feat(apigatewayv2): add role support for lambda authorizers

Author: eliasbrange

packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2-authorizers/test/http/integ.lambda.js.snapshot/AuthorizerInteg.template.json

@@ -53,6 +53,23 @@
     "authfunctionServiceRoleFCB72198"
    ]
   },
+  "AuthRole900B840B": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "apigateway.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
   "MyHttpApi8AEAAC21": {
    "Type": "AWS::ApiGatewayV2::Api",
    "Properties": {
@@ -153,6 +170,12 @@
     "ApiId": {
      "Ref": "MyHttpApi8AEAAC21"
     },
+    "AuthorizerCredentialsArn": {
+     "Fn::GetAtt": [
+      "AuthRole900B840B",
+      "Arn"
+     ]
+    },
     "AuthorizerPayloadFormatVersion": "2.0",
     "AuthorizerResultTtlInSeconds": 300,
     "AuthorizerType": "REQUEST",

packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2-authorizers/test/http/integ.lambda.ts

@@ -4,6 +4,7 @@ import { HttpLambdaIntegration } from 'aws-cdk-lib/aws-apigatewayv2-integrations
 import * as lambda from 'aws-cdk-lib/aws-lambda';
 import { App, Stack, CfnOutput } from 'aws-cdk-lib';
 import { HttpLambdaAuthorizer, HttpLambdaResponseType } from 'aws-cdk-lib/aws-apigatewayv2-authorizers';
+import { Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
 
 /*
  * Stack verification steps:
@@ -25,10 +26,15 @@ const authHandler = new lambda.Function(stack, 'auth-function', {
   code: lambda.Code.fromAsset(path.join(__dirname, '..', 'auth-handler'), { exclude: ['*.ts'] }),
 });
 
+const authRole = new Role(stack, 'AuthRole', {
+  assumedBy: new ServicePrincipal('apigateway.amazonaws.com'),
+});
+
 const authorizer = new HttpLambdaAuthorizer('LambdaAuthorizer', authHandler, {
   authorizerName: 'my-simple-authorizer',
   identitySource: ['$request.header.X-API-Key'],
   responseTypes: [HttpLambdaResponseType.SIMPLE],
+  role: authRole,
 });
 
 const defaultAuthorizer = new HttpLambdaAuthorizer('LambdaDefaultAuthorizer', authHandler, {

packages/aws-cdk-lib/aws-apigatewayv2-authorizers/README.md

@@ -167,6 +167,7 @@ Lambda authorizers use a Lambda function to control access to your HTTP API. Whe
 
 Lambda authorizers depending on their response, fall into either two types - Simple or IAM. You can learn about differences [here](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html#http-api-lambda-authorizer.payload-format-response).
 
+If the Lambda function is in another account, you need to provide an IAM role to the authorizer that has permission to invoke the Lambda function.
 
 ```ts
 import { HttpLambdaAuthorizer, HttpLambdaResponseType } from 'aws-cdk-lib/aws-apigatewayv2-authorizers';

packages/aws-cdk-lib/aws-apigatewayv2-authorizers/lib/http/lambda.ts

@@ -7,7 +7,7 @@ import {
   AuthorizerPayloadVersion,
   IHttpApi,
 } from '../../../aws-apigatewayv2';
-import { ServicePrincipal } from '../../../aws-iam';
+import { ServicePrincipal, IRole } from '../../../aws-iam';
 import { IFunction } from '../../../aws-lambda';
 import { Stack, Duration, Names } from '../../../core';
 import { UnscopedValidationError, ValidationError } from '../../../core/lib/errors';
@@ -60,6 +60,15 @@ export interface HttpLambdaAuthorizerProps {
    * @default [HttpLambdaResponseType.IAM]
    */
   readonly responseTypes?: HttpLambdaResponseType[];
+
+  /**
+   * The IAM role that the API Gateway service assumes while invoking the authorizer.
+   *
+   * Supported only for REQUEST authorizers.
+   *
+   * @default - No role
+   */
+  readonly role?: IRole;
 }
 
 /**
@@ -119,6 +128,7 @@ export class HttpLambdaAuthorizer implements IHttpRouteAuthorizer {
         payloadFormatVersion: enableSimpleResponses ? AuthorizerPayloadVersion.VERSION_2_0 : AuthorizerPayloadVersion.VERSION_1_0,
         authorizerUri: lambdaAuthorizerArn(this.handler),
         resultsCacheTtl: this.props.resultsCacheTtl ?? Duration.minutes(5),
+        role: this.props.role,
       });
 
       this.handler.addPermission(`${Names.nodeUniqueId(this.authorizer.node)}-Permission`, {

packages/aws-cdk-lib/aws-apigatewayv2-authorizers/test/http/lambda.test.ts

@@ -3,6 +3,7 @@ import { DummyRouteIntegration } from './integration';
 import { Duration, Stack } from '../../..';
 import { Match, Template } from '../../../assertions';
 import { HttpApi } from '../../../aws-apigatewayv2';
+import { Role, ServicePrincipal } from '../../../aws-iam';
 import { Code, Function } from '../../../aws-lambda';
 import * as lambda from '../../../aws-lambda';
 
@@ -36,6 +37,7 @@ describe('HttpLambdaAuthorizer', () => {
       IdentitySource: [
         '$request.header.Authorization',
       ],
+      AuthorizerCredentialsArn: Match.absent(),
     });
 
     Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::Route', {
@@ -200,4 +202,41 @@ describe('HttpLambdaAuthorizer', () => {
     // THEN
     expect(t).toThrow(Error);
   });
+
+  test('should use role when role is provided', () => {
+    // GIVEN
+    const stack = new Stack();
+    const api = new HttpApi(stack, 'HttpApi');
+    const role = new Role(stack, 'Role', { assumedBy: new ServicePrincipal('apigateway.amazonaws.com') });
+
+    const handler = new Function(stack, 'auth-function', {
+      runtime: lambda.Runtime.NODEJS_LATEST,
+      code: Code.fromInline('exports.handler = () => {return true}'),
+      handler: 'index.handler',
+    });
+
+    const authorizer = new HttpLambdaAuthorizer('BooksAuthorizer', handler, {
+      responseTypes: [HttpLambdaResponseType.SIMPLE],
+      role,
+    });
+
+    // WHEN
+    api.addRoutes({
+      integration: new DummyRouteIntegration(),
+      path: '/books',
+      authorizer,
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::Authorizer', {
+      AuthorizerPayloadFormatVersion: '2.0',
+      EnableSimpleResponses: true,
+      AuthorizerCredentialsArn: {
+        'Fn::GetAtt': [
+          'Role1ABCC5F0',
+          'Arn',
+        ],
+      },
+    });
+  });
 });

packages/aws-cdk-lib/aws-apigatewayv2/lib/http/authorizer.ts

@@ -2,6 +2,7 @@ import { Construct } from 'constructs';
 import { IHttpApi } from './api';
 import { IHttpRoute } from './route';
 import { CfnAuthorizer } from '.././index';
+import { IRole } from '../../../aws-iam';
 import { Duration, Resource } from '../../../core';
 import { ValidationError } from '../../../core/lib/errors';
 import { addConstructMetadata } from '../../../core/lib/metadata-resource';
@@ -104,6 +105,15 @@ export interface HttpAuthorizerProps {
    * @default - API Gateway will not cache authorizer responses
    */
   readonly resultsCacheTtl?: Duration;
+
+  /**
+   * The IAM role that the API Gateway service assumes while invoking the authorizer.
+   *
+   * Supported only for REQUEST authorizers.
+   *
+   * @default - No role
+   */
+  readonly role?: IRole;
 }
 
 /**
@@ -178,6 +188,10 @@ export class HttpAuthorizer extends Resource implements IHttpAuthorizer {
       throw new ValidationError('authorizerUri is mandatory for Lambda authorizers', scope);
     }
 
+    if (props.type !== HttpAuthorizerType.LAMBDA && props.role) {
+      throw new ValidationError('role is supported only for Lambda authorizers', scope);
+    }
+
     /**
      * This check is required because Cloudformation will fail stack creation if this property
      * is set for the JWT authorizer. AuthorizerPayloadFormatVersion can only be set for REQUEST authorizer
@@ -199,6 +213,7 @@ export class HttpAuthorizer extends Resource implements IHttpAuthorizer {
       authorizerPayloadFormatVersion,
       authorizerUri: props.authorizerUri,
       authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds(),
+      authorizerCredentialsArn: props.role?.roleArn,
     });
 
     this.authorizerId = resource.ref;