books/{id}use the default authorizer settings on the apiPOST /bookswill require the['write:books']scopePOST /loginremoves the default authorizer (unauthenticated route)
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
issuer := "https://test.us.auth0.com"
authorizer := awscdk.NewHttpJwtAuthorizer(jsii.String("DefaultAuthorizer"), issuer, &HttpJwtAuthorizerProps{
JwtAudience: []*string{
jsii.String("3131231"),
},
})
api := apigwv2.NewHttpApi(this, jsii.String("HttpApi"), &HttpApiProps{
DefaultAuthorizer: authorizer,
DefaultAuthorizationScopes: []*string{
jsii.String("read:books"),
},
})
api.AddRoutes(&AddRoutesOptions{
Integration: awscdk.NewHttpUrlIntegration(jsii.String("BooksIntegration"), jsii.String("https://get-books-proxy.example.com")),
Path: jsii.String("/books"),
Methods: []HttpMethod{
apigwv2.HttpMethod_GET,
},
})
api.AddRoutes(&AddRoutesOptions{
Integration: awscdk.NewHttpUrlIntegration(jsii.String("BooksIdIntegration"), jsii.String("https://get-books-proxy.example.com")),
Path: jsii.String("/books/{id}"),
Methods: []HttpMethod{
apigwv2.HttpMethod_GET,
},
})
api.AddRoutes(&AddRoutesOptions{
Integration: awscdk.NewHttpUrlIntegration(jsii.String("BooksIntegration"), jsii.String("https://get-books-proxy.example.com")),
Path: jsii.String("/books"),
Methods: []HttpMethod{
apigwv2.HttpMethod_POST,
},
AuthorizationScopes: []*string{
jsii.String("write:books"),
},
})
api.AddRoutes(&AddRoutesOptions{
Integration: awscdk.NewHttpUrlIntegration(jsii.String("LoginIntegration"), jsii.String("https://get-books-proxy.example.com")),
Path: jsii.String("/login"),
Methods: []HttpMethod{
apigwv2.HttpMethod_POST,
},
Authorizer: apigwv2.NewHttpNoneAuthorizer(),
})
JWT Authorizers
JWT authorizers allow the use of JSON Web Tokens (JWTs) as part of OpenID Connect and OAuth 2.0 frameworks to allow and restrict clients from accessing HTTP APIs.
When configured, API Gateway validates the JWT submitted by the client, and allows or denies access based on its content.
The location of the token is defined by the identitySource which defaults to the HTTP Authorization header. However it also
supports a number of other options.
It then decodes the JWT and validates the signature and claims, against the options defined in the authorizer and route (scopes).
For more information check the JWT Authorizer documentation.
Clients that fail authorization are presented with either 2 responses:
401 - Unauthorized- When the JWT validation fails403 - Forbidden- When the JWT validation is successful but the required scopes are not met
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
issuer := "https://test.us.auth0.com"
authorizer := awscdk.NewHttpJwtAuthorizer(jsii.String("BooksAuthorizer"), issuer, &HttpJwtAuthorizerProps{
JwtAudience: []*string{
jsii.String("3131231"),
},
})
api := apigwv2.NewHttpApi(this, jsii.String("HttpApi"))
api.AddRoutes(&AddRoutesOptions{
Integration: awscdk.NewHttpUrlIntegration(jsii.String("BooksIntegration"), jsii.String("https://get-books-proxy.example.com")),
Path: jsii.String("/books"),
Authorizer: Authorizer,
})
User Pool Authorizer
User Pool Authorizer is a type of JWT Authorizer that uses a Cognito user pool and app client to control who can access your API. After a successful authorization from the app client, the generated access token will be used as the JWT.
Clients accessing an API that uses a user pool authorizer must first sign in to a user pool and obtain an identity or access token.
They must then use this token in the specified identitySource for the API call. More information is available at using Amazon Cognito user
pools as authorizer.
import cognito "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
userPool := cognito.NewUserPool(this, jsii.String("UserPool"))
authorizer := awscdk.NewHttpUserPoolAuthorizer(jsii.String("BooksAuthorizer"), userPool)
api := apigwv2.NewHttpApi(this, jsii.String("HttpApi"))
api.AddRoutes(&AddRoutesOptions{
Integration: awscdk.NewHttpUrlIntegration(jsii.String("BooksIntegration"), jsii.String("https://get-books-proxy.example.com")),
Path: jsii.String("/books"),
Authorizer: Authorizer,
})
Lambda Authorizers
Lambda authorizers use a Lambda function to control access to your HTTP API. When a client calls your API, API Gateway invokes your Lambda function and uses the response to determine whether the client can access your API.
Lambda authorizers depending on their response, fall into either two types - Simple or IAM. You can learn about differences here.
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
// This function handles your auth logic
var authHandler Function
authorizer := awscdk.NewHttpLambdaAuthorizer(jsii.String("BooksAuthorizer"), authHandler, &HttpLambdaAuthorizerProps{
ResponseTypes: []HttpLambdaResponseType{
awscdk.HttpLambdaResponseType_SIMPLE,
},
})
api := apigwv2.NewHttpApi(this, jsii.String("HttpApi"))
api.AddRoutes(&AddRoutesOptions{
Integration: awscdk.NewHttpUrlIntegration(jsii.String("BooksIntegration"), jsii.String("https://get-books-proxy.example.com")),
Path: jsii.String("/books"),
Authorizer: Authorizer,
})
IAM Authorizers
API Gateway supports IAM via the included HttpIamAuthorizer and grant syntax:
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
var principal AnyPrincipal
authorizer := awscdk.NewHttpIamAuthorizer()
httpApi := apigwv2.NewHttpApi(this, jsii.String("HttpApi"), &HttpApiProps{
DefaultAuthorizer: authorizer,
})
routes := httpApi.AddRoutes(&AddRoutesOptions{
Integration: awscdk.NewHttpUrlIntegration(jsii.String("BooksIntegration"), jsii.String("https://get-books-proxy.example.com")),
Path: jsii.String("/books/{book}"),
})
routes[0].GrantInvoke(principal)
WebSocket APIs
You can set an authorizer to your WebSocket API's $connect route to control access to your API.
Lambda Authorizer
Lambda authorizers use a Lambda function to control access to your WebSocket API. When a client connects to your API, API Gateway invokes your Lambda function and uses the response to determine whether the client can access your API.
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
// This function handles your auth logic
var authHandler Function
// This function handles your WebSocket requests
var handler Function
authorizer := awscdk.NewWebSocketLambdaAuthorizer(jsii.String("Authorizer"), authHandler)
integration := awscdk.NewWebSocketLambdaIntegration(jsii.String("Integration"), handler)
apigwv2.NewWebSocketApi(this, jsii.String("WebSocketApi"), &WebSocketApiProps{
ConnectRouteOptions: &WebSocketRouteOptions{
Integration: *Integration,
Authorizer: *Authorizer,
},
})
IAM Authorizer
IAM authorizers can be used to allow identity-based access to your WebSocket API.
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
// This function handles your connect route
var connectHandler Function
webSocketApi := apigwv2.NewWebSocketApi(this, jsii.String("WebSocketApi"))
webSocketApi.AddRoute(jsii.String("$connect"), &WebSocketRouteOptions{
Integration: awscdk.NewWebSocketLambdaIntegration(jsii.String("Integration"), connectHandler),
Authorizer: awscdk.NewWebSocketIamAuthorizer(),
})
// Create an IAM user (identity)
user := iam.NewUser(this, jsii.String("User"))
webSocketArn := awscdk.stack_Of(this).FormatArn(&ArnComponents{
Service: jsii.String("execute-api"),
Resource: webSocketApi.ApiId,
})
// Grant access to the IAM user
user.AttachInlinePolicy(iam.NewPolicy(this, jsii.String("AllowInvoke"), &PolicyProps{
Statements: []PolicyStatement{
iam.NewPolicyStatement(&PolicyStatementProps{
Actions: []*string{
jsii.String("execute-api:Invoke"),
},
Effect: iam.Effect_ALLOW,
Resources: []*string{
webSocketArn,
},
}),
},
}))
Import Issues
jsiirc.json file is missing during the stablization process of this module, which caused import issues for DotNet and Java users who attempt to use this module. Unfortunately, to guarantee backward compatibility, we cannot simply correct the namespace for DotNet or package for Java. The following outlines the workaround.
DotNet Namespace
Instead of the conventional namespace Amazon.CDK.AWS.Apigatewayv2.Authorizers, you would need to use the following namespace:
using Amazon.CDK.AwsApigatewayv2Authorizers;;
Java Package
Instead of conventional package import software.amazon.awscdk.services.apigatewayv2_authorizers.*, you would need to use the following package:
import software.amazon.awscdk.aws_apigatewayv2_authorizers.*;
// If you want to import a specific construct
import software.amazon.awscdk.aws_apigatewayv2_authorizers.WebSocketIamAuthorizer;
Export HTTP Authorizer Id
You can retrieve the authorizer's id once it has been bound to a route to export the value.
HttpAuthorizer.fromHttpAuthorizerAttributes
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
// This function handles your auth logic
var authHandler Function
authorizer := awscdk.NewHttpLambdaAuthorizer(jsii.String("BooksAuthorizer"), authHandler, &HttpLambdaAuthorizerProps{
ResponseTypes: []HttpLambdaResponseType{
awscdk.HttpLambdaResponseType_SIMPLE,
},
})
api := apigwv2.NewHttpApi(this, jsii.String("HttpApi"))
api.AddRoutes(&AddRoutesOptions{
Integration: awscdk.NewHttpUrlIntegration(jsii.String("BooksIntegration"), jsii.String("https://get-books-proxy.example.com")),
Path: jsii.String("/books"),
Authorizer: Authorizer,
})
// You can only access authorizerId after it's been bound to a route
// In this example we expect use CfnOutput
// You can only access authorizerId after it's been bound to a route
// In this example we expect use CfnOutput
awscdk.NewCfnOutput(this, jsii.String("authorizerId"), &CfnOutputProps{
Value: authorizer.authorizerId,
})
awscdk.NewCfnOutput(this, jsii.String("authorizerType"), &CfnOutputProps{
Value: authorizer.AuthorizationType,
})
Import an existing HTTP Authorizer
If you want to import av existing HTTP Authorizer you simply provide the authorizer id and authorizer type used when the authorizer was created.
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
authorizerId := awscdk.Fn_ImportValue(jsii.String("authorizerId"))
authorizerType := awscdk.Fn_ImportValue(jsii.String("authorizerType"))
authorizer := awscdk.HttpAuthorizer_FromHttpAuthorizerAttributes(this, jsii.String("HttpAuthorizer"), &HttpAuthorizerAttributes{
AuthorizerId: jsii.String(AuthorizerId),
AuthorizerType: jsii.String(AuthorizerType),
})
Documentation
¶
Index ¶
- func NewHttpIamAuthorizer_Override(h HttpIamAuthorizer)
- func NewHttpJwtAuthorizer_Override(h HttpJwtAuthorizer, id *string, jwtIssuer *string, ...)
- func NewHttpLambdaAuthorizer_Override(h HttpLambdaAuthorizer, id *string, handler awslambda.IFunction, ...)
- func NewHttpUserPoolAuthorizer_Override(h HttpUserPoolAuthorizer, id *string, pool awscognito.IUserPool, ...)
- func NewWebSocketIamAuthorizer_Override(w WebSocketIamAuthorizer)
- func NewWebSocketLambdaAuthorizer_Override(w WebSocketLambdaAuthorizer, id *string, handler awslambda.IFunction, ...)
- type HttpIamAuthorizer
- type HttpJwtAuthorizer
- type HttpJwtAuthorizerProps
- type HttpLambdaAuthorizer
- type HttpLambdaAuthorizerProps
- type HttpLambdaResponseType
- type HttpUserPoolAuthorizer
- type HttpUserPoolAuthorizerProps
- type WebSocketIamAuthorizer
- type WebSocketLambdaAuthorizer
- type WebSocketLambdaAuthorizerProps
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewHttpIamAuthorizer_Override ¶
func NewHttpIamAuthorizer_Override(h HttpIamAuthorizer)
func NewHttpJwtAuthorizer_Override ¶
func NewHttpJwtAuthorizer_Override(h HttpJwtAuthorizer, id *string, jwtIssuer *string, props *HttpJwtAuthorizerProps)
Initialize a JWT authorizer to be bound with HTTP route.
func NewHttpLambdaAuthorizer_Override ¶
func NewHttpLambdaAuthorizer_Override(h HttpLambdaAuthorizer, id *string, handler awslambda.IFunction, props *HttpLambdaAuthorizerProps)
Initialize a lambda authorizer to be bound with HTTP route.
func NewHttpUserPoolAuthorizer_Override ¶
func NewHttpUserPoolAuthorizer_Override(h HttpUserPoolAuthorizer, id *string, pool awscognito.IUserPool, props *HttpUserPoolAuthorizerProps)
Initialize a Cognito user pool authorizer to be bound with HTTP route.
func NewWebSocketIamAuthorizer_Override ¶
func NewWebSocketIamAuthorizer_Override(w WebSocketIamAuthorizer)
func NewWebSocketLambdaAuthorizer_Override ¶
func NewWebSocketLambdaAuthorizer_Override(w WebSocketLambdaAuthorizer, id *string, handler awslambda.IFunction, props *WebSocketLambdaAuthorizerProps)
Types ¶
type HttpIamAuthorizer ¶
type HttpIamAuthorizer interface {
awsapigatewayv2.IHttpRouteAuthorizer
// The authorizationType used for IAM Authorizer.
AuthorizationType() awsapigatewayv2.HttpAuthorizerType
// Bind this authorizer to a specified Http route.
Bind(options *awsapigatewayv2.HttpRouteAuthorizerBindOptions) *awsapigatewayv2.HttpRouteAuthorizerConfig
}
Authorize HTTP API Routes with IAM.
Example:
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
var principal AnyPrincipal
authorizer := awscdk.NewHttpIamAuthorizer()
httpApi := apigwv2.NewHttpApi(this, jsii.String("HttpApi"), &HttpApiProps{
DefaultAuthorizer: authorizer,
})
routes := httpApi.AddRoutes(&AddRoutesOptions{
Integration: awscdk.NewHttpUrlIntegration(jsii.String("BooksIntegration"), jsii.String("https://get-books-proxy.example.com")),
Path: jsii.String("/books/{book}"),
})
routes[0].GrantInvoke(principal)
func NewHttpIamAuthorizer ¶
func NewHttpIamAuthorizer() HttpIamAuthorizer
type HttpJwtAuthorizer ¶
type HttpJwtAuthorizer interface {
awsapigatewayv2.IHttpRouteAuthorizer
// The authorizationType used for JWT Authorizer.
AuthorizationType() *string
// Return the id of the authorizer if it's been constructed.
AuthorizerId() *string
// Bind this authorizer to a specified Http route.
Bind(options *awsapigatewayv2.HttpRouteAuthorizerBindOptions) *awsapigatewayv2.HttpRouteAuthorizerConfig
}
Authorize Http Api routes on whether the requester is registered as part of an AWS Cognito user pool.
Example:
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
issuer := "https://test.us.auth0.com"
authorizer := awscdk.NewHttpJwtAuthorizer(jsii.String("BooksAuthorizer"), issuer, &HttpJwtAuthorizerProps{
JwtAudience: []*string{
jsii.String("3131231"),
},
})
api := apigwv2.NewHttpApi(this, jsii.String("HttpApi"))
api.AddRoutes(&AddRoutesOptions{
Integration: awscdk.NewHttpUrlIntegration(jsii.String("BooksIntegration"), jsii.String("https://get-books-proxy.example.com")),
Path: jsii.String("/books"),
Authorizer: Authorizer,
})
func NewHttpJwtAuthorizer ¶
func NewHttpJwtAuthorizer(id *string, jwtIssuer *string, props *HttpJwtAuthorizerProps) HttpJwtAuthorizer
Initialize a JWT authorizer to be bound with HTTP route.
type HttpJwtAuthorizerProps ¶
type HttpJwtAuthorizerProps struct {
// A list of the intended recipients of the JWT.
//
// A valid JWT must provide an aud that matches at least one entry in this list.
JwtAudience *[]*string `field:"required" json:"jwtAudience" yaml:"jwtAudience"`
// The name of the authorizer.
// Default: - same value as `id` passed in the constructor.
//
AuthorizerName *string `field:"optional" json:"authorizerName" yaml:"authorizerName"`
// The identity source for which authorization is requested.
// Default: ['$request.header.Authorization']
//
IdentitySource *[]*string `field:"optional" json:"identitySource" yaml:"identitySource"`
}
Properties to initialize HttpJwtAuthorizer.
Example:
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
issuer := "https://test.us.auth0.com"
authorizer := awscdk.NewHttpJwtAuthorizer(jsii.String("BooksAuthorizer"), issuer, &HttpJwtAuthorizerProps{
JwtAudience: []*string{
jsii.String("3131231"),
},
})
api := apigwv2.NewHttpApi(this, jsii.String("HttpApi"))
api.AddRoutes(&AddRoutesOptions{
Integration: awscdk.NewHttpUrlIntegration(jsii.String("BooksIntegration"), jsii.String("https://get-books-proxy.example.com")),
Path: jsii.String("/books"),
Authorizer: Authorizer,
})
type HttpLambdaAuthorizer ¶
type HttpLambdaAuthorizer interface {
awsapigatewayv2.IHttpRouteAuthorizer
// The authorizationType used for Lambda Authorizer.
AuthorizationType() *string
// Return the id of the authorizer if it's been constructed.
AuthorizerId() *string
// Bind this authorizer to a specified Http route.
Bind(options *awsapigatewayv2.HttpRouteAuthorizerBindOptions) *awsapigatewayv2.HttpRouteAuthorizerConfig
}
Authorize Http Api routes via a lambda function.
Example:
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
// This function handles your auth logic
var authHandler Function
authorizer := awscdk.NewHttpLambdaAuthorizer(jsii.String("BooksAuthorizer"), authHandler, &HttpLambdaAuthorizerProps{
ResponseTypes: []HttpLambdaResponseType{
awscdk.HttpLambdaResponseType_SIMPLE,
},
})
api := apigwv2.NewHttpApi(this, jsii.String("HttpApi"))
api.AddRoutes(&AddRoutesOptions{
Integration: awscdk.NewHttpUrlIntegration(jsii.String("BooksIntegration"), jsii.String("https://get-books-proxy.example.com")),
Path: jsii.String("/books"),
Authorizer: Authorizer,
})
func NewHttpLambdaAuthorizer ¶
func NewHttpLambdaAuthorizer(id *string, handler awslambda.IFunction, props *HttpLambdaAuthorizerProps) HttpLambdaAuthorizer
Initialize a lambda authorizer to be bound with HTTP route.
type HttpLambdaAuthorizerProps ¶
type HttpLambdaAuthorizerProps struct {
// Friendly authorizer name.
// Default: - same value as `id` passed in the constructor.
//
AuthorizerName *string `field:"optional" json:"authorizerName" yaml:"authorizerName"`
// The identity source for which authorization is requested.
// Default: ['$request.header.Authorization']
//
IdentitySource *[]*string `field:"optional" json:"identitySource" yaml:"identitySource"`
// The types of responses the lambda can return.
//
// If HttpLambdaResponseType.SIMPLE is included then
// response format 2.0 will be used.
// See: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html#http-api-lambda-authorizer.payload-format-response
//
// Default: [HttpLambdaResponseType.IAM]
//
ResponseTypes *[]HttpLambdaResponseType `field:"optional" json:"responseTypes" yaml:"responseTypes"`
// How long APIGateway should cache the results.
//
// Max 1 hour.
// Disable caching by setting this to `Duration.seconds(0)`.
// Default: Duration.minutes(5)
//
ResultsCacheTtl awscdk.Duration `field:"optional" json:"resultsCacheTtl" yaml:"resultsCacheTtl"`
}
Properties to initialize HttpTokenAuthorizer.
Example:
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
// This function handles your auth logic
var authHandler Function
authorizer := awscdk.NewHttpLambdaAuthorizer(jsii.String("BooksAuthorizer"), authHandler, &HttpLambdaAuthorizerProps{
ResponseTypes: []HttpLambdaResponseType{
awscdk.HttpLambdaResponseType_SIMPLE,
},
})
api := apigwv2.NewHttpApi(this, jsii.String("HttpApi"))
api.AddRoutes(&AddRoutesOptions{
Integration: awscdk.NewHttpUrlIntegration(jsii.String("BooksIntegration"), jsii.String("https://get-books-proxy.example.com")),
Path: jsii.String("/books"),
Authorizer: Authorizer,
})
type HttpLambdaResponseType ¶
type HttpLambdaResponseType string
Specifies the type responses the lambda returns.
const ( // Returns simple boolean response. HttpLambdaResponseType_SIMPLE HttpLambdaResponseType = "SIMPLE" // Returns an IAM Policy. HttpLambdaResponseType_IAM HttpLambdaResponseType = "IAM" )
type HttpUserPoolAuthorizer ¶
type HttpUserPoolAuthorizer interface {
awsapigatewayv2.IHttpRouteAuthorizer
// The authorizationType used for UserPool Authorizer.
AuthorizationType() *string
// Return the id of the authorizer if it's been constructed.
AuthorizerId() *string
// Bind this authorizer to a specified Http route.
Bind(options *awsapigatewayv2.HttpRouteAuthorizerBindOptions) *awsapigatewayv2.HttpRouteAuthorizerConfig
}
Authorize Http Api routes on whether the requester is registered as part of an AWS Cognito user pool.
Example:
import cognito "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
userPool := cognito.NewUserPool(this, jsii.String("UserPool"))
authorizer := awscdk.NewHttpUserPoolAuthorizer(jsii.String("BooksAuthorizer"), userPool)
api := apigwv2.NewHttpApi(this, jsii.String("HttpApi"))
api.AddRoutes(&AddRoutesOptions{
Integration: awscdk.NewHttpUrlIntegration(jsii.String("BooksIntegration"), jsii.String("https://get-books-proxy.example.com")),
Path: jsii.String("/books"),
Authorizer: Authorizer,
})
func NewHttpUserPoolAuthorizer ¶
func NewHttpUserPoolAuthorizer(id *string, pool awscognito.IUserPool, props *HttpUserPoolAuthorizerProps) HttpUserPoolAuthorizer
Initialize a Cognito user pool authorizer to be bound with HTTP route.
type HttpUserPoolAuthorizerProps ¶
type HttpUserPoolAuthorizerProps struct {
// Friendly name of the authorizer.
// Default: - same value as `id` passed in the constructor.
//
AuthorizerName *string `field:"optional" json:"authorizerName" yaml:"authorizerName"`
// The identity source for which authorization is requested.
// Default: ['$request.header.Authorization']
//
IdentitySource *[]*string `field:"optional" json:"identitySource" yaml:"identitySource"`
// The user pool clients that should be used to authorize requests with the user pool.
// Default: - a new client will be created for the given user pool.
//
UserPoolClients *[]awscognito.IUserPoolClient `field:"optional" json:"userPoolClients" yaml:"userPoolClients"`
// The AWS region in which the user pool is present.
// Default: - same region as the Route the authorizer is attached to.
//
UserPoolRegion *string `field:"optional" json:"userPoolRegion" yaml:"userPoolRegion"`
}
Properties to initialize HttpUserPoolAuthorizer.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
var userPoolClient UserPoolClient
httpUserPoolAuthorizerProps := &HttpUserPoolAuthorizerProps{
AuthorizerName: jsii.String("authorizerName"),
IdentitySource: []*string{
jsii.String("identitySource"),
},
UserPoolClients: []IUserPoolClient{
userPoolClient,
},
UserPoolRegion: jsii.String("userPoolRegion"),
}
type WebSocketIamAuthorizer ¶
type WebSocketIamAuthorizer interface {
awsapigatewayv2.IWebSocketRouteAuthorizer
// Bind this authorizer to a specified WebSocket route.
Bind(options *awsapigatewayv2.WebSocketRouteAuthorizerBindOptions) *awsapigatewayv2.WebSocketRouteAuthorizerConfig
}
Authorize WebSocket API Routes with IAM.
Example:
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
// This function handles your connect route
var connectHandler Function
webSocketApi := apigwv2.NewWebSocketApi(this, jsii.String("WebSocketApi"))
webSocketApi.AddRoute(jsii.String("$connect"), &WebSocketRouteOptions{
Integration: awscdk.NewWebSocketLambdaIntegration(jsii.String("Integration"), connectHandler),
Authorizer: awscdk.NewWebSocketIamAuthorizer(),
})
// Create an IAM user (identity)
user := iam.NewUser(this, jsii.String("User"))
webSocketArn := awscdk.stack_Of(this).FormatArn(&ArnComponents{
Service: jsii.String("execute-api"),
Resource: webSocketApi.ApiId,
})
// Grant access to the IAM user
user.AttachInlinePolicy(iam.NewPolicy(this, jsii.String("AllowInvoke"), &PolicyProps{
Statements: []PolicyStatement{
iam.NewPolicyStatement(&PolicyStatementProps{
Actions: []*string{
jsii.String("execute-api:Invoke"),
},
Effect: iam.Effect_ALLOW,
Resources: []*string{
webSocketArn,
},
}),
},
}))
func NewWebSocketIamAuthorizer ¶
func NewWebSocketIamAuthorizer() WebSocketIamAuthorizer
type WebSocketLambdaAuthorizer ¶
type WebSocketLambdaAuthorizer interface {
awsapigatewayv2.IWebSocketRouteAuthorizer
// Bind this authorizer to a specified WebSocket route.
Bind(options *awsapigatewayv2.WebSocketRouteAuthorizerBindOptions) *awsapigatewayv2.WebSocketRouteAuthorizerConfig
}
Authorize WebSocket Api routes via a lambda function.
Example:
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
// This function handles your auth logic
var authHandler Function
// This function handles your WebSocket requests
var handler Function
authorizer := awscdk.NewWebSocketLambdaAuthorizer(jsii.String("Authorizer"), authHandler)
integration := awscdk.NewWebSocketLambdaIntegration(jsii.String("Integration"), handler)
apigwv2.NewWebSocketApi(this, jsii.String("WebSocketApi"), &WebSocketApiProps{
ConnectRouteOptions: &WebSocketRouteOptions{
Integration: *Integration,
Authorizer: *Authorizer,
},
})
func NewWebSocketLambdaAuthorizer ¶
func NewWebSocketLambdaAuthorizer(id *string, handler awslambda.IFunction, props *WebSocketLambdaAuthorizerProps) WebSocketLambdaAuthorizer
type WebSocketLambdaAuthorizerProps ¶
type WebSocketLambdaAuthorizerProps struct {
// The name of the authorizer.
// Default: - same value as `id` passed in the constructor.
//
AuthorizerName *string `field:"optional" json:"authorizerName" yaml:"authorizerName"`
// The identity source for which authorization is requested.
//
// Request parameter match `'route.request.querystring|header.[a-zA-z0-9._-]+'`.
// Staged variable match `'stageVariables.[a-zA-Z0-9._-]+'`.
// Context parameter match `'context.[a-zA-Z0-9._-]+'`.
// Default: ['route.request.header.Authorization']
//
IdentitySource *[]*string `field:"optional" json:"identitySource" yaml:"identitySource"`
}
Properties to initialize WebSocketTokenAuthorizer.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"
webSocketLambdaAuthorizerProps := &WebSocketLambdaAuthorizerProps{
AuthorizerName: jsii.String("authorizerName"),
IdentitySource: []*string{
jsii.String("identitySource"),
},
}
Source Files
¶
- HttpIamAuthorizer.go
- HttpIamAuthorizer__checks.go
- HttpJwtAuthorizer.go
- HttpJwtAuthorizerProps.go
- HttpJwtAuthorizer__checks.go
- HttpLambdaAuthorizer.go
- HttpLambdaAuthorizerProps.go
- HttpLambdaAuthorizer__checks.go
- HttpLambdaResponseType.go
- HttpUserPoolAuthorizer.go
- HttpUserPoolAuthorizerProps.go
- HttpUserPoolAuthorizer__checks.go
- WebSocketIamAuthorizer.go
- WebSocketIamAuthorizer__checks.go
- WebSocketLambdaAuthorizer.go
- WebSocketLambdaAuthorizerProps.go
- WebSocketLambdaAuthorizer__checks.go
- main.go
Directories
Click to show internal directories.
Click to hide internal directories.