
In AWS API Gateway I am developing a Lambda function for a custom authorizer using .NET Core. The API will receive an api-key in the query string and my custom authorizer will validate the key. Based on my understanding, after validation is done the Lambda function needs to return an IAM policy. The AWS Labs blueprint does not have any example for .NET Core. The only example I have found so far is GrandmasRecipes, which is using a JWT token.

I would like to know what IAM policy the Lambda function needs to return, and whether there are any corresponding .NET Core classes for the request and response?

Update 1

So below is my code for the custom Lambda authorizer. However, I would like to know:

1. What should be the PrincipalID? Currently I am just setting it to "user".

2. The CheckAuthorization method gets all the keys from AWS and only checks for existence by comparing the key from the request. It should also check the Usage Plans and make sure the key from the request is configured in a Usage Plan.

3. The role that this Authorizer is executing under is attached to the AmazonAPIGatewayAdministrator policy so that it can get API keys. What is the minimum policy I need for this role to validate an api-key?

4. Is there any built-in method in the AWS SDK to validate an api-key correctly?

using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon.APIGateway;
using Amazon.APIGateway.Model;
using Amazon.Lambda.APIGatewayEvents;
using Amazon.Lambda.Core;

[assembly: LambdaSerializer(typeof(Amazon.Lambda.Serialization.Json.JsonSerializer))]
namespace ApikeyAuthorizer
{
    public class Function
    {
        public async Task<APIGatewayCustomAuthorizerResponse> FunctionHandler(APIGatewayCustomAuthorizerRequest authEvent, ILambdaContext context)
        {
            // A missing "key" parameter would otherwise throw KeyNotFoundException and surface as a 500;
            // treat it as an unauthorized request instead.
            string key = null;
            authEvent.QueryStringParameters?.TryGetValue("key", out key);
            bool authorized = !string.IsNullOrEmpty(key) && await CheckAuthorization(key);

            var authPolicy = new APIGatewayCustomAuthorizerResponse();
            authPolicy.PrincipalID = "user";
            authPolicy.PolicyDocument = new APIGatewayCustomAuthorizerPolicy();
            authPolicy.PolicyDocument.Version = "2012-10-17";
            authPolicy.PolicyDocument.Statement = new List<APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>();
            if (authorized)
            {
                // Allow execute-api:Invoke on every GET method of the account's APIs in this region.
                var statement = new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement();
                statement.Action = new HashSet<string>(new string[] { "execute-api:Invoke" });
                statement.Effect = "Allow";
                statement.Resource = new HashSet<string>(new string[] { "arn:aws:execute-api:us-east-1:xxxxx:*/*/GET/*" });
                // Tells API Gateway which usage plan key to meter the request against.
                authPolicy.UsageIdentifierKey = key;
                authPolicy.PolicyDocument.Statement.Add(statement);
            }
            else
            {
                // Explicit Deny for the same resource; API Gateway returns 403 to the caller.
                var statement = new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement();
                statement.Action = new HashSet<string>(new string[] { "execute-api:Invoke" });
                statement.Effect = "Deny";
                statement.Resource = new HashSet<string>(new string[] { "arn:aws:execute-api:us-east-1:xxxxx:*/*/GET/*" });
                authPolicy.PolicyDocument.Statement.Add(statement);
            }

            return authPolicy;
        }

        public async Task<bool> CheckAuthorization(string key)
        {
            // Requires apigateway:GET on the account's API keys; IncludeValues returns the secret values.
            var client = new AmazonAPIGatewayClient();
            var response = await client.GetApiKeysAsync(new GetApiKeysRequest()
            {
                IncludeValues = true
            });

            // Only checks that the key exists, not whether it is enabled or attached to a usage plan.
            foreach (var apiKey in response.Items)
            {
                if (apiKey.Value == key)
                {
                    return true;
                }
            }
            return false;
        }
    }
}
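As an added example (not from the question or from any AWS sample), this is how the same authorizer can be written so that it answers the four points above: the PrincipalID is the API key's id (stable, non-secret, and useful in access logs); a key is accepted only when it is enabled and attached to a usage plan that covers the API stage actually being invoked, which is read from the event's MethodArn; and the Allow statement is scoped to that MethodArn rather than to every GET in the account. It uses only the Amazon.APIGateway SDK calls GetApiKeys and GetUsagePlans (the latter filtered by KeyId), so the function role should need no more than apigateway:GET on the apikeys and usageplans resources instead of AmazonAPIGatewayAdministrator; the class and namespace names are assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Amazon.APIGateway;
using Amazon.APIGateway.Model;
using Amazon.Lambda.APIGatewayEvents;
using Amazon.Lambda.Core;

[assembly: LambdaSerializer(typeof(Amazon.Lambda.Serialization.Json.JsonSerializer))]

namespace ApikeyAuthorizer
{
    public class Function
    {
        // One client per container; the SDK handles connection reuse.
        private static readonly AmazonAPIGatewayClient Client = new AmazonAPIGatewayClient();

        public async Task<APIGatewayCustomAuthorizerResponse> FunctionHandler(
            APIGatewayCustomAuthorizerRequest authEvent, ILambdaContext context)
        {
            var (apiId, stage) = ParseMethodArn(authEvent.MethodArn);

            string key = null;
            authEvent.QueryStringParameters?.TryGetValue("key", out key);

            ApiKey matched = string.IsNullOrEmpty(key) ? null : await FindEnabledKeyAsync(key);
            bool allowed = matched != null && await KeyCoversStageAsync(matched.Id, apiId, stage);

            // Principal = key id, never the key value (the response is cached and logged by API Gateway).
            return BuildResponse(matched?.Id ?? "anonymous", allowed, authEvent.MethodArn, allowed ? key : null);
        }

        // MethodArn format: arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{verb}/{path}
        public static (string apiId, string stage) ParseMethodArn(string methodArn)
        {
            var resource = methodArn.Split(':')[5];
            var parts = resource.Split('/');
            return (parts[0], parts[1]);
        }

        // GetApiKeys is paginated; walk every page and accept only an enabled key with this value.
        private static async Task<ApiKey> FindEnabledKeyAsync(string presented)
        {
            string position = null;
            do
            {
                var page = await Client.GetApiKeysAsync(new GetApiKeysRequest
                {
                    IncludeValues = true,
                    Position = position
                });
                var hit = page.Items.FirstOrDefault(k => k.Enabled && k.Value == presented);
                if (hit != null) return hit;
                position = page.Position;
            } while (!string.IsNullOrEmpty(position));
            return null;
        }

        // GetUsagePlans with KeyId returns only the plans this key is attached to;
        // the key is valid for this request only if one of them covers the invoked API stage.
        private static async Task<bool> KeyCoversStageAsync(string keyId, string apiId, string stage)
        {
            var plans = await Client.GetUsagePlansAsync(new GetUsagePlansRequest { KeyId = keyId });
            return plans.Items.Any(p => p.ApiStages.Any(s => s.ApiId == apiId && s.Stage == stage));
        }

        public static APIGatewayCustomAuthorizerResponse BuildResponse(
            string principalId, bool allow, string methodArn, string usageKey)
        {
            return new APIGatewayCustomAuthorizerResponse
            {
                PrincipalID = principalId,
                // Lets API Gateway apply the usage plan's throttle and quota to this caller.
                UsageIdentifierKey = usageKey,
                PolicyDocument = new APIGatewayCustomAuthorizerPolicy
                {
                    Version = "2012-10-17",
                    Statement = new List<APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>
                    {
                        new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
                        {
                            Effect = allow ? "Allow" : "Deny",
                            Action = new HashSet<string> { "execute-api:Invoke" },
                            // Scope to the method being invoked instead of */*/GET/*.
                            Resource = new HashSet<string> { methodArn }
                        }
                    }
                }
            };
        }
    }
}
```

Two operational caveats: API Gateway caches the authorizer result per identity source, so scoping the policy to MethodArn means a cached Allow for one method does not grant another; and listing every key with IncludeValues on each uncached call is slow and pulls all secrets into the function, which is the main reason the answers below prefer letting API Gateway validate x-api-key itself.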

2 Answers


You don't need to use a Lambda authorizer to validate API keys, and you shouldn't use it for that kind of authorization either. You can do the following to configure API key validation in API Gateway.

  1. In the Resources section of your API, set API Key Required to true for the method you want to enable it on.
  2. Go to the API Keys section, choose Create API key from the Actions dropdown and create a key.
  3. Go to the Usage Plans section and create a new usage plan.
  4. After creating the usage plan, click on it and then click the API Keys tab. There, click Add API Key to Usage Plan and add the key you created in step 2.
  5. Now click the Details tab and then Add API Stage. Select the API and stage you want to restrict with the API key.

The API methods you enabled it on now require an x-api-key HTTP header. When you request the API endpoint, make sure you add the x-api-key header with the same value as the key you created in step 2 above. If you don't add this header or send a wrong value, you will get a 403 Forbidden error.

answered 2019-01-07T21:39:41.940
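The five console steps above as an added example written against the Amazon.APIGateway .NET SDK (this is not code from the answer or from AWS): step 1 is a PATCH of the method's apiKeyRequired flag, step 2 creates the key, steps 3 and 5 create the usage plan already bound to the API stage, and step 4 attaches the key to the plan. All ids, names and limits are placeholders the caller supplies.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon.APIGateway;
using Amazon.APIGateway.Model;

public static class ApiKeySetup
{
    // restApiId / resourceId / httpMethod / stage identify the caller's own API; all are placeholders.
    public static async Task<(string keyId, string keyValue)> ConfigureAsync(
        IAmazonAPIGateway client, string restApiId, string resourceId, string httpMethod, string stage)
    {
        // Step 1: require an API key on the method (console: API Key Required = true).
        await client.UpdateMethodAsync(new UpdateMethodRequest
        {
            RestApiId = restApiId,
            ResourceId = resourceId,
            HttpMethod = httpMethod,
            PatchOperations = new List<PatchOperation>
            {
                new PatchOperation { Op = Op.Replace, Path = "/apiKeyRequired", Value = "true" }
            }
        });

        // Step 2: create the key. API Gateway generates the value; this response is the place to capture it.
        var key = await client.CreateApiKeyAsync(new CreateApiKeyRequest
        {
            Name = "partner-key",   // placeholder name
            Enabled = true
        });

        // Steps 3 and 5: a usage plan bound to the API stage, with a throttle and a monthly quota
        // so a leaked key is rate-limited rather than unlimited.
        var plan = await client.CreateUsagePlanAsync(new CreateUsagePlanRequest
        {
            Name = "partner-plan",  // placeholder name
            ApiStages = new List<ApiStage> { new ApiStage { ApiId = restApiId, Stage = stage } },
            Throttle = new ThrottleSettings { RateLimit = 10, BurstLimit = 20 },
            Quota = new QuotaSettings { Limit = 10000, Period = QuotaPeriodType.MONTH }
        });

        // Step 4: attach the key to the plan; only keys in a plan are accepted for the plan's stages.
        await client.CreateUsagePlanKeyAsync(new CreateUsagePlanKeyRequest
        {
            UsagePlanId = plan.Id,
            KeyId = key.Id,
            KeyType = "API_KEY"
        });

        return (key.Id, key.Value);
    }
}
```

The apiKeyRequired change in step 1 only takes effect on the stage after the API is deployed again (CreateDeployment), so a request without x-api-key keeps succeeding until then; the key value returned by CreateApiKey is the secret to hand to the client and should not be written to logs.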
curl -X PUT \
https://XXXX.XXXXX-api.ca-central-1.amazonaws.com/PROD/XXX-microservice \
 -H 'Content-Type: application/json' \
 -H 'x-api-key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
 -d '{
 "initData": "HI",
 "name": "vaquar khan",
 "likes": "Java"
}'

API Gateway takes care of the API key validation, so a Lambda authorizer is not needed.

Please don't create duplicate questions; just update the old one. I answered your question here: How to validate an API key in an AWS Lambda function

answered 2019-01-07T22:01:06.920