7

I currently have an API going through our API Gateway, which has multiple Custom Authorizers attached - LiveAuthorizer and TestAuthorizer.

I'd like to change my custom authorizer based on the stage being accessed, just like a stage variable. If we are in stage Test, use the TestAuthorizer; if in live, use the LiveAuthorizer.

From my research and this page it doesn't seem possible, any ideas?

PS - I know this could be handled from within the Lambda function doing the authentication, I'm just curious if there is another way (similar to stage variables).

Hexie

1 Answer

3

You can use a stage variable in a single Authorizer to point to different Lambda functions depending on the stage, but you cannot point to different Authorizers.

In a lot of cases pointing to a different Lambda function works. The other settings on the Authorizer (like the header source or the TTL) don't support stage variables so those would have to be shared by all stages.

Edit: I should explain, a key reason for not allowing this is the fact that our stage variable feature as-is doesn't have a fallback if at runtime the variable doesn't exist. Since running an Authorizer is critical, we would have to come up with a different mechanism similar to stage variables with a built-in safety mechanism.

jackko
  • Could you please explain this: "You can use a stage variable in a single Authorizer to point to different Lambda functions" – Hexie Feb 14 '17 at 03:00
  • You need to set your authorizer to something like {stageVariables.authorizerName} and set that stage variable in your stage. If you go with this configuration you need to manually configure your API Gateway to call that Lambda function. – taskiner Feb 14 '17 at 19:58
  • @taskiner please see the url in my initial question, according to this page (dated less than a month ago): http://stackoverflow.com/questions/41684728/is-it-possible-to-pass-a-stage-variables-to-a-custom-authorizer-in-aws-api-gatew that cannot be done? – Hexie Feb 14 '17 at 20:12
  • @Hexie that question is about accessing stage variables within a Lambda function. Correct me if I'm wrong, you just want to trigger a different Lambda function for different stages. If that's what you are talking about, you can do that with stage variables. – taskiner Feb 14 '17 at 21:11
  • @taskiner Are you saying that I could create a new Custom Authorizer and in its name use ${stageVariable.authName}? – Hexie Feb 14 '17 at 21:16
  • @Hexie yes, we are using that configuration in production right now. Your auth func name needs to be set like you said: `${stageVariables.authFunc}`. And you need to give permissions to your API GW to invoke Lambda using the AWS CLI. – taskiner Feb 14 '17 at 21:19
  • @taskiner is correct, the one option you have is using a stage variable for the function name and/or function version. Then you set the same 'Authorizer' on your methods, and then the stage variables will make that Authorizer call different Lambda functions based on the stage being invoked. – jackko Feb 15 '17 at 19:08
  • @JackKohn-AWS is this (stage variable substitution) working for the Cognito authorizer ARN as well? Thinking of using this to define a different user pool per stage – Vincent de Lagabbe Aug 17 '17 at 10:01
  • Would be awesome if we could disable authorizer caching per stage! – Jay Jun 18 '20 at 17:16
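An added example, not code from the thread or from AWS: a Python check for the single-Authorizer setup described in the answer, which resolves `${stageVariables.authFunc}` per stage, flags any stage where the variable is missing (the no-fallback case the answer mentions) or points at an unexpected function, and builds the `aws lambda add-permission` options taskiner refers to. The region, account ID, API ID, authorizer ID, the `Staging` stage, the allow-list and the statement-id naming are constructed assumptions.

```python
import re

# Constructed sample values; none of them come from the thread.
REGION, ACCOUNT, API_ID, AUTHORIZER_ID = "us-east-1", "123456789012", "a1b2c3d4e5", "auth01"
AUTHORIZER_URI = (
    f"arn:aws:apigateway:{REGION}:lambda:path/2015-03-31/functions/"
    f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:${{stageVariables.authFunc}}/invocations"
)
# Same shape as the "item" list printed by `aws apigateway get-stages`.
STAGES = [
    {"stageName": "Test", "variables": {"authFunc": "TestAuthorizer"}},
    {"stageName": "Live", "variables": {"authFunc": "LiveAuthorizer"}},
    {"stageName": "Staging", "variables": {}},  # variable never set
]
ALLOWED = {"Test": "TestAuthorizer", "Live": "LiveAuthorizer"}  # expected function per stage
VAR = re.compile(r"\$\{stageVariables\.(\w+)\}")

def resolve(uri, stage):
    """Substitute stage variables; return (resolved_uri, missing_variable_names)."""
    missing = []
    def sub(match):
        value = stage.get("variables", {}).get(match.group(1))
        if value is None:
            missing.append(match.group(1))
        return match.group(0) if value is None else value
    return VAR.sub(sub, uri), missing

def audit(uri, stages, allowed):
    """Return {stageName: "ok" or a description of the problem}."""
    findings = {}
    for stage in stages:
        name = stage["stageName"]
        resolved, missing = resolve(uri, stage)
        func = re.search(r":function:([^/]+)/invocations$", resolved)
        findings[name] = "ok"
        if missing:
            findings[name] = "missing stage variable: " + ", ".join(missing)
        elif func is None or allowed.get(name) != func.group(1):
            findings[name] = "unexpected function: " + (func.group(1) if func else resolved)
    return findings

def permission_args(function_name):
    """Options for `aws lambda add-permission` letting this authorizer invoke the function."""
    return {
        "function-name": function_name,
        "statement-id": f"apigw-authorizer-{function_name}",  # hypothetical naming scheme
        "action": "lambda:InvokeFunction", "principal": "apigateway.amazonaws.com",
        "source-arn": f"arn:aws:execute-api:{REGION}:{ACCOUNT}:{API_ID}/authorizers/{AUTHORIZER_ID}",
    }
```

Running `audit(AUTHORIZER_URI, STAGES, ALLOWED)` before each deployment catches a stage that would reach the Authorizer without a resolvable function name.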