How can I use permissions generated in AWS Custom Authorizer in my lambda code?

4
votes

I'd like to generate a custom policy that provides fine grained access to DynamoDB tables inside an AWS custom authorizer. Is this possible?

In serverless, my configuration looks like this:

functions:
  APIAuthorizer:
    handler: src/services/auth/handlers.apiAuthorizer
    cors: true
  GraphQLAPI:
    handler: src/services/graphql/handlers.apiHandler
    events:
      - http:
          path: "/api"
          method: post
          cors: true
          authorizer:
            name: APIAuthorizer
            type: request
            resultTtlInSeconds: 0

I've verified that my custom authorizer is being called, and that various permissions it generates (sts:AssumeRole, lambda:InvokeFunction, execute-api:Invoke, and others) are required for successfully invoking the API handler. So my custom authorizer is working and the result it provides is necessary.

However, when the authorizer includes dynamodb permissions, e.g., a statement like { Effect: "Allow", Action: "dynamodb:", "Resource": "" }

my API handler (the GraphQLAPI function) fails with a message like 

User: arn:aws:sts::<myaccountid>:assumed-role/<mydefaultrole>/myservice-mystage-GraphQLAPI is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:<myaccountId>:table/<mytable>/index/<someIndex>

(I noticed the complaint is about an index permission, so also tried adding specific permissions for that index and/or for all indexes, but this has no effect.)

The bottom line, after many different attempts, is that dynamodb permissions issued by the custom authorizer are completely ignored. My lambda node.js code is using the AWS node SDK, which should be picking up permissions from the instance environment. I assumed this would include permissions generated by the custom authorizer.

Finally, I noticed that the AWS javascript SDK documentation on how credentials are loaded says only "The execution role provides the Lambda function with the credentials it needs to run and to invoke other web services". I.e., it doesn't mention the dynamically generated credentials issued by the custom authorizer.

This seems to explain the behavior I'm seeing. My API handler only has permissions from the statically defined execution role (the error message indicates that too), and isn't granted permissions generated by the custom authorizer.

Is there anyway to use the permissions my custom authorizer generates inside my API handler?

1
aws-lambdaamazon-dynamodbamazon-iamserverlesslambda-authorizer
I had this same expectation that it was dynamic policy generation for any resource and not just api gateway, and the lambda would execute under the dynamic policy. Should be clearer in the AWS docs. - pfeilbr

1 Answers

5
votes

I think you misunderstood the IAM policy output from Lambda authorizers. The purpose of the IAM policy output from the authorizer is to reflect what the outcome should be for API gateway with respect to continuing to process the request.

The policy returned is not necessarily applied to the invoked function, but applied to the invocation of the function. It merely tells API Gateway which APIs the requesting user is authorized to access.

If you wish to give the API functions being invoked specific access to resources such as DynamoDB tables, or any other AWS resources, those have to be configured in the role assigned to the Lambda function. Otherwise, you may be able to specify a role that the Lambda function to be invoked would assume that grants it additional permissions. This role can be passed via the context parameters from the authorizer.