Shared Lambda authorizer setup in Serverless Framework












1















I am trying to create a custom Lambda authorizer that will be shared between a few different services/serverless stacks. If I understand the documentation here https://serverless.com/framework/docs/providers/aws/events/apigateway/#note-while-using-authorizers-with-shared-api-gateway, that means that I need to create a shared authorizer resource in a “common resources” service/serverless stack, and then refer to that shared authorizer from my other services. First of all: Is my understanding correct?



If my understanding is correct, my next question becomes: How do I do this? The documentation doesn’t provide a clear example for lambda authorizers, so here’s how I tried to customize it:



functions:
authorizerFunc:
handler: authorizer/authorizer.handler
runtime: nodejs8.10

resources:
Resources:
authorizer:
Type: AWS::ApiGateway::Authorizer
Properties:
AuthorizerResultTtlInSeconds: 0
Name: Authorizer
Type: REQUEST
AuthorizerUri: ???
RestApiId:
Fn::ImportValue: myRestApiId


I don’t understand what the syntax for AuthorizerUri is supposed to be. I’ve tried “Ref: authorizerFunc”, “Fn::GetAtt: [authorizerFunc, Arn]” etc. to no avail.



When I get the authorizerUri working, do I just add an Output for my authorizer resource, then Fn::ImportValue it from the services containing my API Lambdas?



Link to my question on the Serverless forum for posterity: https://forum.serverless.com/t/shared-lambda-authorizer/6447










share|improve this question



























    1















    I am trying to create a custom Lambda authorizer that will be shared between a few different services/serverless stacks. If I understand the documentation here https://serverless.com/framework/docs/providers/aws/events/apigateway/#note-while-using-authorizers-with-shared-api-gateway, that means that I need to create a shared authorizer resource in a “common resources” service/serverless stack, and then refer to that shared authorizer from my other services. First of all: Is my understanding correct?



    If my understanding is correct, my next question becomes: How do I do this? The documentation doesn’t provide a clear example for lambda authorizers, so here’s how I tried to customize it:



    functions:
    authorizerFunc:
    handler: authorizer/authorizer.handler
    runtime: nodejs8.10

    resources:
    Resources:
    authorizer:
    Type: AWS::ApiGateway::Authorizer
    Properties:
    AuthorizerResultTtlInSeconds: 0
    Name: Authorizer
    Type: REQUEST
    AuthorizerUri: ???
    RestApiId:
    Fn::ImportValue: myRestApiId


    I don’t understand what the syntax for AuthorizerUri is supposed to be. I’ve tried “Ref: authorizerFunc”, “Fn::GetAtt: [authorizerFunc, Arn]” etc. to no avail.



    When I get the authorizerUri working, do I just add an Output for my authorizer resource, then Fn::ImportValue it from the services containing my API Lambdas?



    Link to my question on the Serverless forum for posterity: https://forum.serverless.com/t/shared-lambda-authorizer/6447










    share|improve this question

























      1












      1








      1








      I am trying to create a custom Lambda authorizer that will be shared between a few different services/serverless stacks. If I understand the documentation here https://serverless.com/framework/docs/providers/aws/events/apigateway/#note-while-using-authorizers-with-shared-api-gateway, that means that I need to create a shared authorizer resource in a “common resources” service/serverless stack, and then refer to that shared authorizer from my other services. First of all: Is my understanding correct?



      If my understanding is correct, my next question becomes: How do I do this? The documentation doesn’t provide a clear example for lambda authorizers, so here’s how I tried to customize it:



      functions:
      authorizerFunc:
      handler: authorizer/authorizer.handler
      runtime: nodejs8.10

      resources:
      Resources:
      authorizer:
      Type: AWS::ApiGateway::Authorizer
      Properties:
      AuthorizerResultTtlInSeconds: 0
      Name: Authorizer
      Type: REQUEST
      AuthorizerUri: ???
      RestApiId:
      Fn::ImportValue: myRestApiId


      I don’t understand what the syntax for AuthorizerUri is supposed to be. I’ve tried “Ref: authorizerFunc”, “Fn::GetAtt: [authorizerFunc, Arn]” etc. to no avail.



      When I get the authorizerUri working, do I just add an Output for my authorizer resource, then Fn::ImportValue it from the services containing my API Lambdas?



      Link to my question on the Serverless forum for posterity: https://forum.serverless.com/t/shared-lambda-authorizer/6447










      share|improve this question














      I am trying to create a custom Lambda authorizer that will be shared between a few different services/serverless stacks. If I understand the documentation here https://serverless.com/framework/docs/providers/aws/events/apigateway/#note-while-using-authorizers-with-shared-api-gateway, that means that I need to create a shared authorizer resource in a “common resources” service/serverless stack, and then refer to that shared authorizer from my other services. First of all: Is my understanding correct?



      If my understanding is correct, my next question becomes: How do I do this? The documentation doesn’t provide a clear example for lambda authorizers, so here’s how I tried to customize it:



      functions:
      authorizerFunc:
      handler: authorizer/authorizer.handler
      runtime: nodejs8.10

      resources:
      Resources:
      authorizer:
      Type: AWS::ApiGateway::Authorizer
      Properties:
      AuthorizerResultTtlInSeconds: 0
      Name: Authorizer
      Type: REQUEST
      AuthorizerUri: ???
      RestApiId:
      Fn::ImportValue: myRestApiId


      I don’t understand what the syntax for AuthorizerUri is supposed to be. I’ve tried “Ref: authorizerFunc”, “Fn::GetAtt: [authorizerFunc, Arn]” etc. to no avail.



      When I get the authorizerUri working, do I just add an Output for my authorizer resource, then Fn::ImportValue it from the services containing my API Lambdas?



      Link to my question on the Serverless forum for posterity: https://forum.serverless.com/t/shared-lambda-authorizer/6447







      amazon-web-services serverless-framework






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 14 '18 at 14:15









      DanDan

      185




      185
























          1 Answer
          1






          active

          oldest

          votes


















          0














          I had the same issue that you describe. Or at least I think so. And I managed to get it solved by following the documentation on links you provided.



          The serverless documentation states for the authorizer format to be



          authorizer:
          # Provide both type and authorizerId
          type: COGNITO_USER_POOLS # TOKEN or COGNITO_USER_POOLS, same as AWS Cloudformation documentation
          authorizerId:
          Ref: ApiGatewayAuthorizer # or hard-code Authorizer ID


          Per my understanding, my solution (provide below) follows the hard-coded authorizer ID approach.



          In the service that has the shared authorizer, it is declared in the serverless.yml in normal fashion, i.e.



          functions:
          myCustomAuthorizer:
          handler: path/to/authorizer.handler
          name: my-shared-custom-authorizer


          Then in the service that wishes to use this shared authorizer, the function in servlerless.yml is declared as



          functions:
          foo:
          # some properties ...
          events:
          - http:
          # ... other properties ...
          authorizer:
          name: authorize
          arn:
          Fn::Join:
          - ""
          - - "arn:aws:lambda"
          # References to values such as region, account id, stage, etc
          # Can be done with Pseudo Parameter Reference
          - ":"
          - "function:myCustomAuthorizer"


          It was crucial to add the name property. It would not work without it, at least at the moment.



          For details see




          • ARN naming conventions

          • Pseudo Parameter Reference

          • Fn::Join


          Unfortunately I cannot say whether this approach has some limitations compared to your suggestion of defining authorizer as a resource. In fact, that might make it easier to re-use the same authorizer in multiple functions within same service.






          share|improve this answer























            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53302266%2fshared-lambda-authorizer-setup-in-serverless-framework%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            I had the same issue that you describe. Or at least I think so. And I managed to get it solved by following the documentation on links you provided.



            The serverless documentation states for the authorizer format to be



            authorizer:
            # Provide both type and authorizerId
            type: COGNITO_USER_POOLS # TOKEN or COGNITO_USER_POOLS, same as AWS Cloudformation documentation
            authorizerId:
            Ref: ApiGatewayAuthorizer # or hard-code Authorizer ID


            Per my understanding, my solution (provide below) follows the hard-coded authorizer ID approach.



            In the service that has the shared authorizer, it is declared in the serverless.yml in normal fashion, i.e.



            functions:
            myCustomAuthorizer:
            handler: path/to/authorizer.handler
            name: my-shared-custom-authorizer


            Then in the service that wishes to use this shared authorizer, the function in servlerless.yml is declared as



            functions:
            foo:
            # some properties ...
            events:
            - http:
            # ... other properties ...
            authorizer:
            name: authorize
            arn:
            Fn::Join:
            - ""
            - - "arn:aws:lambda"
            # References to values such as region, account id, stage, etc
            # Can be done with Pseudo Parameter Reference
            - ":"
            - "function:myCustomAuthorizer"


            It was crucial to add the name property. It would not work without it, at least at the moment.



            For details see




            • ARN naming conventions

            • Pseudo Parameter Reference

            • Fn::Join


            Unfortunately I cannot say whether this approach has some limitations compared to your suggestion of defining authorizer as a resource. In fact, that might make it easier to re-use the same authorizer in multiple functions within same service.






            share|improve this answer




























              0














              I had the same issue that you describe. Or at least I think so. And I managed to get it solved by following the documentation on links you provided.



              The serverless documentation states for the authorizer format to be



              authorizer:
              # Provide both type and authorizerId
              type: COGNITO_USER_POOLS # TOKEN or COGNITO_USER_POOLS, same as AWS Cloudformation documentation
              authorizerId:
              Ref: ApiGatewayAuthorizer # or hard-code Authorizer ID


              Per my understanding, my solution (provide below) follows the hard-coded authorizer ID approach.



              In the service that has the shared authorizer, it is declared in the serverless.yml in normal fashion, i.e.



              functions:
              myCustomAuthorizer:
              handler: path/to/authorizer.handler
              name: my-shared-custom-authorizer


              Then in the service that wishes to use this shared authorizer, the function in servlerless.yml is declared as



              functions:
              foo:
              # some properties ...
              events:
              - http:
              # ... other properties ...
              authorizer:
              name: authorize
              arn:
              Fn::Join:
              - ""
              - - "arn:aws:lambda"
              # References to values such as region, account id, stage, etc
              # Can be done with Pseudo Parameter Reference
              - ":"
              - "function:myCustomAuthorizer"


              It was crucial to add the name property. It would not work without it, at least at the moment.



              For details see




              • ARN naming conventions

              • Pseudo Parameter Reference

              • Fn::Join


              Unfortunately I cannot say whether this approach has some limitations compared to your suggestion of defining authorizer as a resource. In fact, that might make it easier to re-use the same authorizer in multiple functions within same service.






              share|improve this answer


























                0












                0








                0







                I had the same issue that you describe. Or at least I think so. And I managed to get it solved by following the documentation on links you provided.



                The serverless documentation states for the authorizer format to be



                authorizer:
                # Provide both type and authorizerId
                type: COGNITO_USER_POOLS # TOKEN or COGNITO_USER_POOLS, same as AWS Cloudformation documentation
                authorizerId:
                Ref: ApiGatewayAuthorizer # or hard-code Authorizer ID


                Per my understanding, my solution (provide below) follows the hard-coded authorizer ID approach.



                In the service that has the shared authorizer, it is declared in the serverless.yml in normal fashion, i.e.



                functions:
                myCustomAuthorizer:
                handler: path/to/authorizer.handler
                name: my-shared-custom-authorizer


                Then in the service that wishes to use this shared authorizer, the function in servlerless.yml is declared as



                functions:
                foo:
                # some properties ...
                events:
                - http:
                # ... other properties ...
                authorizer:
                name: authorize
                arn:
                Fn::Join:
                - ""
                - - "arn:aws:lambda"
                # References to values such as region, account id, stage, etc
                # Can be done with Pseudo Parameter Reference
                - ":"
                - "function:myCustomAuthorizer"


                It was crucial to add the name property. It would not work without it, at least at the moment.



                For details see




                • ARN naming conventions

                • Pseudo Parameter Reference

                • Fn::Join


                Unfortunately I cannot say whether this approach has some limitations compared to your suggestion of defining authorizer as a resource. In fact, that might make it easier to re-use the same authorizer in multiple functions within same service.






                share|improve this answer













                I had the same issue that you describe. Or at least I think so. And I managed to get it solved by following the documentation on links you provided.



                The serverless documentation states for the authorizer format to be



                authorizer:
                # Provide both type and authorizerId
                type: COGNITO_USER_POOLS # TOKEN or COGNITO_USER_POOLS, same as AWS Cloudformation documentation
                authorizerId:
                Ref: ApiGatewayAuthorizer # or hard-code Authorizer ID


                Per my understanding, my solution (provide below) follows the hard-coded authorizer ID approach.



                In the service that has the shared authorizer, it is declared in the serverless.yml in normal fashion, i.e.



                functions:
                myCustomAuthorizer:
                handler: path/to/authorizer.handler
                name: my-shared-custom-authorizer


                Then in the service that wishes to use this shared authorizer, the function in servlerless.yml is declared as



                functions:
                foo:
                # some properties ...
                events:
                - http:
                # ... other properties ...
                authorizer:
                name: authorize
                arn:
                Fn::Join:
                - ""
                - - "arn:aws:lambda"
                # References to values such as region, account id, stage, etc
                # Can be done with Pseudo Parameter Reference
                - ":"
                - "function:myCustomAuthorizer"


                It was crucial to add the name property. It would not work without it, at least at the moment.



                For details see




                • ARN naming conventions

                • Pseudo Parameter Reference

                • Fn::Join


                Unfortunately I cannot say whether this approach has some limitations compared to your suggestion of defining authorizer as a resource. In fact, that might make it easier to re-use the same authorizer in multiple functions within same service.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Jan 28 at 11:34









                kaskelottikaskelotti

                1,70983256




                1,70983256
































                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53302266%2fshared-lambda-authorizer-setup-in-serverless-framework%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Florida Star v. B. J. F.

                    Danny Elfman

                    Lugert, Oklahoma