8
votes

So I am trying to set up a custom authorizer in API Gateway.

I can get it to forward a request with a valid token to the lambda function specified in the API method. I cannot figure out how to access the principalId passed on by my authorizer though.

When executing the request I get the following in the CloudWatch log:

Authorizer result body before parsing:
{
  "principalId": "16",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Condition": {},
        "Action": "execute-api:Invoke",
        "Resource": [
          "arn:aws:execute-api:eu-central-1:****:***/null/*/*"
        ],
        "Effect": "Allow"
      },
      {
        "Condition": {},
        "Action": "execute-api:Invoke",
        "Resource": [],
        "Effect": "Deny"
      }
    ]
  }
}

So how do I access the principalId in my lambda function? Is the object even passed on to lambda? And if it is not, how do I get at least the principalId to be passed?

1 Answer

7
votes

The principalId can be (and by default is) forwarded to the Lambda implementation. Depending on your mapping, the principalId should appear in the context variable.

You can access the principalId value in a mapping template using the $context.authorizer.principalId variable. This is useful if you want to pass the value to the backend. For more information, see Accessing the $context Variable.

Use API Gateway Custom Authorizers
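
A sketch of the backend side of the mapping described in the answer above, added here as an example and not part of the original answer: a Python Lambda handler that reads the principalId only from where API Gateway places it and fails closed when it is missing. The template field name "principalId", the function names and the sample events are assumptions of this example; the proxy-integration path (requestContext.authorizer.principalId) goes beyond the non-proxy case the answer covers.

```python
# Assumed body mapping template (content type application/json) on the
# method's Integration Request, for a non-proxy Lambda integration.
# The left-hand field name "principalId" is this example's choice.
MAPPING_TEMPLATE = """
{
  "principalId": "$context.authorizer.principalId",
  "body": $input.json('$')
}
"""


class MissingPrincipal(Exception):
    """Raised when the event carries no authorizer-supplied principal."""


def principal_from_event(event):
    """Return the principalId that the custom authorizer produced.

    Two event shapes are handled:
      * non-proxy integration using MAPPING_TEMPLATE above
      * Lambda proxy integration (requestContext.authorizer.principalId)
    The client-controlled request body is never consulted, so a caller
    cannot pick their own identity by putting "principalId" in the payload.
    """
    ctx = event.get("requestContext")
    if isinstance(ctx, dict):
        # Proxy integration: API Gateway fills requestContext itself.
        principal = (ctx.get("authorizer") or {}).get("principalId")
    else:
        # Non-proxy integration: top-level field written by the template.
        principal = event.get("principalId")
    # Missing, non-string or blank value: fail closed.
    if not isinstance(principal, str) or not principal.strip():
        raise MissingPrincipal("no principalId from authorizer")
    return principal


def handler(event, context):
    # MissingPrincipal propagates as an invocation error, so a method that
    # was deployed without the authorizer is noticed instead of served.
    principal = principal_from_event(event)
    return {"principalId": principal}
```
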