HTTP API Authorizer

[nabware]

Are there any examples of how to implement an authorizer function with simple response format 2.0?

I keep receiving "Internal Server Error". I've given API gateway permission and I've tried responding with Response<Body> and Value. My API Gateway is behind a CloudFront distribution.

use lambda_http::{run, service_fn, Body, Error, Request, Response};
use serde_json::Value;

/// This is the main body for the function.
/// Write your code inside it.
/// There are some code example in the following URLs:
/// - https://github.com/awslabs/aws-lambda-rust-runtime/tree/main/examples
async fn function_handler(event: Request) -> Result<Response<Body>, Error> {
/// async fn function_handler(event: Request) -> Result<Value, Error> {

    let simple_response = serde_json::json!({
        "isAuthorized": true,
    }).to_string();

    // Ok(simple_response)

    // Return something that implements IntoResponse.
    // It will be serialized to the right response event automatically by the runtime
    let resp = Response::builder()
        .status(200)
        .header("content-type", "application/json")
        .body(simple_response.into())
        .map_err(Box::new)?;
    Ok(resp)
}

#[tokio::main]
async fn main() -> Result<(), Error> {
    tracing_subscriber::fmt()
        .with_max_level(tracing::Level::INFO)
        // disable printing the name of the module in every log line.
        .with_target(false)
        // disabling time is handy because CloudWatch will add the ingestion time.
        .without_time()
        .init();

    run(service_fn(function_handler)).await
}

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:*:function:*",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:us-east-1:*:*/*/*"
        }
      }
    }
  ]
}

[calavera]

I think the problem is that you're trying to use the lambda_http wrapper to implement the authorizer. Your lambda will receive an Authorizer event, which is not an HTTP event.

You'll need something like the basic lambda example, but receiving structures deserialized from the authorizer payload:

https://github.com/awslabs/aws-lambda-rust-runtime/tree/main/examples/basic-lambda

You might find the right structure in the lambda_events repo, but I'd keep it simple to start and just use serde_json::Value. I have not tested the code below, but I'd do something like that:

use lambda_runtime::{run, service_fn, Error, LambdaEvent};
use serde_json::Value;

async fn function_handler(event: LambaEvent<Value>) -> Result<Value, Error> {
    let simple_response = serde_json::json!({
        "isAuthorized": true,
    });

  Ok(simple_response)
}

#[tokio::main]
async fn main() -> Result<(), Error> {
    tracing_subscriber::fmt()
        .with_max_level(tracing::Level::INFO)
        // disable printing the name of the module in every log line.
        .with_target(false)
        // disabling time is handy because CloudWatch will add the ingestion time.
        .without_time()
        .init();

    run(service_fn(function_handler)).await
}

[nabware]

Unfortunately this didn't solve it for me. I'm able to get a NodeJS authorizer to work with my current setup so I don't think its a configuration issue. The authorizer function isn't logging in CloudWatch so the issue is happening before the handler can execute.

I tried using ApiGatewayCustomAuthorizerRequest and ApiGatewayV2CustomAuthorizerSimpleResponse. I wanted to try ApiGatewayV2CustomAuthorizerV2Request but it doesn't seem to exist in aws_lambda_events = "0.6.3".

I also tried simplifying the main function:

#[tokio::main]
async fn main() -> Result<(), Error> {
    let func = service_fn(function_handler);
    lambda_runtime::run(func).await?;
    Ok(())
}

[nabware]

Solved my issue. In the API Gateway console you cannot have a value in the IAM role arn for the authorizer if you have the console auto generate invoke permissions. Even though the auto generate button hides the input box, any previously set arn value seems to override. I should really just create a role in my SAM template so I don't have to touch the console.

Thanks @calavera for your input here and your contributions to this library.

[calavera]

Great news @nabware ! Btw, I just released a new version of aws-lambda-events that includes the event that you were looking for:

https://docs.rs/aws_lambda_events/latest/aws_lambda_events/apigw/struct.ApiGatewayV2CustomAuthorizerV2Request.html

[nabware]

Thanks for the quick release. I tried using ApiGatewayV2CustomAuthorizerV2Request but kept receiving ERROR Error('missing field "cookies", line: 1, column: 1343). Will continue with raw LambdaEvent<Value> and lambda_runtime. Also need to do the same for all my functions behind an authorizer because I need access to requestContext for passing values from authorizer.

[nabware]

...Also need to do the same for all my functions behind an authorizer because I need access to requestContext for passing values from authorizer.

Figured out how to access requestContext using RequestExt. I thought RequestExt replaced Request but it just extends it as the name suggests. I'll try fumbling with lambda_http in the authorizer with my new understanding.

use lambda_http::{run, service_fn, Body, Error, Response, Request, RequestExt, request::RequestContext::ApiGatewayV2};

async fn function_handler(event: Request) -> Result<Response<Body>, Error> {

let value = match event.request_context() {
    ApiGatewayV2(request_context) => request_context.authorizer.unwrap().lambda.get("key").unwrap().as_str().unwrap().to_owned(),
};
...