Kit Wai Chan - Fotolia


Amazon API Gateway authentication allows for customization

By introducing custom authentication for the Amazon API Gateway, AWS gave developers some unique options, and AWS Lambda sweetens the pot with VPC access.

Updated custom Amazon API Gateway authentication makes it easy to create specific APIs with microservices -- all authenticated under a single basic system.

Combined with AWS Lambda access for Virtual Private Cloud, custom authentication gives developers some unique options.

Let's dive into how to set up AWS API Gateway authentication.

The first step is to create a login handler, which connects to a private Memcached server cluster. Memcached is an open source, in-memory, object caching engine on which certain AWS products rely.

The system can enable faster caching than traditional disk-based methods.

To create the handler, you must first create an Amazon IAM role with a managed policy called "AWSLambdaVPCAccessExecutionRole." Be sure to create an AWS Lambda security group and grant access to the Memcached servers for that security group.

Then create at least two new subnets for the Lambda functions to use, and make sure they're behind a Network Address Translation.

Once that is set up, it's time to create the Lambda function and connect it to a login route. That step would look like this:

function loginHandler(event, context){

checkUserCredentials(event, function(user){


memcached.set(event.sessionId + ‘.user',

JSON.stringify(user), sessionTimeoutLength,


context.done(null, user);



} else {‘Unauthorized');




Next, hook up the POST or login resource to the login handler. In the Amazon API Gateway console, create a login resource and add a POST method.

Amazon API Gateway console
Caption: Figure 1. Users choose an integration type within the Amazon API Gateway console.

Create the Lambda authorization function

The next step is to create a Lambda function that responds to authorization requests from the API Gateway. Any method will work, as long as it relies on a single HTTP header coming in from the user. This acts as the authorization functionality, which means a separate function may need to be set up to handle the API Gateway authentication, such as taking a username/password combination and converting that into a token to use for authorization.

When an end user hits this custom authorizer, the Lambda function can connect to Memcached and determine if the session has a user associated with it. If so, the Lambda function will return the user ID in the API Gateway response. The function will look like this:

function memcachedHandler(event, context){

var cookies = parseCookies(event.authorizationToken);

memcached.get(cookies.sessionID + ‘.user', function(err, user){


user = JSON.parse(user);

// Return a successful Policy Document

var policyDocument = {};

policyDocument.Version = '2012-10-17'; // default version

policyDocument.Statement = [];

var statementOne = {};

statementOne.Action = 'execute-api:Invoke'; // default action

statementOne.Effect = ‘Allow';

statementOne.Resource = event.methodArn;

policyDocument.Statement[0] = statementOne;

authResponse.policyDocument = policyDocument;




policyDocument: policyDocument,


} else {‘No Session Found');




Set up the custom API Gateway authorization connection

Next, we must configure the connection to the AWS Lambda function in API Gateway. Under "Resources" choose "Custom Authorizers," then fill out the details to create a new custom authorizer.

Amazon API Gateway console
Caption: Figure 2. An AWS user can establish the connection to the Lambda function using the resources tab.

This will allow the API Gateway to use a session token to fetch information about the logged-in user; it will verify the user has permission to access the API. The Lambda function could also check permissions of that user to make ensure he is allowed to access the API specified by "event.methodArn."

The authorizer code allows the user to specify a time for which the authentication is valid -- setting this to zero means "do not cache."

Create serverless sessions using JWT

IT teams might want to avoid Memcached entirely if they want to handle high volumes of traffic without having to worry about scaling servers. An alternative solution is to use JSON Web Tokens (JWT), which allow services to store all required user data on the user's browser. JWT creates a signature to ensure updates only come from trusted sources, which prevents users from manipulating that data.

I've created a basic Lambda-JWT authorizer. Setup is simple -- as long as Node is installed -- just like with any other Node.js-backed application. From there, run this function:

npm install && grunt deploy —account-id=<your AWS Account ID>

This should provide you with a Lambda function that can act as a JWT authorizer.

Choosing an AWS authentication method

VPC support in Lambda means developers can access traditional resources; however, that may not always be the best method. Memcached may be familiar for developers, but modern methods, such as JWT or other stateless authentication mechanisms, might be better options. Whichever method is preferred, Lambda with VPC access will support it.

Next Steps

APIs fit into microservices designs

Amazon API Gateway competes against third-party market

Protect serverless apps with AWS authentication

Dig Deeper on AWS security