How to secure AWS API Gateway with Access and Secret Keys in CloudFormation?
I created the serverless Lambda application by using an AWS Toolkit for Visual Studio template (I used Tutorial: Build and Test a Serverless Application with AWS Lambda). I had selected 'Empty Serverless Project' and created a simple lambda function linked to API Gateway.
The CloudFormation template looks like:
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Transform" : "AWS::Serverless-2016-10-31",
  "Description" : "An AWS Serverless Application.",
  "Resources" : {
    "Get" : {
      "Type" : "AWS::Serverless::Function",
      "Properties": {
        "Handler": "AWSServerless::AWSServerless.Functions::Get",
        "Runtime": "dotnetcore2.0",
        "CodeUri": "",
        "MemorySize": 256,
        "Timeout": 30,
        "Role": null,
        "Policies": [ "AWSLambdaBasicExecutionRole" ],
        "Events": {
          "PutResource": {
            "Type": "Api",
            "Properties": {
              "Path": "/",
              "Method": "GET"
            }
          }
        }
      }
    }
  },
  "Outputs" : {
    "ApiURL" : {
      "Description" : "API endpoint URL for Prod environment",
      "Value" : { "Fn::Sub" : "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/" }
    }
  }
}
Now I need to secure my API Gateway with Access and Secret Keys. I have investigated a bit and, if I am correct, it should look like the following:
"security":[{"sigv4":[]}]
But it still isn't clear to me where I should apply it. Possibly I am wrong and it could be done in another way. So my question is:
How to secure API Gateway with Access and Secret Keys in CloudFormation?
You can use API keys or Authorizers.
The following example creates a custom authorizer that is an AWS Lambda function.
"Authorizer": {
  "Type": "AWS::ApiGateway::Authorizer",
  "Properties": {
    "AuthorizerCredentials": { "Fn::GetAtt": ["LambdaInvocationRole", "Arn"] },
    "AuthorizerResultTtlInSeconds": "300",
    "AuthorizerUri" : {"Fn::Join" : ["", [
      "arn:aws:apigateway:",
      {"Ref" : "AWS::Region"},
      ":lambda:path/2015-03-31/functions/",
      {"Fn::GetAtt" : ["LambdaAuthorizer", "Arn"]}, "/invocations"
    ]]},
    "Type": "TOKEN",
    "IdentitySource": "method.request.header.Auth",
    "Name": "DefaultAuthorizer",
    "RestApiId": {
      "Ref": "RestApi"
    }
  }
}
(Update)
SO thread on How to use authorizers in the template 关于如何在模板中使用授权者的SO线程
Reference an Authorizer definition in an API Gateway path 在API网关路径中引用授权者定义
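For the "access and secret key" variant the question asks about (IAM/SigV4 rather than a custom authorizer), here is the questioner's SAM template rewritten with an explicit API whose default authorizer is AWS_IAM. This is an added example, not code from the original post or answer; it is written in CloudFormation's YAML form, and the logical IDs SecuredApi and ApiCallerPolicy are assumed names.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Resources:
  # Explicit API so a default authorizer can be applied to every method.
  # "SecuredApi" is an assumed logical ID, not from the original template.
  SecuredApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Auth:
        # AWS_IAM: API Gateway verifies the SigV4 signature made with the
        # caller's access key / secret key and checks execute-api:Invoke.
        DefaultAuthorizer: AWS_IAM

  Get:
    Type: AWS::Serverless::Function
    Properties:
      Handler: AWSServerless::AWSServerless.Functions::Get
      Runtime: dotnetcore2.0
      CodeUri: ''
      MemorySize: 256
      Timeout: 30
      Policies:
        - AWSLambdaBasicExecutionRole
      Events:
        GetResource:
          Type: Api
          Properties:
            # Bind the event to the explicit API; without RestApiId, SAM
            # generates an implicit ServerlessRestApi with no authorizer.
            RestApiId: !Ref SecuredApi
            Path: /
            Method: GET

  # Least-privilege policy for principals allowed to call the API.
  # "ApiCallerPolicy" is an assumed name; attach it to the caller's user or role.
  ApiCallerPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: execute-api:Invoke
            Resource: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${SecuredApi}/Prod/GET/

Outputs:
  ApiURL:
    Description: API endpoint URL for Prod environment
    Value: !Sub https://${SecuredApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/
```

After deployment an unsigned GET is rejected with HTTP 403, and only requests signed with SigV4 by a principal that holds ApiCallerPolicy (for example through an AWS SDK) reach the Lambda function. Note that the Output must reference the explicit API's logical ID, not ServerlessRestApi, which no longer exists in this template.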