1
votes

Let's say I have this use case where the user is allowed to read from a certain DynamoDB table and has getObject and putObject privileges in S3.

The following items I have been able to establish:

  1. User is authenticated against a Cognito user pool.
  2. On successful auth, the access token is sent to API Gateway.
  3. The custom auth blueprint is used to validate it and generate a policy doc.

Now what I am not able to understand is where and how do I mention the table/S3 permission specifics.

I went through the following documents/blogs

https://aws.amazon.com/blogs/compute/introducing-custom-authorizers-in-amazon-api-gateway/

http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html

https://mobile.awsblog.com/post/Tx3JK25U7Z9EUIU/Integrating-Amazon-Cognito-User-Pools-with-API-Gateway

However, I am still confused as to how and when the policy document, created by the custom auth lambda, will be used. A clarification on the flow would be highly appreciated.


1 Answer

1
votes

We actually just launched native support for Cognito User Pools, which will validate the JWT vended by Cognito. However this will just do a simple ALLOW/DENY decision (allowing if the token is valid), so there is no concept of fine-grained permissions.

For custom authorizers, the policy that you generate is cached and can apply to the entire RestApi (or all methods that use the same authorizer). The policy allows you to set up fine-grained permissions just like you would with an IAM User/Role.

One use case would be a group-based permissions setup where the custom authorizer determines who the caller is and assigns a group policy (e.g. admin, readonly, blocked, etc.) in the response to the first API call with that token. Those policies would set fine-grained permissions on specific resources/methods in the API. Then on subsequent API calls to any other resource/method that shares the same authorizer, the group policy would be applied.

So the benefits are:

  1. Fine-grained permission policies associated with users, like IAM Users/Roles.
  2. Caching the policy for the entire RestApi reduces Lambda invocations (cost and latency benefit).
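The group-based flow described in this answer, as an added Python example that is not part of the original post or of any AWS blueprint. The token-to-group table and the group permission lists are constructed for illustration; a real authorizer would verify the Cognito JWT signature against the user pool's JWKS and read the group from a claim instead of the lookup table. The `evaluate` helper is an approximation of how API Gateway applies the cached policy to later requests that never reach the authorizer, included so the caching behaviour can be exercised offline.

```python
"""Hypothetical API Gateway TOKEN authorizer (Python 3): maps the caller's
group to a fine-grained execute-api policy that spans the whole RestApi,
plus a small evaluator that mimics how the cached policy is applied to
later requests that never reach the authorizer."""
from fnmatch import fnmatchcase

# Constructed token -> (principal, group) table standing in for Cognito JWT
# validation. A real authorizer verifies the token signature against the user
# pool's JWKS and reads the group from a claim (e.g. "cognito:groups").
CONSTRUCTED_TOKEN_GROUPS = {
    "token-alice": ("alice", "admin"),
    "token-bob": ("bob", "readonly"),
    "token-mallory": ("mallory", "blocked"),
}

# Constructed group -> [(HTTP verb, resource path)] the group may invoke.
# Anything not listed is implicitly denied by IAM evaluation, so the cached
# policy fails closed for methods the caller has not asked about yet.
GROUP_ALLOWS = {
    "admin": [("*", "*")],
    "readonly": [("GET", "items"), ("GET", "items/*")],
    "blocked": [],
}


def api_base_arn(method_arn):
    """'arn:aws:execute-api:REGION:ACCT:API/STAGE/VERB/path' ->
    'arn:aws:execute-api:REGION:ACCT:API/STAGE', the scope the policy covers."""
    parts = method_arn.split("/")
    if len(parts) < 3:
        raise ValueError("unexpected methodArn: %s" % method_arn)
    return "/".join(parts[:2])


def build_policy(principal_id, group, method_arn):
    """Return the authorizer response for principal_id in group. The policy
    enumerates every method the group may call, not just the one in
    method_arn, because API Gateway caches it and reuses it for the API."""
    base = api_base_arn(method_arn)
    allowed = ["%s/%s/%s" % (base, verb, path)
               for verb, path in GROUP_ALLOWS.get(group, [])]
    if allowed:
        statement = {"Action": "execute-api:Invoke", "Effect": "Allow",
                     "Resource": allowed}
    else:
        # Unknown or blocked group: explicit Deny on every method of the API.
        statement = {"Action": "execute-api:Invoke", "Effect": "Deny",
                     "Resource": ["%s/*/*" % base]}
    return {
        "principalId": principal_id,
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
        # Exposed to the integration as $context.authorizer.group
        "context": {"group": group},
    }


def lambda_handler(event, context):
    """Entry point for a TOKEN authorizer; the event carries authorizationToken
    and the methodArn of the first request made with this token."""
    token = event.get("authorizationToken", "")
    if token not in CONSTRUCTED_TOKEN_GROUPS:
        # API Gateway turns this exact message into an HTTP 401.
        raise Exception("Unauthorized")
    principal_id, group = CONSTRUCTED_TOKEN_GROUPS[token]
    return build_policy(principal_id, group, event["methodArn"])


def evaluate(policy, method_arn):
    """Approximate API Gateway's check of a cached policy against a later
    request: an explicit Deny wins, a matching Allow permits, else deny."""
    decision = "Deny"
    for stmt in policy["policyDocument"]["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(fnmatchcase(method_arn, pattern) for pattern in resources):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    base = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod"
    # First call with bob's token runs the authorizer; the rest reuse the policy.
    policy = lambda_handler({"authorizationToken": "token-bob",
                             "methodArn": base + "/GET/items"}, None)
    for arn in (base + "/GET/items", base + "/GET/items/42", base + "/POST/items"):
        print(arn.split("/prod/")[1], "->", evaluate(policy, arn))
```

The point to notice is that `build_policy` ignores which method triggered the first call: because the response is cached per token for the whole RestApi, a policy that only allowed the first method would wrongly deny (or, if written as a blanket Allow, wrongly permit) every later method the same caller touches. Listing the group's full permission set up front is what makes the cache safe.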