Authenticating AWS Lambda Function to a PHP script

Question

I have a php webapp with the following structure:

app
├── user
└── jobs
    ├─ task1.php
    └─ task2.php

The tasks scripts inside the jobs folder can be executed by the users through the web browser. To secure these scripts a session based authentication is implemented in each script.

To automate the execution of these tasks a AWS Lambda function is implemented which calls these scripts through HTTP using their URLs (ie https://www.domaine.com/jobs/task1.php ).

The probleme is that this Lambda function also need to be authenticated. The implementation I have in mind is to use some service in AWS that allows you to generate a Token as follows:

1. Lambda: Generate a token using AWS Service
2. Lambda: Call the task.php script using the Token
3. Task.php: Verify the token using the AWS Service
4. Task.php: Continue executing the requested Task

Is there a better way to authenticate the Lambda calls? If not is there a way to implement the previous mecanism?

Answer 1

Verification (point 3.) suggest that you do not want to use API Keys that would the simplest way to secure task calls.

Another solution would be to use JWT with a shared secret - Lambda is created JWT token with secret and PHP script task*.php would verify that token with the same secret. It would not require a back trip to verify token to Lambda.

Edit : based on your explanation of the requirement...

If PHP does not want to be aware of the secret with which token could be verified, natural would be to call (suggest separate) Lambda that shares (via ENV variable) secret that was used to create JWT token and would be able to verify (Yea/Nea) using standard JWT library.

Like you see it creates more complexity than just PHP share secret.

However, if you do not want to manage any secrets (in PHP and/or Lambda) passing tokens that are not verifiable it seems pointless (just art for the art of having token).