Simple Lambda authorizer for HTTP API behind CloudFront
MIT License
This is a simple Lambda authorizer for Amazon API Gateway, designed to protect an HTTP API, placed behind a CloudFront distribution, from direct access. The authorizer checks a secret value from an environment variable against a value received in an HTTP header from the client (CloudFront). If the values match, access is granted.
This authorizer is lightweight and requires minimal resources, making it highly cost-effective for simple use cases. It doesn't use AWS Secrets Manager, make external network calls, or support key rotation, keeping the implementation straightforward.
To experience how the authorizer works, try accessing the following endpoints:
To install the package, run:
pip install amazon-api-gateway-simple-authorizer
The Lambda function authorizer can be used to protect API Gateway endpoints by verifying a custom header passed by CloudFront. It compares the header value with a secret API key stored as an environment variable.
API_KEY
: The secret API key expected from the client (CloudFront).API_KEY_HEADER_NAME
: (Optional) The name of the header that contains the API key. If not set, the default header name "x-origin-verify"
will be used.The Lambda function handler is located at:
simple_authorizer.authorizer.handler
Here's a sample event that can be passed to the Lambda authorizer:
{
"headers": {
"x-origin-verify": "your-secret-api-key"
}
}
If the secret in the x-origin-verify
header matches the value stored in the API_KEY
environment variable, the request is authorized.
To deploy the Lambda authorizer, follow these steps:
Set up Lambda environment variables:
API_KEY
: Your secret key, e.g., "your-secret-api-key"
.API_KEY_HEADER_NAME
: (Optional) If you want to use a custom header name, e.g., "x-api-key"
. If not set, the default is "x-origin-verify"
.Deploy your Lambda function using the AWS Management Console or AWS CLI and ensure the handler is set to simple_authorizer.authorizer.handler
.
Configure API Gateway:
"x-origin-verify"
, or your custom value set by API_KEY_HEADER_NAME
) in your CloudFront configuration to pass the API key.This project is licensed under the MIT License. See the LICENSE file for details.
This software product is not affiliated with, endorsed by, or sponsored by Amazon Web Services (AWS) or Amazon.com, Inc. The use of the term "AWS" is solely for descriptive purposes to indicate that the software is compatible with AWS services. Amazon Web Services and AWS are trademarks of Amazon.com, Inc. or its affiliates.