Reputation: 1417
I am considering implementing a service as a series of REST endpoints on AWS Lambda and possibly AWS API Gateway. The front end would be a JS browser client that calls these endpoints directly, eliminating the need for a middle tier.
In my research, what I can't seem to find is how do I secure access to the calls to people who are "logged in", so to speak? I see Lambda calls are stateless, so no session data. I don't need session data, other than to know they are authenticated and in some cases authorized to access a particular endpoint. There will be a database (DynamoDB or RDS), so if I need session data I could create it.
Is there a way to do this? I realize I could pass their username and password with each API call, but it seems there must be a better way.
Also, this would probably be implemented in Java. Could I use Spring Security?
Upvotes: 6
Views: 4183
Reputation: 3044
To secure your API Gateway endpoints, you can consider signing your requests with AWS Signature V4, using a Cognito authorization token, or a Lambda (custom) authorizer, which can be set up relatively easily. There are other options. Check out the AWS documentation.
You can set up any of these using a CloudFormation template or through the AWS console. On the front end, you can use the AWS Amplify library to sign the requests.
Check out this article on how to secure the access to your API Gateway.
Upvotes: 0
Reputation: 201118
I don't think you want to use Spring Security in a Lambda function. I can't imagine that working very well, and I doubt it would work at all. Even if it could run on Lambda it would definitely add more to your function's cold startup time than you are going to want to deal with.
The recommended way to provide user authentication checking to stateless services is through the use of JWT (JSON Web Tokens). Auth0 provides a good general article about JWT here, as well as a tutorial on using Auth0 with API Gateway and Lambda here. Even if you don't use Auth0 I think the second tutorial is useful for understanding how to perform user authentication on API Gateway and Lambda.
You can also use API Gateway Custom Authorization functions, which allow you to encapsulate all your authentication code in one Lambda function that acts like a "gatekeeper" to your API endpoints. I would recommend using a Custom Authorization Lambda function to validate the JSON web tokens submitted to your API.
Upvotes: 4