AWS cross-account authorizer
Introduction:
In the post at https://www.chaiandwine.info/2021/03/creating-net-lambda-authorizer-for-aws.html, we covered the basics of authorizers and how to create one. If you haven't read it, I would recommend doing so before reading further.
Organizations usually maintain one shared Authorizer rather than having each microservice create its own. This post explains how to create a common Authorizer in one AWS account and use it from another. The second account will have an API Gateway configured to use the first account's Authorizer.
Steps to implement cross-account authorizer:
a. Create a .Net Core authorizer in Visual Studio as in https://www.chaiandwine.info/2021/03/creating-net-lambda-authorizer-for-aws.html.
b. Next, deploy this Authorizer in the First AWS account. For the steps to deploy an Authorizer, refer to this link:
c. In the second account, create an API in API Gateway. Navigate to the API Gateway service in the AWS web console, click 'Build' for REST API, then click 'Create API'.
d. Navigate to 'Authorizers' in the left panel. Provide a name for the Authorizer. For the Lambda function, enter the ARN of the Lambda you created in the first account. How to obtain the Lambda's ARN is covered in the next step.
f. Going back to step d, click the Create button. It will show a screen with the message and command described below.
g. The message says that we need to add "Invoke" permission to the authorizer Lambda we created in the first account. To add the permission, we run the command below in the first account's AWS CloudShell. However, the command contains a placeholder, AUTHORIZER_ID; we cannot run it as-is and must first look up that value and substitute it. Copy the command into Notepad and replace AUTHORIZER_ID.
aws lambda add-permission --function-name "arn:aws:lambda:us-east-2:<first_account_number>:function:BlogAuth" --source-arn "arn:aws:execute-api:us-east-2:<second_account_number>:og9l0ae354/authorizers/AUTHORIZER_ID" --principal apigateway.amazonaws.com --statement-id xxxxxxxxxxxxxxxxxx --action lambda:InvokeFunction
h. To find the AUTHORIZER_ID, run the command below in AWS CloudShell:
aws apigateway get-authorizers --rest-api-id <APIGatewayID> --region us-east-2
Note: use the region you selected for the API.
i. The API Gateway ID is part of the source ARN in the command from step g:
arn:aws:execute-api:us-east-2:<second_account_number>:og9l0ae354/authorizers/AUTHORIZER_ID
j. Hence, I need to run 'aws apigateway get-authorizers --rest-api-id og9l0ae354 --region us-east-2' in AWS CloudShell in the second account (where we are configuring the API Gateway).
It will output the following:
[cloudshell-user@ip-10-0-186-189 ~]$ aws apigateway get-authorizers --rest-api-id og9l0ae354 --region us-east-2
{
"items": [
{
"id": "nzocpg",
"name": "AnotherAccountAuthorizer",
"type": "REQUEST",
"authType": "custom",
"authorizerUri": "arn:aws:apigateway:us-east-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-2:xxxxxxxxxxxx:function:BlogAuth/invocations",
"identitySource": "method.request.header.userName,method.request.header.passWord",
"authorizerResultTtlInSeconds": 300
}
]
}
"id": "nzocpg" is the Authorizer ID.
k. Replace AUTHORIZER_ID with nzocpg and run the command in the first account, which holds the Lambda Authorizer.
aws lambda add-permission --function-name "arn:aws:lambda:us-east-2:<first_account_number>:function:BlogAuth" --source-arn "arn:aws:execute-api:us-east-2:<second_account_number>:og9l0ae354/authorizers/nzocpg" --principal apigateway.amazonaws.com --statement-id xxxxxxxxxxxxxxxxxx --action lambda:InvokeFunction
The Invoke permission for the Authorizer Lambda is added, and we can use the Authorizer in our second account.
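The --source-arn in the add-permission command is what keeps this grant safe: it pins the resource policy to one authorizer in one API in one account, so no other API Gateway can invoke the Lambda. The script below is an added example (not code from the post): it extracts the authorizer id from get-authorizers output, builds the expected source ARN, and audits a get-policy document for API Gateway invoke grants that are not pinned to it. The CLI outputs and the account numbers 111111111111 and 222222222222 are constructed samples.

```python
import json

# Constructed sample outputs (not real accounts): 111111111111 owns the Lambda
# authorizer, 222222222222 owns the API Gateway with REST API id og9l0ae354.
GET_AUTHORIZERS_OUTPUT = json.dumps({"items": [
    {"id": "nzocpg", "name": "AnotherAccountAuthorizer", "type": "REQUEST"}]})

def resource_policy(statements):
    # `aws lambda get-policy` returns the policy document as a JSON *string*.
    return json.dumps({"Policy": json.dumps(
        {"Version": "2012-10-17", "Statement": statements})})

GRANT = {"Sid": "xxxxxxxxxxxxxxxxxx", "Effect": "Allow",
         "Principal": {"Service": "apigateway.amazonaws.com"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-2:111111111111:function:BlogAuth"}
SCOPED = resource_policy([dict(GRANT, Condition={"ArnLike": {"AWS:SourceArn":
    "arn:aws:execute-api:us-east-2:222222222222:og9l0ae354/authorizers/nzocpg"}})])
UNSCOPED = resource_policy([GRANT])  # add-permission run without --source-arn

def authorizer_id(get_authorizers_json, name):
    """Pick the authorizer id out of get-authorizers output (steps h and j)."""
    for item in json.loads(get_authorizers_json)["items"]:
        if item["name"] == name:
            return item["id"]
    raise KeyError(f"no authorizer named {name}")

def source_arn(region, api_account, api_id, auth_id):
    """Value passed to --source-arn in the add-permission command (step k)."""
    return f"arn:aws:execute-api:{region}:{api_account}:{api_id}/authorizers/{auth_id}"

def unscoped_invoke_sids(get_policy_json, expected_source_arn):
    """Sids of Allow statements that let API Gateway invoke the function without
    being pinned to the expected authorizer ARN (any API in any account could)."""
    policy = json.loads(json.loads(get_policy_json)["Policy"])
    flagged = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        is_apigw = principal == "*" or (isinstance(principal, dict) and
                   principal.get("Service") == "apigateway.amazonaws.com")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        invokes = any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions)
        if st.get("Effect") != "Allow" or not is_apigw or not invokes:
            continue
        cond = st.get("Condition", {})
        pinned = {cond.get("ArnLike", {}).get("AWS:SourceArn"),
                  cond.get("ArnEquals", {}).get("AWS:SourceArn")}
        if expected_source_arn not in pinned:
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged
```

Run it against the real output of `aws lambda get-policy --function-name <authorizer ARN>` from the first account after step k; an empty list means every API Gateway invoke grant is pinned to your authorizer.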
Happy Coding!