TLDR;
We have a custom authorizer deployed and want to use stage variables to switch which (authorizer) function is used per stage/environment, e.g. the dev stage would use the authorizer-dev function, the acpt stage would use authorizer-acpt, and so on. We cannot get this to work.
More Detail
We have an HTTP API (not REST) deployed in API Gateway. This understandably limits some of the capabilities that using a REST API would give us, but we currently have no strong need for the full features supplied by a REST API.
To support different environments we use stages alongside stage variables to switch the downstream integration (Lambda function, k8s-based service, etc.) based on which stage the request comes in on, i.e. anything requested on the dev stage gets pointed at the services deployed as the dev environment. This is all deployed through the use of an OpenAPI Specification which has the stage variables embedded into the AWS integration extensions. For example:

```yaml
payloadFormatVersion: "2.0"
passthroughBehavior: when_no_match
httpMethod: POST
type: aws_proxy
credentials: "arn:aws:iam::<aws-account>:role/<role-name>"
uri: "arn:aws:apigateway:<aws-region>:lambda:path/2015-03-31/functions/arn:aws:lambda:<aws-region>:<aws-account>:function:<function-name>-${stageVariables.environment}/invocations"
```
This works perfectly.
We have a custom authorizer configured in API Gateway against our HTTP API (apigatewayv2). Currently all requests no matter which stage go through a single authorizer function which is causing a pinch point for us as we need to have segregated authorizers per environment as they need to have different verifications and configuration.
We have tried a number of things, both manually and via CI/CD, to enable stage variables on custom authorizers, but cannot get this to work correctly. Using a single authorizer works; using stage variables results in all requests returning 500 Internal Server Error without any details anywhere of what went wrong.
This question is similar to the one asked here with an accepted answer, but specifically for an HTTP API.
Things we have tried
- Putting stage variables into the authorizerUri in the API Specification, e.g.:

```yaml
x-amazon-apigateway-authorizer:
  authorizerCredentials: "arn:aws:iam::<aws-account>:role/<role-name>"
  authorizerPayloadFormatVersion: 2.0
  authorizerUri: "arn:aws:apigateway:<aws-region>:lambda:path/2015-03-31/functions/arn:aws:lambda:<aws-region>:<aws-account>:function:<authorizer-name>-${stageVariables.environment}/invocations"
  authorizerResultTtlInSeconds: 0
  identitySource: $request.header.Authorization
  type: request
```
- Using a stage variable to replace the entire function name in the authorizerUri, in both the console and the API specification, e.g.:

```yaml
authorizerUri: "arn:aws:apigateway:<aws-region>:lambda:path/2015-03-31/functions/arn:aws:lambda:<aws-region>:<aws-account>:function:${stageVariables.authorizerFunctionName}/invocations"
```
- Using the AWS CLI to update the authorizer's URI manually, e.g. (the closing quote of the URI argument was missing in the command as originally pasted):

```shell
aws apigatewayv2 update-authorizer --api-id <api-id> --authorizer-id <authorizer-id> --authorizer-uri 'arn:aws:apigateway:<aws-region>:lambda:path/2015-03-31/functions/arn:aws:lambda:<aws-region>:<aws-account>:function:<authorizer-name>-${stageVariables.environment}/invocations'
```
We're at a loss as to why this doesn't work and can't find any documentation that points to why it shouldn't work.
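One check that is worth running statically before deploying a spec like the ones above, as an added example that is not part of the original question and not AWS tooling: pull every `${stageVariables.NAME}` reference out of the spec text and resolve it against the variables actually defined on each stage. A reference that a stage does not define cannot resolve to a function ARN, and with a 500 that carries no detail this is much easier to catch before deployment than after. The spec fragment, stage names, variable values and ARN placeholders are constructed for the example; the `STAGES` map is assumed to be in the same shape as the stage variables you would read back with `aws apigatewayv2 get-stages`.

```python
"""
Lint an apigatewayv2 OpenAPI spec for ${stageVariables.NAME} references and
resolve each reference against the variables defined on every stage.

Added example, not code from the original question or from AWS. The spec
text, stage names, variable values and ARN placeholders are constructed.
"""
import re
from typing import Dict, List, Optional

# Constructed spec fragment in the shape of the question's integration and
# authorizer extensions (account, region and function names are placeholders).
SPEC = """
x-amazon-apigateway-integration:
  type: aws_proxy
  uri: "arn:aws:apigateway:<aws-region>:lambda:path/2015-03-31/functions/arn:aws:lambda:<aws-region>:<aws-account>:function:orders-${stageVariables.environment}/invocations"
x-amazon-apigateway-authorizer:
  type: request
  authorizerUri: "arn:aws:apigateway:<aws-region>:lambda:path/2015-03-31/functions/arn:aws:lambda:<aws-region>:<aws-account>:function:${stageVariables.authorizerFunctionName}/invocations"
"""

# Constructed stage -> variables map (assumed to mirror what `get-stages`
# returns). Only "environment" is defined on acpt, so the authorizer
# reference cannot resolve there.
STAGES: Dict[str, Dict[str, str]] = {
    "dev":  {"environment": "dev", "authorizerFunctionName": "authorizer-dev"},
    "acpt": {"environment": "acpt"},
}

STAGE_VAR_RE = re.compile(r"\$\{stageVariables\.([A-Za-z0-9_-]+)\}")
# Matches a `key: "quoted value"` YAML line; enough for the URI lines we care about.
KEY_VALUE_RE = re.compile(r'\s*(\w+):\s*"(.*)"\s*$')


def referenced_variables(spec_text: str) -> List[str]:
    """Distinct stage variable names referenced anywhere in the spec, in order of first use."""
    seen: List[str] = []
    for name in STAGE_VAR_RE.findall(spec_text):
        if name not in seen:
            seen.append(name)
    return seen


def missing_per_stage(spec_text: str, stages: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each stage to the referenced variables that stage does not define."""
    needed = referenced_variables(spec_text)
    return {stage: [v for v in needed if v not in variables] for stage, variables in stages.items()}


def resolve(value: str, variables: Dict[str, str]) -> str:
    """Substitute ${stageVariables.NAME} in one value; raises KeyError for an undefined name."""
    return STAGE_VAR_RE.sub(lambda m: variables[m.group(1)], value)


def resolved_uris(spec_text: str, stages: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, Optional[str]]]:
    """For each stage, resolve every quoted spec value that references a stage variable.

    A value whose reference the stage does not define is reported as None so the
    caller can fail the deployment for that stage instead of shipping a URI that
    cannot point at a function.
    """
    out: Dict[str, Dict[str, Optional[str]]] = {}
    for stage, variables in stages.items():
        out[stage] = {}
        for line in spec_text.splitlines():
            m = KEY_VALUE_RE.match(line)
            if m and STAGE_VAR_RE.search(m.group(2)):
                try:
                    out[stage][m.group(1)] = resolve(m.group(2), variables)
                except KeyError:
                    out[stage][m.group(1)] = None
    return out


if __name__ == "__main__":
    for stage, missing in missing_per_stage(SPEC, STAGES).items():
        status = "ok" if not missing else f"undefined: {', '.join(missing)}"
        print(f"{stage}: {status}")
    for stage, uris in resolved_uris(SPEC, STAGES).items():
        for key, uri in uris.items():
            print(f"  {stage}.{key} -> {uri}")
```

Run it against the real spec file and a `get-stages` dump instead of the constructed values; any stage that comes back with a non-empty missing list, or a `None` URI, is one where the reference cannot be satisfied regardless of whether the authorizer itself honours stage variables.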