How to return 401 from AWS lambda authorizer without raising an exception
I have a lambda authorizer that is written in Python.
I know that with the following access policy I can return 200/403:
{
    "principalId": "yyyyyyyy",
    "policyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "execute-api:Invoke",
                "Effect": "Deny",
                "Resource": "*"
            }
        ]
    },
    "context": {
        "stringKey": "value",
        "numberKey": "1",
        "booleanKey": "true"
    },
    "usageIdentifierKey": "{api-key}"
}
I'm trying to return a 401 error if the customer didn't send any token, therefore I'm raising an exception:
raise Exception("Unauthorized")
The problem with this solution is that the AWS lambda fails and then the execution is marked as a failed execution and not as a successful execution of the lambda. Is there any way to return 401 without failing the lambda?
I also tried the following, as in a lambda integration, but it didn't work:
return {"statusCode": 401, "body": "Unauthorized"}
It really is ugly, but that's the only way to truly signal a 401, which means "I can't find your Authorization header or cookie or anything, you have to authenticate to do that". A 403 is an explicit 👎 saying "I know who you are, you're Forbidden from doing that". It's an odd, ternary response that API Gateway needs here: 👍/👎/🤷, and this "throw a very specific exception" is one way to do it.

So you can't customize the response with the authorizer lambda; you can only give a response document that says yay/nay, or throw your hands up and signal "I can't find any authentication material here". To customize the shape of that response to a client, you would use Gateway Responses. With this, you can customize the shape of the JSON (or whatever content-type, really) of your 401/403 responses.

Now, with respect to raise Exception("Unauthorized") polluting your metrics, making real errors ambiguous vs. this expected error, I agree, it kinda stinks. My only recommendation would be to log something at ERROR level that you set up a Metric Filter to watch out for, and use that as your true "something's gone wrong" metric.
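The three outcomes the answer describes (Allow policy for 200, Deny policy for 403, the specific `Unauthorized` exception for 401) put together in one Python TOKEN-type authorizer, with the expected 401 kept out of the ERROR-level log line that a Metric Filter would watch. This is an added example, not code from the question or the answer. It assumes a TOKEN authorizer event shape (`authorizationToken` and `methodArn` fields), a constructed allow-list of tokens in place of real token validation, and a constructed `FORBIDDEN_PRINCIPALS` set; nothing here calls AWS, so it runs offline.

```python
import logging

logger = logging.getLogger("authorizer")

# Constructed sample data (not from the post): tokens and the principal each maps to.
KNOWN_TOKENS = {"token-for-alice": "alice", "token-for-bob": "bob"}
# Constructed: principals that are authenticated but not allowed to invoke this API.
FORBIDDEN_PRINCIPALS = {"bob"}


def build_policy(principal_id, effect, resource, context=None):
    """Build the policy document from the question: Allow -> 200, Deny -> 403."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "execute-api:Invoke",
                    "Effect": effect,
                    "Resource": resource,
                }
            ],
        },
        "context": context or {},
    }


def extract_token(event):
    """Pull the bearer token out of a TOKEN-authorizer event; '' if absent."""
    raw = (event.get("authorizationToken") or "").strip()
    if raw.lower().startswith("bearer "):
        raw = raw[len("bearer "):].strip()
    return raw


def authorize(event):
    """Return a policy (200/403) or raise the 401 signal API Gateway expects."""
    resource = event.get("methodArn", "*")
    token = extract_token(event)
    if not token:
        # No credentials at all: the 🤷 case. API Gateway maps exactly this
        # exception message to a 401; any other exception is not treated as 401.
        raise Exception("Unauthorized")
    principal = KNOWN_TOKENS.get(token)
    if principal is None:
        # Credentials present but unusable: also treated as "not authenticated" here.
        raise Exception("Unauthorized")
    if principal in FORBIDDEN_PRINCIPALS:
        # Known caller that is not allowed: Deny -> 403.
        return build_policy(principal, "Deny", resource)
    return build_policy(principal, "Allow", resource, {"stringKey": "value"})


def lambda_handler(event, context):
    """Entry point. Keeps the expected 401 out of the ERROR-level metric filter."""
    try:
        return authorize(event)
    except Exception as exc:
        if str(exc) == "Unauthorized":
            # Expected outcome, logged below ERROR so it does not trip the filter.
            logger.info("rejected request with missing or unknown credentials")
            raise
        # Genuine failure: this line is what a CloudWatch Metric Filter
        # (pattern such as "AUTHORIZER_FAILURE", a constructed marker) should count.
        logger.error("AUTHORIZER_FAILURE %s", exc)
        raise
```

The invocation still ends in an unhandled exception for the 401 case, exactly as the answer says it must; what the handler controls is that only unexpected failures produce the `AUTHORIZER_FAILURE` line, so a Metric Filter on that marker counts real problems rather than every anonymous request.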