API Gateway IAM_AUTH role identification


Hello, I have the following scenario:

callee (with IAM_Role) -> API Gateway -> Downstream app.

API Gateway will check the resource policy when IAM_AUTH is enabled to make sure that the role is valid. However, the customer wants to do a secondary check on the downstream app for an end-to-end validation, so it needs to know the IAM role used for the original request to the API Gateway. Is there a way to do this?

For example, server-a with role-a calls API Gateway with a request. API Gateway validates against its resource policy that the role is allowed to make that call. Server-b downstream gets the request from API Gateway and also does a secondary check with additional logic to check what role-a can do at an application level. Is there a way to pull that role from API Gateway in a timely fashion?

Something in the header preferably, such as the role name or role ID. The original request is SigV4 signed. CloudWatch logs would be too delayed.

1 Answer
Accepted Answer

`$context.identity.userArn` or `$context.identity.user` should have what you want:

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html#context-variable-reference

These are available in Lambda Proxy requests (which have all context by default), and are also available in mapping templates if you use non-proxy integration.

answered 5 years ago
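As an added example (not part of the original question or answer), here is what the secondary check on the downstream side can look like when the downstream app is a Lambda proxy integration: API Gateway has already verified the SigV4 signature and the resource policy, and the handler reads `requestContext.identity.userArn` from the proxy event, parses the assumed-role ARN that STS produces for a role session, and applies an application-level allow-list keyed by role name. The allow-list `ALLOWED_ROLE_ACTIONS`, the `action` query parameter and the sample event are all constructed for this example and are not from the page.

```python
"""Added example: read the caller's IAM role from the API Gateway request
context and run an application-level authorization check on it.

Assumptions (not from the original post): a REST API Lambda proxy
integration, a hypothetical allow-list ALLOWED_ROLE_ACTIONS owned by the
downstream app, and a constructed sample event for offline testing."""
import json
import re

# When a request is SigV4-signed with role credentials, API Gateway exposes
# the STS assumed-role ARN in $context.identity.userArn. Its shape is:
#   arn:aws:sts::<account-id>:assumed-role/<role-name>/<session-name>
ASSUMED_ROLE_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>.+)$"
)

# Hypothetical application-level policy: role name -> permitted operations.
# This is the "what role-a can do" logic that lives downstream, not in IAM.
ALLOWED_ROLE_ACTIONS = {
    "role-a": {"read-orders"},
    "role-b": {"read-orders", "cancel-order"},
}


def caller_role_from_context(request_context):
    """Return (account_id, role_name) parsed from identity.userArn, or None
    when the caller did not authenticate with an assumed-role session
    (for example an IAM user ARN, or no IAM identity at all)."""
    identity = request_context.get("identity") or {}
    user_arn = identity.get("userArn") or ""
    match = ASSUMED_ROLE_RE.match(user_arn)
    if match is None:
        return None
    return match.group("account"), match.group("role")


def authorize(role_name, action):
    """Application-level check: is this role allowed to perform this action?"""
    return action in ALLOWED_ROLE_ACTIONS.get(role_name, set())


def handler(event, context=None):
    """Lambda proxy handler. API Gateway has already enforced the resource
    policy; this is the secondary, end-to-end check the question asks for."""
    parsed = caller_role_from_context(event.get("requestContext") or {})
    if parsed is None:
        # Fail closed: without an assumed-role identity we cannot attribute
        # the request to a role, so the application check cannot pass.
        return {"statusCode": 403,
                "body": json.dumps({"error": "no assumed-role identity"})}
    account_id, role_name = parsed
    action = (event.get("queryStringParameters") or {}).get("action", "")
    if not authorize(role_name, action):
        return {"statusCode": 403,
                "body": json.dumps({"error": "role not permitted",
                                    "role": role_name, "action": action})}
    return {"statusCode": 200,
            "body": json.dumps({"role": role_name, "account": account_id,
                                "action": action})}


# Constructed sample event (trimmed to the fields this example reads).
# The ARN, account id and session name are made-up values.
SAMPLE_EVENT = {
    "httpMethod": "GET",
    "path": "/orders",
    "queryStringParameters": {"action": "read-orders"},
    "requestContext": {
        "identity": {
            "userArn": "arn:aws:sts::123456789012:assumed-role/role-a/server-a-session",
            "user": "AROAEXAMPLEID:server-a-session",
        }
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

For a non-proxy integration the same value can be mapped onto the integration request instead, for example by mapping a request header such as `integration.request.header.X-Caller-Arn` to `context.identity.userArn`, and the downstream service then parses that header with the same logic. In that setup the downstream service must only trust the header on connections that genuinely come from API Gateway (a private integration or mutual TLS, and stripping any client-supplied copy of the header), since a caller who can reach the service directly could otherwise set it themselves.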
