Authorizer

Manages an Amazon API Gateway Version 2 authorizer. More information can be found in the Amazon API Gateway Developer Guide.

Example Usage

Basic WebSocket API

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var example = new Aws.ApiGatewayV2.Authorizer("example", new Aws.ApiGatewayV2.AuthorizerArgs
        {
            ApiId = aws_apigatewayv2_api.Example.Id,
            AuthorizerType = "REQUEST",
            AuthorizerUri = aws_lambda_function.Example.Invoke_arn,
            IdentitySources = 
            {
                "route.request.header.Auth",
            },
        });
    }

}

package main

import (
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/apigatewayv2"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := apigatewayv2.NewAuthorizer(ctx, "example", &apigatewayv2.AuthorizerArgs{
            ApiId:          pulumi.String(aws_apigatewayv2_api.Example.Id),
            AuthorizerType: pulumi.String("REQUEST"),
            AuthorizerUri:  pulumi.String(aws_lambda_function.Example.Invoke_arn),
            IdentitySources: pulumi.StringArray{
                pulumi.String("route.request.header.Auth"),
            },
        })
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws

example = aws.apigatewayv2.Authorizer("example",
    api_id=aws_apigatewayv2_api["example"]["id"],
    authorizer_type="REQUEST",
    authorizer_uri=aws_lambda_function["example"]["invoke_arn"],
    identity_sources=["route.request.header.Auth"])

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.apigatewayv2.Authorizer("example", {
    apiId: aws_apigatewayv2_api_example.id,
    authorizerType: "REQUEST",
    authorizerUri: aws_lambda_function_example.invokeArn,
    identitySources: ["route.request.header.Auth"],
});

Basic HTTP API

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var example = new Aws.ApiGatewayV2.Authorizer("example", new Aws.ApiGatewayV2.AuthorizerArgs
        {
            ApiId = aws_apigatewayv2_api.Example.Id,
            AuthorizerType = "JWT",
            IdentitySources = 
            {
                "$request.header.Authorization",
            },
            JwtConfiguration = new Aws.ApiGatewayV2.Inputs.AuthorizerJwtConfigurationArgs
            {
                Audiences = 
                {
                    "example",
                },
                Issuer = $"https://{aws_cognito_user_pool.Example.Endpoint}",
            },
        });
    }

}

package main

import (
    "fmt"

    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/apigatewayv2"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := apigatewayv2.NewAuthorizer(ctx, "example", &apigatewayv2.AuthorizerArgs{
            ApiId:          pulumi.String(aws_apigatewayv2_api.Example.Id),
            AuthorizerType: pulumi.String("JWT"),
            IdentitySources: pulumi.StringArray{
                pulumi.String(fmt.Sprintf("%v%v", "$", "request.header.Authorization")),
            },
            JwtConfiguration: &apigatewayv2.AuthorizerJwtConfigurationArgs{
                Audiences: pulumi.StringArray{
                    pulumi.String("example"),
                },
                Issuer: pulumi.String(fmt.Sprintf("%v%v", "https://", aws_cognito_user_pool.Example.Endpoint)),
            },
        })
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws

example = aws.apigatewayv2.Authorizer("example",
    api_id=aws_apigatewayv2_api["example"]["id"],
    authorizer_type="JWT",
    identity_sources=["$request.header.Authorization"],
    jwt_configuration={
        "audiences": ["example"],
        "issuer": f"https://{aws_cognito_user_pool['example']['endpoint']}",
    })

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.apigatewayv2.Authorizer("example", {
    apiId: aws_apigatewayv2_api_example.id,
    authorizerType: "JWT",
    identitySources: ["$request.header.Authorization"],
    jwtConfiguration: {
        audiences: ["example"],
        issuer: pulumi.interpolate`https://${aws_cognito_user_pool_example.endpoint}`,
    },
});

Create a Authorizer Resource

new Authorizer(name: string, args: AuthorizerArgs, opts?: CustomResourceOptions);

def Authorizer(resource_name, opts=None, api_id=None, authorizer_credentials_arn=None, authorizer_type=None, authorizer_uri=None, identity_sources=None, jwt_configuration=None, name=None, __props__=None);

func NewAuthorizer(ctx *Context, name string, args AuthorizerArgs, opts ...ResourceOption) (*Authorizer, error)

public Authorizer(string name, AuthorizerArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args AuthorizerArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AuthorizerArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AuthorizerArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

Authorizer Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The Authorizer resource accepts the following input properties:

ApiId string: The API identifier.
AuthorizerType string: The authorizer type. Valid values: JWT, REQUEST. For WebSocket APIs, specify REQUEST for a Lambda function using incoming request parameters. For HTTP APIs, specify JWT to use JSON Web Tokens.
IdentitySources List<string>: The identity sources for which authorization is requested. For REQUEST authorizers the value is a list of one or more mapping expressions of the specified request parameters. For JWT authorizers the single entry specifies where to extract the JSON Web Token (JWT) from inbound requests.
AuthorizerCredentialsArn string: The required credentials as an IAM role for API Gateway to invoke the authorizer. Supported only for REQUEST authorizers.
AuthorizerUri string: The authorizer’s Uniform Resource Identifier (URI). For REQUEST authorizers this must be a well-formed Lambda function URI, such as the invoke_arn attribute of the aws.lambda.Function resource. Supported only for REQUEST authorizers.
JwtConfiguration AuthorizerJwtConfigurationArgs: The configuration of a JWT authorizer. Required for the JWT authorizer type. Supported only for HTTP APIs.
Name string: The name of the authorizer.

ApiId string: The API identifier.
AuthorizerType string: The authorizer type. Valid values: JWT, REQUEST. For WebSocket APIs, specify REQUEST for a Lambda function using incoming request parameters. For HTTP APIs, specify JWT to use JSON Web Tokens.
IdentitySources []string: The identity sources for which authorization is requested. For REQUEST authorizers the value is a list of one or more mapping expressions of the specified request parameters. For JWT authorizers the single entry specifies where to extract the JSON Web Token (JWT) from inbound requests.
AuthorizerCredentialsArn string: The required credentials as an IAM role for API Gateway to invoke the authorizer. Supported only for REQUEST authorizers.
AuthorizerUri string: The authorizer’s Uniform Resource Identifier (URI). For REQUEST authorizers this must be a well-formed Lambda function URI, such as the invoke_arn attribute of the aws.lambda.Function resource. Supported only for REQUEST authorizers.
JwtConfiguration AuthorizerJwtConfiguration: The configuration of a JWT authorizer. Required for the JWT authorizer type. Supported only for HTTP APIs.
Name string: The name of the authorizer.

apiId string: The API identifier.
authorizerType string: The authorizer type. Valid values: JWT, REQUEST. For WebSocket APIs, specify REQUEST for a Lambda function using incoming request parameters. For HTTP APIs, specify JWT to use JSON Web Tokens.
identitySources string[]: The identity sources for which authorization is requested. For REQUEST authorizers the value is a list of one or more mapping expressions of the specified request parameters. For JWT authorizers the single entry specifies where to extract the JSON Web Token (JWT) from inbound requests.
authorizerCredentialsArn string: The required credentials as an IAM role for API Gateway to invoke the authorizer. Supported only for REQUEST authorizers.
authorizerUri string: The authorizer’s Uniform Resource Identifier (URI). For REQUEST authorizers this must be a well-formed Lambda function URI, such as the invoke_arn attribute of the aws.lambda.Function resource. Supported only for REQUEST authorizers.
jwtConfiguration AuthorizerJwtConfiguration: The configuration of a JWT authorizer. Required for the JWT authorizer type. Supported only for HTTP APIs.
name string: The name of the authorizer.

api_id str: The API identifier.
authorizer_type str: The authorizer type. Valid values: JWT, REQUEST. For WebSocket APIs, specify REQUEST for a Lambda function using incoming request parameters. For HTTP APIs, specify JWT to use JSON Web Tokens.
identity_sources List[str]: The identity sources for which authorization is requested. For REQUEST authorizers the value is a list of one or more mapping expressions of the specified request parameters. For JWT authorizers the single entry specifies where to extract the JSON Web Token (JWT) from inbound requests.
authorizer_credentials_arn str: The required credentials as an IAM role for API Gateway to invoke the authorizer. Supported only for REQUEST authorizers.
authorizer_uri str: The authorizer’s Uniform Resource Identifier (URI). For REQUEST authorizers this must be a well-formed Lambda function URI, such as the invoke_arn attribute of the aws.lambda.Function resource. Supported only for REQUEST authorizers.
jwt_configuration Dict[AuthorizerJwtConfiguration]: The configuration of a JWT authorizer. Required for the JWT authorizer type. Supported only for HTTP APIs.
name str: The name of the authorizer.

Outputs

All input properties are implicitly available as output properties. Additionally, the Authorizer resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

Look up an Existing Authorizer Resource

Get an existing Authorizer resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AuthorizerState, opts?: CustomResourceOptions): Authorizer

static get(resource_name, id, opts=None, api_id=None, authorizer_credentials_arn=None, authorizer_type=None, authorizer_uri=None, identity_sources=None, jwt_configuration=None, name=None, __props__=None);

func GetAuthorizer(ctx *Context, name string, id IDInput, state *AuthorizerState, opts ...ResourceOption) (*Authorizer, error)

public static Authorizer Get(string name, Input<string> id, AuthorizerState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

ApiId string: The API identifier.
AuthorizerCredentialsArn string: The required credentials as an IAM role for API Gateway to invoke the authorizer. Supported only for REQUEST authorizers.
AuthorizerType string: The authorizer type. Valid values: JWT, REQUEST. For WebSocket APIs, specify REQUEST for a Lambda function using incoming request parameters. For HTTP APIs, specify JWT to use JSON Web Tokens.
AuthorizerUri string: The authorizer’s Uniform Resource Identifier (URI). For REQUEST authorizers this must be a well-formed Lambda function URI, such as the invoke_arn attribute of the aws.lambda.Function resource. Supported only for REQUEST authorizers.
IdentitySources List<string>: The identity sources for which authorization is requested. For REQUEST authorizers the value is a list of one or more mapping expressions of the specified request parameters. For JWT authorizers the single entry specifies where to extract the JSON Web Token (JWT) from inbound requests.
JwtConfiguration AuthorizerJwtConfigurationArgs: The configuration of a JWT authorizer. Required for the JWT authorizer type. Supported only for HTTP APIs.
Name string: The name of the authorizer.

ApiId string: The API identifier.
AuthorizerCredentialsArn string: The required credentials as an IAM role for API Gateway to invoke the authorizer. Supported only for REQUEST authorizers.
AuthorizerType string: The authorizer type. Valid values: JWT, REQUEST. For WebSocket APIs, specify REQUEST for a Lambda function using incoming request parameters. For HTTP APIs, specify JWT to use JSON Web Tokens.
AuthorizerUri string: The authorizer’s Uniform Resource Identifier (URI). For REQUEST authorizers this must be a well-formed Lambda function URI, such as the invoke_arn attribute of the aws.lambda.Function resource. Supported only for REQUEST authorizers.
IdentitySources []string: The identity sources for which authorization is requested. For REQUEST authorizers the value is a list of one or more mapping expressions of the specified request parameters. For JWT authorizers the single entry specifies where to extract the JSON Web Token (JWT) from inbound requests.
JwtConfiguration AuthorizerJwtConfiguration: The configuration of a JWT authorizer. Required for the JWT authorizer type. Supported only for HTTP APIs.
Name string: The name of the authorizer.

apiId string: The API identifier.
authorizerCredentialsArn string: The required credentials as an IAM role for API Gateway to invoke the authorizer. Supported only for REQUEST authorizers.
authorizerType string: The authorizer type. Valid values: JWT, REQUEST. For WebSocket APIs, specify REQUEST for a Lambda function using incoming request parameters. For HTTP APIs, specify JWT to use JSON Web Tokens.
authorizerUri string: The authorizer’s Uniform Resource Identifier (URI). For REQUEST authorizers this must be a well-formed Lambda function URI, such as the invoke_arn attribute of the aws.lambda.Function resource. Supported only for REQUEST authorizers.
identitySources string[]: The identity sources for which authorization is requested. For REQUEST authorizers the value is a list of one or more mapping expressions of the specified request parameters. For JWT authorizers the single entry specifies where to extract the JSON Web Token (JWT) from inbound requests.
jwtConfiguration AuthorizerJwtConfiguration: The configuration of a JWT authorizer. Required for the JWT authorizer type. Supported only for HTTP APIs.
name string: The name of the authorizer.

api_id str: The API identifier.
authorizer_credentials_arn str: The required credentials as an IAM role for API Gateway to invoke the authorizer. Supported only for REQUEST authorizers.
authorizer_type str: The authorizer type. Valid values: JWT, REQUEST. For WebSocket APIs, specify REQUEST for a Lambda function using incoming request parameters. For HTTP APIs, specify JWT to use JSON Web Tokens.
authorizer_uri str: The authorizer’s Uniform Resource Identifier (URI). For REQUEST authorizers this must be a well-formed Lambda function URI, such as the invoke_arn attribute of the aws.lambda.Function resource. Supported only for REQUEST authorizers.
identity_sources List[str]: The identity sources for which authorization is requested. For REQUEST authorizers the value is a list of one or more mapping expressions of the specified request parameters. For JWT authorizers the single entry specifies where to extract the JSON Web Token (JWT) from inbound requests.
jwt_configuration Dict[AuthorizerJwtConfiguration]: The configuration of a JWT authorizer. Required for the JWT authorizer type. Supported only for HTTP APIs.
name str: The name of the authorizer.

Supporting Types

AuthorizerJwtConfiguration

See the input and output API doc for this type.

Audiences List<string>: A list of the intended recipients of the JWT. A valid JWT must provide an aud that matches at least one entry in this list.
Issuer string: The base domain of the identity provider that issues JSON Web Tokens, such as the endpoint attribute of the aws.cognito.UserPool resource.

Audiences []string: A list of the intended recipients of the JWT. A valid JWT must provide an aud that matches at least one entry in this list.
Issuer string: The base domain of the identity provider that issues JSON Web Tokens, such as the endpoint attribute of the aws.cognito.UserPool resource.

audiences string[]: A list of the intended recipients of the JWT. A valid JWT must provide an aud that matches at least one entry in this list.
issuer string: The base domain of the identity provider that issues JSON Web Tokens, such as the endpoint attribute of the aws.cognito.UserPool resource.

audiences List[str]: A list of the intended recipients of the JWT. A valid JWT must provide an aud that matches at least one entry in this list.
issuer str: The base domain of the identity provider that issues JSON Web Tokens, such as the endpoint attribute of the aws.cognito.UserPool resource.

Package Details

Repository: https://github.com/pulumi/pulumi-aws
License: Apache-2.0
Notes: This Pulumi package is based on the aws Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud