如何在不引发异常的情况下从 AWS lambda 授权方返回 401
[英]How to return 401 from AWS lambda authorizer without raising an exception
问题描述
I have a lambda authorizer that is written in Python.
我有一个用 Python 编写的 lambda 授权器。
I know that with the following access policy I can return 200/403 :我知道使用以下访问策略我可以返回 200/403 :
{
"principalId": "yyyyyyyy",
"policyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": "Deny",
"Resource": "*"
}
]
},
"context": {
"stringKey": "value",
"numberKey": "1",
"booleanKey": "true"
},
"usageIdentifierKey": "{api-key}"
}
I'm trying to return 401 error if the customer didn't send any token, therefore I'm raising an exception :如果客户没有发送任何令牌,我试图返回 401 错误,因此我引发了一个异常:
raise Exception("Unauthorized")
The problem with this solution is that the AWS lambda fails and then the execution is marked as a failed execution and not as a successful execution of the lambda.此解决方案的问题在于 AWS lambda 失败,然后执行被标记为失败的执行,而不是 lambda 的成功执行。 Is there any way to return 401 without failing the lambda ?有什么方法可以在不使 lambda 失败的情况下返回 401 吗?
Also tried the following like in lambda integration but didn't work:在 lambda 集成中也尝试了以下操作,但没有奏效:
return {"statusCode": 401, "body" : "Unauthorized"}
1 个解决方案
解决方案1
4 2021-03-24 20:05:24
It really is ugly, but that's the only way to truly signal a 401, which means "I can't find your Authorization header or cookie or nothing, you have to authenticate to do that".这真的很难看,但这是真正发出 401 信号的唯一方法,这意味着“我找不到您的授权标头或 cookie 或什么都没有,您必须进行身份验证才能做到这一点”。 A 403 is an explicit 👎 saying "I know who you are, you're Forbidden from doing that". 403 是一个明确的 👎 说“我知道你是谁,你被禁止这样做”。 It's an odd, ternary response that API Gateway needs here: 👍/👎/🤷, and this "throw a very specific exception" is one way to do it. API Gateway 在这里需要一个奇怪的三元响应:👍/👎/🤷,“抛出一个非常具体的异常”是一种方法。
So you can't customize the response with the authorizer lambda;因此,您无法使用授权方 lambda 自定义响应; you can only give a response document that says yay/nay, or throw your hands up and signal "I can't find any authentication material here".你只能给出一个回应文件,说是/不,或者举起你的手并表示“我在这里找不到任何认证材料”。 To customize the shape of that response to a client, you would use Gateway Responses .要自定义对客户端的响应的形状,您可以使用Gateway Responses 。 With this, you can customize the shape of the json (or whatever content-type, really) of your 401/403 responses.有了这个,您可以自定义 401/403 响应的 json(或任何内容类型,实际上)的形状。
Now, with respect to raise Exception("Unauthorized") polluting your metrics, making ambiguous real errors vs this expected error, I agree, it kinda stinks.现在,关于raise Exception("Unauthorized")污染您的指标,使实际错误与此预期错误产生歧义,我同意,这有点糟糕。 My only recommendation would be to log something ERROR level that you set up a Metric Filter to watch out for, and use that as your true "something's gone wrong" metric.我唯一的建议是记录一些您设置了指标过滤器来注意的 ERROR 级别,并将其用作您真正的“出现问题”指标。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.