Amazon Web Services：直接调用 API 端点时不会触发 AWS API Gateway 的自定义基于请求（REQUEST）的 Lambda 授权程序
我已经按照 AWS 文档为自己的 AWS API Gateway 创建了一个简单的基于请求（REQUEST）的 Lambda 授权程序。在控制台中测试该授权程序（使用虚拟设置检查 Authorization 头的值是否为“test”）时，它工作正常；但直接从端点调用 API 时，授权程序根本没有被调用，我仍然得到了 API 的正常响应（由于没有传递任何头，这个请求本应被拒绝）。
- 使用无效密钥测试授权程序：返回预期的拒绝结果
- 使用有效密钥测试授权程序：返回预期的 200
- 直接从 Web 调用 API 端点：成功（未经过授权检查）
标签：amazon-web-services, aws-lambda, aws-api-gateway, lambda-authorizer
我为该 API Gateway 配置的资源策略只允许特定 IP 范围访问（注意：资源策略只是按来源 IP 做的网络层过滤，并不能替代方法级别的授权）：
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-east-1:111111111111:6mm9kw17uf/*/*/*"
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-east-1:111111111111:6mm9kw17uf/*/*/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "XXXXXXX"
}
}
}
]
}
授权程序的 Lambda 代码：
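// Placeholder shared secret used by this sample. In a real deployment the
// value must come from configuration (environment variable / Secrets Manager),
// never from source code, and the header should carry a signed token rather
// than a static string.
var EXPECTED_TOKEN = "test";

// Request-based Lambda authorizer for an API Gateway REST API.
//
// API Gateway invokes this function with the incoming request (event.headers,
// event.methodArn, ...) and expects an IAM policy document back. Calling the
// callback with the string error "Unauthorized" makes the gateway answer 401
// without invoking the backend integration.
//
// Operational caveat (the problem discussed on this page): the function only
// runs for methods it is explicitly attached to under
// "Method Request -> Authorization", and only after the stage has been
// redeployed. A method left at authorization type NONE is served without any
// check from this function.
//
//   event    - REQUEST authorizer event (reads event.headers, event.methodArn)
//   context  - Lambda context (unused)
//   callback - callback(null, policy) to allow, callback("Unauthorized") to reject
exports.handler = function(event, context, callback) {
  // Log the event for debugging, but never the credential itself: the original
  // sample dumped event.headers.Authorization into CloudWatch, where anyone
  // with log read access could copy and replay it.
  console.log('Received event:', JSON.stringify(redactAuthorization(event), null, 2));

  // HTTP header names are case-insensitive (HTTP/2 clients send them in lower
  // case), so look the header up case-insensitively instead of relying on
  // `headers.Authorization`, which silently rejects `authorization: test`.
  var token = getHeader(event && event.headers, 'Authorization');

  if (tokenMatches(token, EXPECTED_TOKEN)) {
    // Allow only the exact method that was requested (least privilege).
    // NOTE(review): with authorizer result caching enabled, a policy scoped
    // this narrowly is cached per token and will yield 403 on other methods
    // — confirm the authorizer's cache TTL / identity source settings.
    callback(null, generateAllow('me', event.methodArn));
  } else {
    // Exactly "Unauthorized" is the error value API Gateway maps to HTTP 401.
    callback("Unauthorized");
  }
};

// Case-insensitive header lookup. Returns undefined when `headers` is missing
// or no header name matches `name` ignoring case.
function getHeader(headers, name) {
  if (!headers) {
    return undefined;
  }
  var wanted = name.toLowerCase();
  var names = Object.keys(headers);
  for (var i = 0; i < names.length; i++) {
    if (names[i].toLowerCase() === wanted) {
      return headers[names[i]];
    }
  }
  return undefined;
}

// Constant-time comparison of the presented token with the expected one so
// that response timing does not reveal how long a matching prefix was.
// crypto.timingSafeEqual requires equal-length buffers; a length mismatch is
// simply treated as a mismatch.
function tokenMatches(candidate, expected) {
  if (typeof candidate !== 'string') {
    return false;
  }
  var crypto = require('crypto');
  var a = Buffer.from(candidate);
  var b = Buffer.from(expected);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Shallow copy of the authorizer event with every Authorization header value
// masked, for safe logging. Both `headers` and `multiValueHeaders` are
// masked when present (REQUEST authorizer events may carry either).
function redactAuthorization(event) {
  if (!event || typeof event !== 'object') {
    return event;
  }
  var copy = {};
  Object.keys(event).forEach(function(key) {
    copy[key] = event[key];
  });
  ['headers', 'multiValueHeaders'].forEach(function(field) {
    var original = event[field];
    if (!original || typeof original !== 'object') {
      return;
    }
    var masked = {};
    Object.keys(original).forEach(function(name) {
      masked[name] = name.toLowerCase() === 'authorization' ? '[REDACTED]' : original[name];
    });
    copy[field] = masked;
  });
  return copy;
}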
// Helper: build the response API Gateway expects from an authorizer — a
// principal id plus an IAM policy document that applies `effect`
// ('Allow' / 'Deny') to execute-api:Invoke on `resource`.
// When `effect` or `resource` is empty, only the principal id is returned
// (no policyDocument), matching the AWS sample this is based on.
var generatePolicy = function(principalId, effect, resource) {
  var response = { principalId: principalId };
  if (!effect || !resource) {
    return response;
  }
  response.policyDocument = {
    Version: '2012-10-17',
    Statement: [
      {
        Action: 'execute-api:Invoke',
        Effect: effect,
        Resource: resource
      }
    ]
  };
  return response;
};
// Convenience wrapper: an 'Allow' policy on `resource` for `principalId`.
var generateAllow = function(principalId, resource) {
  var effect = 'Allow';
  return generatePolicy(principalId, effect, resource);
};
// Convenience wrapper: a 'Deny' policy on `resource` for `principalId`.
var generateDeny = function(principalId, resource) {
  var effect = 'Deny';
  return generatePolicy(principalId, effect, resource);
};
我已经尝试过的：
（回答）我尝试用自己的 API Gateway 复现该问题，但没有发现 Lambda 函数本身有任何问题，它按预期工作。已授权调用（携带正确令牌）的示例：
curl -i -w "\n" --http1.1 -H 'Authorization: test' https://xxxxx.execute-api.us-east-1.amazonaws.com/dev/helloworld
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2020 11:22:30 GMT
Content-Type: application/json
Content-Length: 67
Connection: keep-alive
x-amzn-RequestId: 4213f276-737c-4481-bbac-3c4ecd767b6f
x-amz-apigw-id: ScPyeFInoAMFYKg=
X-Amzn-Trace-Id: Root=1-5f54c676-9e0c8bbe6093d8889f6b2035;Sampled=0
{
"statusCode": 200,
"message": "Hello from API Gateway!"
}
curl -i -w "\n" --http1.1 -H 'Authorization: invalid' https://xxxx.execute-api.us-east-1.amazonaws.com/dev/helloworld
HTTP/1.1 401 Unauthorized
Date: Sun, 06 Sep 2020 11:25:36 GMT
Content-Type: application/json
Content-Length: 26
Connection: keep-alive
x-amzn-RequestId: 42a1d47c-aab5-4b72-b8eb-469fed383b26
x-amzn-ErrorType: UnauthorizedException
x-amz-apigw-id: ScQPpFUwoAMFRdA=
{"message":"Unauthorized"}
未授权调用（携带无效令牌）的示例：
curl -i -w "\n" --http1.1 -H 'Authorization: invalid' https://xxxx.execute-api.us-east-1.amazonaws.com/dev/helloworld
HTTP/1.1 401 Unauthorized
Date: Sun, 06 Sep 2020 11:25:36 GMT
Content-Type: application/json
Content-Length: 26
Connection: keep-alive
x-amzn-RequestId: 42a1d47c-aab5-4b72-b8eb-469fed383b26
x-amzn-ErrorType: UnauthorizedException
x-amz-apigw-id: ScQPpFUwoAMFRdA=
{"message":"Unauthorized"}
未提供 Authorization 头的示例：
curl -i -w "\n" --http1.1 https://xxxx.execute-api.us-east-1.amazonaws.com/dev/helloworld
HTTP/1.1 401 Unauthorized
Date: Sun, 06 Sep 2020 11:26:15 GMT
Content-Type: application/json
Content-Length: 26
Connection: keep-alive
x-amzn-RequestId: 982944f2-ac1d-4eee-8776-7bfa76314d2b
x-amzn-ErrorType: UnauthorizedException
x-amz-apigw-id: ScQVwGmpoAMFfSA=
{"message":"Unauthorized"}
需要考虑的事项：
嗨 Marcin，这很奇怪：我已经重新部署了 stage（阶段）并等待了很长时间，但它仍然不起作用。是否还需要在 API Gateway 中添加别的配置？因为出于某种原因，授权程序没有被触发。我需要更新资源策略吗？——@KumarVivek，你是否已将该 Lambda 函数指定为
helloworld
资源的 GET 方法的授权程序？仅仅创建授权程序是不够的，必须把它附加到你希望保护的每一个方法和资源上；任何授权类型仍为 NONE 的方法都会在不经过授权程序的情况下被放行，而资源策略只按来源 IP 过滤，来自允许范围内的请求不会被它拦下。可以在控制台的“Method Request → Authorization”中逐一检查，或用 `aws apigateway get-method` 查看每个方法的 authorizationType / authorizerId。——@KumarVivek 另外，每次修改 API 之后，别忘了重新部署 stage。——我想我忘了这一步，让我试试。