Is lambda authorizer caching working for you guys?...
# sst
a
Is lambda authorizer caching working for you guys? For me, it’s always caching the responses. I’m sending different bearer JWT tokens, and it is caching the response and always returning the same one, even for different tokens.
g
The identity source is set to the token?
a
Yeah.
f
Hey @Adrián Mouly, I added 2 examples here with Lambda authorizer, one with simple response and one with IAM policy response. Caching seems fine when I was testing them out. Defaults to 5 min.
They aren’t using JWT, but rather BASIC auth. The idea should be similar; the identity source in this case defaults to ['$request.header.Authorization']
a
Ok thank you @Frank.
@Frank would it be possible to make an example with IAM_AUTH at some point?
Not related to the caching issue, but in another API I’m trying to use IAM_AUTH but I’m always getting 503.
And I’m not sure how I’m supposed to send the IAM auth headers; I’m using Postman to test it.
f
There are 5 examples in the repo that are AWS_IAM authorized. Each one comes with a tutorial as well - https://github.com/serverless-stack/serverless-stack/tree/master/examples
Check them out!
a
But those use facebook/twitter.. etc.. I want to use just AWS IAM.
f
Yeah, when using AWS_IAM, you pretty much have a Cognito Identity Pool. The authentication provider backing it can be User Pool, Facebook, etc.
a
But what if we want to use the aws-sign-v4 stuff?
Which uses AWS Auth.
f
At the bottom, it’s using Insomnia to test. By providing the credentials, Insomnia will do the signing.
a
I see, so you’re always going to need a provider like facebook/cognito/etc.
I’m trying to use this for internal API calls, like I mentioned before. Maybe I need to create a User Pool for internal usage.
f
Yup, Cognito Identity Pool just assigns temporary credentials to a user authenticated by facebook/cognito/etc, or unauthenticated.
It doesn’t do authentication itself.
a
Ok, that makes sense.
I was expecting that maybe it can use the AWS IAM alone.
f
Yeah, this article doesn’t even mention Cognito Identity Pool. When using AWS_IAM authorization, it allows anyone with IAM credentials to access the API. For example an IAM user, an IAM role, or a Facebook/Cognito/etc user who received temporary credentials from Identity Pool.
a
Yes, that’s the thing… I want to use an IAM User.
Not a Cognito/Facebook/etc User.
f
Yeah, if you look at the Insomnia screenshot in the facebook example, you just need to put in the IAM User’s credentials.
a
Yeah, I’m doing that, but can’t make it work 😞
Always getting 503.
f
Does the IAM User have the permission to execute the API?
a
Yeah, I created it from the Console, maybe the rule is not properly defined or something.
f
Try AdministratorAccess quickly as a test?
a
That’s an IAM rule? Sorry, I’ve never had access to my IAM due to some restrictions at my company.
But your suggestion makes sense, to use some ADMIN access.
f
I see. The permission you need is execute-api:Invoke on arn:aws:execute-api:${region}:${account}:${httpApiId}/*
a
YESSSS.
I did set that up, going to check it again.
I mean, it wasn’t me, because I’m not Admin in my org 😞.
But my Admin set it up like that for me.
FINALLY!! GOT IT TO WORK!!
My permission was set up incorrectly… gosh.