This is a simple Lambda authorizer for Amazon API Gateway, designed to protect an HTTP API, placed behind a CloudFront distribution, from direct access. The authorizer checks a secret value from an environment variable against a value received in an HTTP header from the client (CloudFront). If the values match, access is granted.
This authorizer is lightweight and requires minimal resources, making it highly cost-effective for simple use cases. It doesn't use AWS Secrets Manager, make external network calls, or support key rotation, keeping the implementation straightforward.
To experience how the authorizer works, try accessing the following endpoints:
- Protected API via CloudFront (Authorized Access)
- Direct API Access (Unauthorized)
To install the package, run:
pip install amazon-api-gateway-simple-authorizerThe Lambda function authorizer can be used to protect API Gateway endpoints by verifying a custom header passed by CloudFront. It compares the header value with a secret API key stored as an environment variable.
API_KEY: The secret API key expected from the client (CloudFront).API_KEY_HEADER_NAME: (Optional) The name of the header that contains the API key. If not set, the default header name"x-origin-verify"will be used.
The Lambda function handler is located at:
simple_authorizer.authorizer.handler
Here's a sample event that can be passed to the Lambda authorizer:
{
"headers": {
"x-origin-verify": "your-secret-api-key"
}
}If the secret in the x-origin-verify header matches the value stored in the API_KEY environment variable, the request is authorized.
To deploy the Lambda authorizer, follow these steps:
-
Set up Lambda environment variables:
API_KEY: Your secret key, e.g.,"your-secret-api-key".API_KEY_HEADER_NAME: (Optional) If you want to use a custom header name, e.g.,"x-api-key". If not set, the default is"x-origin-verify".
-
Deploy your Lambda function using the AWS Management Console or AWS CLI and ensure the handler is set to
simple_authorizer.authorizer.handler. -
Configure API Gateway:
- In your API Gateway, set up a custom authorizer and select the Lambda function as the authorizer.
- Use the matching header (default:
"x-origin-verify", or your custom value set byAPI_KEY_HEADER_NAME) in your CloudFront configuration to pass the API key.
- Memory: Allocate 128MB of memory to the Lambda function for optimal cost efficiency.
- Timeout: Set the timeout to 3 seconds, as the function is lightweight and doesn't require more time even with the cold start.
- Caching: Cache the authorization result for the maximum allowed time (1 hour) for both performance and cost savings.
- This solution does not support key rotation.
- It does not integrate with AWS Secrets Manager or any external key storage service.
- It requires manual updates for key changes.
This project is licensed under the MIT License. See the LICENSE file for details.
This software product is not affiliated with, endorsed by, or sponsored by Amazon Web Services (AWS) or Amazon.com, Inc. The use of the term "AWS" is solely for descriptive purposes to indicate that the software is compatible with AWS services. Amazon Web Services and AWS are trademarks of Amazon.com, Inc. or its affiliates.