AWS API Gateway: How to pass IAM identity to Lambda function?

aws-lambda aws-api-gateway amazon-iam
13,242

Support for accessing identity and other information from the Amazon API Gateway request context hadn't been available when you posted the question, but recently been added, see Announcement: Context Variables:

You can now access context variables from within mapping templates to retrieve contextual information about the API call. You can access data such as stage, resource path, and HTTP method, as well as information about the identity of the caller. This information can then be passed along to your backend integration using the $context variable. [emphasis mine]

The referenced documentation on Accessing the $context Variable features a $context Variable Reference and there are various $context.identity.* parameters that should address your use case.

Cognito Identity

As outlined in Soenke's answer to the OPs similar question in the Amazon API Gateway forum, there is an as of yet undocumented integration parameter that results in the Cognito identifier being included in this $context.identity.* context variables:

in order to have the Cognito (not IAM!) IdentityId and IdentityPoolId available in Lambda, you have to enable "Invoke with caller credentials" on the API Gateway "Integration Request" page of the API GW Resource. This results in a new context struct "identity" (containing "cognitoIdentityId" and "cognitoIdentityPoolId" being passed to the Lambda function).

Share:
13,242

Related videos on Youtube

AlexeyVMP
Author by

AlexeyVMP

Updated on June 04, 2022

Comments

  • AlexeyVMP
    AlexeyVMP almost 2 years

    I've successfully configured IAM-authenticated access to my Lambda function with AWS API Gateway front-end, but unable to find how to pass IAM user identity to my Lambda function.

    I need exactly IAM user identity and can not run Lambda function under calling IAM-user credentials. All I need - is to get calling IAM-user identity in my Lambda function.

    Is there option for that?

  • AlexeyVMP
    AlexeyVMP over 8 years
    None of the new variables provides Cognito user identifier
  • Steffen Opel
    Steffen Opel over 8 years
    @AlexeyVMP - sorry, but your question did not mention that you are looking for the the Cognito user identifier, you only asked how to pass IAM user identity. That being said, I have now added Soenke's resp. answer to your similar API Gateway forum post, which you already dismissed in the subsequent post as non applicable though - I'm not quite sure I can follow what you are after there, either way I'm not aware of any other method to get the Cognito identifier handed over to you directly, and how to retrieve it yourself has already been answered by napalm's comment.
  • Erik Sjölund
    Erik Sjölund about 8 years
    When I have "Invoke with caller credentials" unchecked, I am able to see the CognitoIdentityId inside the lambda function. To be able to do that I create an application/json mapping template: { "context.identity.cognitoIdentityId" : "$context.identity.cognitoIdentityId"} in the Integration Request section. After doing "Deploy API" I need to wait some extra seconds before trying to access my website. There is a few seconds delay before the "Deploy API" takes effect.
  • johnny
    johnny about 8 years
    Can we publish sns or send message to SQS from Lambda using the caller identity that came through Api gate way? In our case we receive a message and an array of queues in our lambda we will direct the message to the all queues, before sending message we would like to check if the gateway Api caller has access to the queues he just passed.
  • Balmipour
    Balmipour almost 8 years
    Trying to log my user IAM id here (so as to bill api calls for an SAAS service.). The best I managed to do for the moment is to rework the request body in the integration request, add a mapping template for the body, generate a basic "passthrough" code, and add a value "MyUserArn" : "$context.identity.userArn" in it. This fills the body with a large mess, and needs to enable full logging of my requests, for the simple purpose of identifying the caller account. Isn't there a better way ? At least, I'd like to just add my variable in a header, or QSParam. (I use a beanstalk, not lambda)
  • russau
    russau almost 8 years
    Getting account-id from the integration parameter seems of limited use at the moment - as API gateway doesn't support cross-account authentication. docs.aws.amazon.com/apigateway/latest/developerguide/…

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Invoke an AWS lambda across regions
Invoking AWS Step function from Lambda in python
Increase maximum POST size for Amazon API Gateway
AWS Lambda Function is misinterpreting event dictionary in python?
API Gateway Static IP Address
How to correctly call queryStringParameters for AWS Lambda + API Gateway?
How to get validate Cognito Access Token in AWS Lambda to allow Gateway API call?
API Gateway + Lambda download CSV file
Lambda return only 200 respose code
How do I return errors on an AWS Lambda function written in Node.js through the AWS API Gateway using the Serverless framework?