{
  "authorizationToken": "0c34ba00bde34200b383abe22bcfef96",
  "methodArn": "arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/",
  "type": "TOKEN"
}
{
  "principalId": "xxxxxxx", // the principal user identification associated with the token sent by the client
  "policyDocument": { // example policy shown below, but this value is any valid policy
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "execute-api:Invoke"
        ],
        "Resource": [
          "arn:aws:execute-api:us-east-1:xxxxxxxxxxxx:xxxxxxxx:/test/*/mydemoresource/*"
        ]
      }
    ]
  }
}
Execution log for request test-request
Thu Jun 29 11:48:10 UTC 2017 : Starting authorizer: 1o3dvk for request: test-request
Thu Jun 29 11:48:10 UTC 2017 : Incoming identity: **************************cfef96
Thu Jun 29 11:48:10 UTC 2017 : Endpoint request URI: https://lambda.ap-southeast-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:ap-southeast-1:855399270504:function:um_guestSessionAuthoriser/invocations
Thu Jun 29 11:48:10 UTC 2017 : Endpoint request headers: {x-amzn-lambda-integration-tag=test-request, Authorization=*********************************************************************************************************************************************************************************************************************************************************************************************************************************************751e60, X-Amz-Date=20170629T114810Z, x-amzn-apigateway-api-id=z6t3cv0z4m, X-Amz-Source-Arn=arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/authorizers/1o3dvk, Accept=application/json, User-Agent=AmazonAPIGateway_z6t3cv0z4m, X-Amz-Security-Token=FQoDYXdzEHQaDOcIbaPscYGsl1wF4iLBAxzOTpZlR2r3AO3g96xwhRuQjEhU9OjOaRieBWQPeosNqv53aGKnBTT2CmkrVzHo3UqOdT1eakuS7tAXAbEcUIHVheWpBnvxqTkaPcknRL7QE79RSqVeryoXo2R1Kmk0Q9Iq+JGFlOJYQQJqvY/hcUg189xqbpTGrhZjcA+pjuSp+M9D97Kce0VP0e3peu/YvON0eGvUlj59MAJAwGVPIzplMKTDFrFg5NKEj79RSxNrNE8y4bAebOwlD8xLv649Zny7++xlMBBwHqMNHu3K9lFXSnKY9DHf6kvezZmpoFB2uu8WbrpInH0eQ/bIAd [TRUNCATED]
Thu Jun 29 11:48:10 UTC 2017 : Endpoint request body after transformations: {"type":"TOKEN","methodArn":"arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/","authorizationToken":"0c34ba00bde34200b383abe22bcfef96"}
Thu Jun 29 11:48:10 UTC 2017 : Sending request to https://lambda.ap-southeast-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:ap-southeast-1:855399270504:function:um_guestSessionAuthoriser/invocations
Thu Jun 29 11:48:21 UTC 2017 : Authorizer result body before parsing: {"principalId":"user","policyDocument":{"version":"2012-10-17","statement":[{"resource":"arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/","action":"execute-api:Invoke","effect":"Allow"}]}}
Thu Jun 29 11:48:21 UTC 2017 : Execution failed due to configuration error: Could not parse policy: {"version":"2012-10-17","statement":[{"resource":"arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/","action":"execute-api:Invoke","effect":"Allow"}]}
Thu Jun 29 11:48:21 UTC 2017 : AuthorizerConfigurationException
{
  "principalId": "user",
  "policyDocument": {
    "version": "2012-10-17",
    "statement": [{
      "resource": "arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/",
      "action": "execute-api:Invoke",
      "effect": "Allow"
    }]
  }
}
{
  "principalId": "user",
  "policyDocument": {
    "version": "2012-10-17",
    "statement": [{
      "effect": "Deny",
      "action": ["execute-api:Invoke"],
      "resource": ["arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/"]
    }]
  }
}
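But it looks like something strange is happening between my Lambda response and API Gateway:
the variables are being lower-cased somewhere internally,
and I still get the same parse error.
Will it accept a response in some other format? A string doesn't work either.
What else should I try? Is my policy format wrong?
I got two different policy formats from these sites:
1. http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html
2. https://aws.amazon.com/blogs/compute/induction-custom-authorizers-in-amazon-api-gateway/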
Your policy properties need proper capitalization. Instead of:
{
  "principalId": "user",
  "policyDocument": {
    "version": "2012-10-17",
    "statement": [{
      "resource": "arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/",
      "action": "execute-api:Invoke",
      "effect": "Allow"
    }]
  }
}
It should be:
{
  "principalId": "user",
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [{
      "Resource": "arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/",
      "Action": "execute-api:Invoke",
      "Effect": "Allow"
    }]
  }
}
Might as well use "principalid" to keep things consistent.
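
A check for the casing problem discussed above, as an added example that is not part of the original question or answer: it inspects a serialized authorizer response and reports policy element names that differ only by case from the documentation sample quoted in the question (Version, Statement, Effect, Action, Resource). The function names and the FIXED sample are constructed for illustration; FAILING is the authorizer result body from the execution log.

```python
import json

# Element names as capitalized in the documentation sample quoted in the question.
POLICY_KEYS = ("Version", "Statement")
STATEMENT_KEYS = ("Effect", "Action", "Resource")


def _check_keys(obj, expected, path, problems):
    """Flag expected keys that are missing or differ from the expected name only by case."""
    if not isinstance(obj, dict):
        problems.append(f"{path}: expected an object")
        return
    by_lower = {k.lower(): k for k in obj}
    for want in expected:
        if want in obj:
            continue
        found = by_lower.get(want.lower())
        problems.append(f"{path}: key '{found}' should be '{want}'" if found
                        else f"{path}: missing key '{want}'")


def check_policy(raw_response):
    """Return a list of problems with the policy in a serialized authorizer response."""
    try:
        doc = json.loads(raw_response)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["$: expected an object"]
    # Find the policy regardless of case; only its inner element names are checked here.
    policy = next((v for k, v in doc.items() if k.lower() == "policydocument"), None)
    if policy is None:
        return ["$: no policy document in response"]
    problems = []
    _check_keys(policy, POLICY_KEYS, "policy", problems)
    statements = policy.get("Statement", []) if isinstance(policy, dict) else []
    if not isinstance(statements, list):
        statements = [statements]
    for i, stmt in enumerate(statements):
        _check_keys(stmt, STATEMENT_KEYS, f"policy.Statement[{i}]", problems)
        if isinstance(stmt, dict) and stmt.get("Effect") not in (None, "Allow", "Deny"):
            problems.append(f"policy.Statement[{i}]: Effect must be 'Allow' or 'Deny'")
    return problems


# Authorizer result body copied from the execution log above (the one that failed to parse).
FAILING = '{"principalId":"user","policyDocument":{"version":"2012-10-17","statement":[{"resource":"arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/","action":"execute-api:Invoke","effect":"Allow"}]}}'
# Constructed: the same response with element names capitalized as in the documentation sample.
FIXED = '{"principalId":"user","policyDocument":{"Version":"2012-10-17","Statement":[{"Resource":"arn:aws:execute-api:ap-southeast-1:855399270504:z6t3cv0z4m/null/GET/","Action":"execute-api:Invoke","Effect":"Allow"}]}}'
```

Running check_policy on the string the authorizer actually serializes, for example in a unit test, surfaces lower-casing introduced by the serializer before the response reaches API Gateway.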