Amazon API Gateway can delegate authorization decisions to an AWS Lambda function.
To support bearer tokens such as JWTs, you use a custom authorizer (now called a Lambda authorizer). When a method is configured with a custom authorizer, API Gateway invokes the Lambda function with the request's token and context, and the function must return an IAM policy that API Gateway uses to make the authorization decision. Because API Gateway caches the returned policy per token and reuses it for subsequent requests, the policy should cover the entire API (every method the caller is allowed to invoke), not just the specific method that triggered the call; a cached policy scoped to one method would cause other methods to be rejected until the cache entry expires.
The authorizer can also return a set of key/value pairs that are appended to the request context and are available to the integration as $context.authorizer.<key>.
The code for our custom authorizer is in the ListUnicornAuthorizer folder; open the folder and read index.js to see how the authorizer works.
To authorize access to our new list rides API we rely on a custom OAuth scope called UnicornManager/unicorn; this scope is automatically added to the tokens issued to the Unicorn Manager application's app client. Custom scopes are carried in the Cognito access token, not the ID token, so the client must send the access token as the bearer token.
Step 1: Download ListUnicornAuthorizer.zip
Step 2: Go to AWS Lambda Console
Step 3: Choose Create Function
Step 4: Click the Author from scratch button at the top of the blueprint list
Step 5: Enter ListUnicornAuthorizer in the Name field
Step 6: Choose WildRydesLambda from the existing role
Step 7: Select the Runtime that matches the code in the zip file. The handler in the ListUnicornAuthorizer folder is index.js, so this must be a Node.js runtime; a Python runtime cannot execute a JavaScript handler.
You also need to attach the DynamoDBRead policy to this role; go back to Attach Policy for detailed instructions.
Step 8: Click Create Function
Step 9: Change the Code entry type to Upload a .zip file
Step 10: Click the Upload button and select the ListUnicornAuthorizer.zip file you downloaded in Step 1.
Step 11: Expand the Environment variables section and add a new variable named USER_POOL_ID.
The value of the variable is the Pool Id of the WildRydes user pool (not the pool ARN or the app client ID); you can find it in the Cognito console.