How to know if my Lambda Authorizer for API Gateway is caching results?

0

I have a Lambda Authorizer for an API Gateway API with one resource and three methods - PUT / GET / DELETE.

Each method uses the same Lambda Authorizer, the TOKEN kind, to verify a JWT from Cognito. An IAM policy is returned by the Lambda which allows PUT / GET / DELETE actions on the resource.

The authorization and policy work fine -- I just don't know if the result is being cached by API Gateway.

When I look at the API Gateway execution logs, every request seems to be calling the Lambda Authorizer. Every API Gateway execution log has a line like this:

Sending request to https://lambda.us-east-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:MY_LAMBDA_FUNCTION:prod/invocations

Does this invocation of the Lambda function mean that the Lambda Authorizer is not caching properly?

After the "Sending request" log line, there's a line like "Authorizer result body before parsing" and then this line:

Using valid authorizer policy for principal: *****user

Does this statement indicate that the Lambda Authorizer is using a cached policy?

The strange thing is...when I check the Lambda logs, the execution times vary wildly, almost as if the Lambda itself is caching the result...but I think the caching happens on the API Gateway side? What's going on here?

Sample of Lambda duration times: 529ms, 10ms, 217ms, 213ms, 8ms, 2ms

2 Answers
1

Assuming that this is a REST API and a REQUEST type Lambda, the default cache key used for Lambda authorizers is the resource path.

On REQUEST type Lambda authorizers, you have the ability to define “identity sources” which are used to create the cache key.

When multiple identity sources are defined they are used in combination to create the cache key.

You can define the identity sources in the Lambda Event Payload (you can find this in the Edit Authorizer settings) in order to create a cache key based on the resource path as well as the value of the x-api-key header.

AWS
answered a year ago
0

To verify whether or not it's cached, output a message to the log (e.g. console.log("in authorizer")) inside your authorizer Lambda function, and then you'll know if it's being called or cached after you see how many times the message is in the authorizer log in CloudWatch.

harry
answered 6 months ago
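
One way to carry out the log-counting check described in the answer above, as an added example that is not part of the original thread and not AWS's code. `MARKER`, `makeAuthorizer`, `buildPolicy`, `summarize` and `verifyJwt` are hypothetical names, `verifyJwt` stands in for your own Cognito JWT verification, and the log lines are constructed.

```javascript
// Added example. verifyJwt is a placeholder for your Cognito JWT check; it is
// assumed to resolve to the token's claims and to throw on an invalid token.
const MARKER = "AUTHORIZER_INVOKED";
let callsInThisEnvironment = 0; // module scope survives warm invocations

// Allow PUT/GET/DELETE on the resource named in methodArn, as in the question.
// methodArn: arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{METHOD}/{path}
function buildPolicy(principalId, methodArn) {
  const [api, stage, , ...path] = methodArn.split("/");
  const resources = ["PUT", "GET", "DELETE"].map((m) => [api, stage, m, ...path].join("/"));
  return { principalId, policyDocument: { Version: "2012-10-17",
    Statement: [{ Action: "execute-api:Invoke", Effect: "Allow", Resource: resources }] } };
}

// Returns a TOKEN authorizer handler; deploy the result as the Lambda's handler.
function makeAuthorizer(verifyJwt) {
  return async (event) => {
    callsInThisEnvironment += 1;
    let sub = null;
    try {
      sub = (await verifyJwt(event.authorizationToken)).sub;
      return buildPolicy(sub, event.methodArn);
    } catch {
      throw new Error("Unauthorized"); // API Gateway answers 401 for this message
    } finally {
      // One structured line per real invocation. Log the subject, never the token.
      console.log(JSON.stringify({ marker: MARKER, sub, n: callsInThisEnvironment }));
    }
  };
}

// Compare marker lines in the authorizer's log group with the number of API
// requests you sent using the same token during the test window.
function summarize(logLines, apiRequestCount) {
  const hits = logLines
    .filter((l) => l.includes(MARKER))
    .map((l) => JSON.parse(l.slice(l.indexOf("{"))));
  return { invocations: hits.length,
    servedFromCache: apiRequestCount - hits.length, // requests that never reached Lambda
    newEnvironments: hits.filter((h) => h.n === 1).length }; // n === 1: fresh environment
}

// Constructed sample: 6 API requests were sent, 2 produced a marker line.
const sampleLog = [
  '2024-01-01T00:00:00.000Z\treq-1\tINFO\t{"marker":"AUTHORIZER_INVOKED","sub":"user-1","n":1}',
  "2024-01-01T00:00:00.500Z\treq-1\tINFO\tsome other line",
  '2024-01-01T00:05:01.000Z\treq-2\tINFO\t{"marker":"AUTHORIZER_INVOKED","sub":"user-1","n":2}',
];
```

If `invocations` equals the number of requests sent, nothing was served from the authorizer cache during the window.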
