How to restrict data requested/returned from API Gateway/Lambda

Hi, I'm building an API that returns order details, which are json files stored in S3. The API will be used my multiple customers but each customer should only get access to orders created on their customer id(s).

What is the best architecture to acheive this?

Now API Gateway calls invokes a Lambda that fetches the order file from S3, without any added restrictions. Can the user somehow have an array of customer id's to check against?

I assume I also would need some kind of index on S3 if one customer would like all their orders. I cannot fetch all files from S3 and then start filtering in Lambda...

Topics

Serverless Compute Front-End Web & Mobile Networking & Content Delivery

Tags

AWS Lambda Amazon API Gateway

Language

English

perage

asked 7 months ago167 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

If you want to use S3, I think you can store orders that belong to a customer in a folder based on customer ID. e.g.,

your-bucket/
  customer1/
    order1.json
    order2.json
  customer2/
    order3.json

and run ListBucket('your-bucket', 'customer1') to get all orders for a specific customer.

However, if possible, I would prefer store order data in NoSQL database (e.g., DynamoDB) with the customer ID set as a primary key.

answered 7 months ago

perage
7 months ago
Thanks - that's a good idea. However - how do I link the caller with the customer Id's?

7 months ago

Generally, a customer ID should be able to retrieved from its authentication token. For example, if you use Congito User Pool as an user authentication service, you should decode the request sender's ID token which can be retrieved from Lambda input context.identity.cognitoIdentityId. The decoded ID token should look like this:

{
  "sub": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "cognito:groups": ["my-test-group"],
  "email_verified": true,
  "cognito:preferred_role": "arn:aws:iam::111122223333:role/my-test-role",
  "iss": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_example",
  "cognito:username": "my-test-user",
  "middle_name": "Jane",
  "nonce": "abcdefg",
  "origin_jti": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "cognito:roles": ["arn:aws:iam::111122223333:role/my-test-role"],
  "aud": "xxxxxxxxxxxxexample",
  "event_id": "64f513be-32db-42b0-b78e-b02127b4f463",
  "token_use": "id",
  "auth_time": 1676312777,
  "exp": 1676316377,
  "iat": 1676312777,
  "jti": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "email": "my-test-user@example.com",
  "custom:customer_id": "customer1"
}

Then you can decide that the authenticated request sender has the customer ID customer1.

Relevant content

Return a custom header from lambda authorizer in API-gateway (HTTP api)
Tom
asked 2 years ago
Return proper JSON validation errors from API Gateway Response
Accepted Answer
adear11
asked 2 years ago
Read data from S3 Data Lake & enrich the data through API
Sharad Agarwal
asked 7 months ago
API Gateway/Cloudfront redirects folder access from express app which will return the index.html
Accepted Answer
neonguru
asked 2 years ago
Why was the wrong certificate returned when invoking my API Gateway custom domain name?
AWS OFFICIALUpdated a year ago
How do I authorize access to API Gateway APIs using custom scopes in Amazon Cognito?
AWS OFFICIALUpdated a year ago
Why isn't my CloudWatch GetMetricStatistics API call returning data points?
AWS OFFICIALUpdated a year ago
How do I set up an API Gateway API to handle binary data using a Lambda proxy integration?
AWS OFFICIALUpdated 3 years ago
Private, cross-account GraphQL APIs with AppSync Merged APIs
EXPERT
Antonio_Lagrotteria
published a year ago
Using Code Capture to decipher VMware vCenter APIs
EXPERT
Patrick Kremer
published a year ago