# Secure Authorizer for Amazon API Gateway
This is a Lambda authorizer for [Amazon API Gateway](https://aws.amazon.com/api-gateway/) that provides secure API key validation using [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/). This authorizer is compatible with [key rotation](https://github.com/efficient-solutions/amazon-cloudfront-api-key-rotator) through AWS Secrets Manager versioning, implements constant-time comparison to prevent timing attacks, and includes comprehensive logging for security monitoring.
## Features
- **AWS Secrets Manager Integration**: Securely retrieves API keys using AWS Secrets Manager
- **Key Rotation Compatibility**: Validates requests against both current and pending secret versions
- **Timing Attack Prevention**: Uses constant-time comparison for secure string matching
- **Comprehensive Logging**: Detailed logging for security monitoring and troubleshooting
## Installation
```bash
pip install amazon-api-gateway-secure-authorizer
```
## Configuration
### Environment Variables
- `SECRET_NAME`: The name or ARN of the secret in AWS Secrets Manager
- `SECRET_KEY_NAME`: The key name within the secret's JSON structure that contains the API key
- `HEADER_NAME`: (Optional) The name of the header containing the API key (default: "x-origin-verify")
### AWS Secrets Manager Setup
1. Create a new secret in AWS Secrets Manager with the following JSON structure:
```json
{
"your_key_name": "your-api-key-value"
}
```
2. Ensure your Lambda function has the following IAM permissions:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": "arn:aws:secretsmanager:region:account-id:secret:secret-name"
}
]
}
```
## Usage
### Lambda Handler
The Lambda function handler is located at:
```plaintext
secure_authorizer.authorizer.handler
```
### Example Event
```json
{
"headers": {
"x-origin-verify": "your-api-key-value"
}
}
```
### Deployment Steps
1. **Set up AWS Secrets Manager**:
- Create a new secret with your API key
- Note the secret name and key name for environment variables
2. **Configure Lambda Environment**:
```bash
SECRET_NAME="your-secret-name"
SECRET_KEY_NAME="your-key-name"
HEADER_NAME="x-origin-verify" # Optional, this is the default
```
3. **Deploy Lambda Function**:
- Set handler to `secure_authorizer.authorizer.handler`
- Configure IAM role with necessary Secrets Manager permissions
- Set memory and timeout appropriately (see Performance Recommendations)
4. **Configure API Gateway**:
- Create a Lambda authorizer
- Link it to your Lambda function
- Configure authorization caching (see Performance Recommendations)
### Key Rotation
This authorizer supports seamless [key rotation](https://github.com/efficient-solutions/amazon-cloudfront-api-key-rotator) using AWS Secrets Manager's versioning:
1. Create a new version of your secret in AWS Secrets Manager
2. The new version will be automatically available as 'AWSPENDING'
3. The authorizer will accept both current and pending versions during rotation
4. Once rotation is complete, the new version becomes 'AWSCURRENT'
## Performance Recommendations
- **Memory**: 512MB
- **Timeout**: 5 seconds
- **Architecture**: ARM64
- **Authorization Caching**: 300-3600 seconds based on your security requirements
## Security Features
- **Secure Secret Storage**: Utilizes AWS Secrets Manager for encrypted key storage
- **Key Rotation Support**: Enables zero-downtime key rotation
- **Constant-time Comparison**: Prevents timing attacks during API key validation
- **Detailed Security Logging**: Helps identify potential security issues
## Error Handling
The authorizer implements comprehensive error handling for various scenarios:
- Missing environment variables
- Invalid or missing headers
- Secrets Manager access issues
- JSON parsing errors
- API key validation failures
All errors are logged with appropriate detail levels while maintaining security.
## Logging
The authorizer provides detailed logging at different levels:
- INFO: Successful authorizations
- WARNING: Failed authorizations
- ERROR: Configuration issues, Secrets Manager errors
- DEBUG: Additional validation details
## Comparison with [Simple Authorizer](https://github.com/efficient-solutions/amazon-api-gateway-simple-authorizer)
Advantages over the simple authorizer:
- Secure secret storage in AWS Secrets Manager
- Support for key rotation
## License
This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details.
## Disclaimer
This software product is not affiliated with, endorsed by, or sponsored by Amazon Web Services (AWS) or Amazon.com, Inc. The use of the term "AWS" is solely for descriptive purposes to indicate that the software is compatible with AWS services. Amazon Web Services and AWS are trademarks of Amazon.com, Inc. or its affiliates.
Raw data
{
"_id": null,
"home_page": "https://github.com/efficient-solutions/amazon-api-gateway-secure-authorizer",
"name": "amazon-api-gateway-secure-authorizer",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.10",
"maintainer_email": null,
"keywords": "Amazon API Gateway, Amazon CloudFront, AWS Lambda, AWS Secrets Manager",
"author": "Efficient Solutions LLC",
"author_email": "contact@efficient.solutions",
"download_url": "https://files.pythonhosted.org/packages/c3/37/4252746463bd65c429b695790da739a136b89dfc0d8141e504f0a872dc93/amazon-api-gateway-secure-authorizer-0.1.0.tar.gz",
"platform": null,
"description": "# Secure Authorizer for Amazon API Gateway\n\nThis is a Lambda authorizer for [Amazon API Gateway](https://aws.amazon.com/api-gateway/) that provides secure API key validation using [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/). This authorizer is compatible with [key rotation](https://github.com/efficient-solutions/amazon-cloudfront-api-key-rotator) through AWS Secrets Manager versioning, implements constant-time comparison to prevent timing attacks, and includes comprehensive logging for security monitoring.\n\n## Features\n\n- **AWS Secrets Manager Integration**: Securely retrieves API keys using AWS Secrets Manager\n- **Key Rotation Compatibility**: Validates requests against both current and pending secret versions\n- **Timing Attack Prevention**: Uses constant-time comparison for secure string matching\n- **Comprehensive Logging**: Detailed logging for security monitoring and troubleshooting\n\n## Installation\n\n```bash\npip install amazon-api-gateway-secure-authorizer\n```\n\n## Configuration\n\n### Environment Variables\n\n- `SECRET_NAME`: The name or ARN of the secret in AWS Secrets Manager\n- `SECRET_KEY_NAME`: The key name within the secret's JSON structure that contains the API key\n- `HEADER_NAME`: (Optional) The name of the header containing the API key (default: \"x-origin-verify\")\n\n### AWS Secrets Manager Setup\n\n1. Create a new secret in AWS Secrets Manager with the following JSON structure:\n```json\n{\n \"your_key_name\": \"your-api-key-value\"\n}\n```\n\n2. Ensure your Lambda function has the following IAM permissions:\n```json\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"secretsmanager:GetSecretValue\"\n ],\n \"Resource\": \"arn:aws:secretsmanager:region:account-id:secret:secret-name\"\n }\n ]\n}\n```\n\n## Usage\n\n### Lambda Handler\n\nThe Lambda function handler is located at:\n```plaintext\nsecure_authorizer.authorizer.handler\n```\n\n### Example Event\n\n```json\n{\n \"headers\": {\n \"x-origin-verify\": \"your-api-key-value\"\n }\n}\n```\n\n### Deployment Steps\n\n1. **Set up AWS Secrets Manager**:\n - Create a new secret with your API key\n - Note the secret name and key name for environment variables\n\n2. **Configure Lambda Environment**:\n ```bash\n SECRET_NAME=\"your-secret-name\"\n SECRET_KEY_NAME=\"your-key-name\"\n HEADER_NAME=\"x-origin-verify\" # Optional, this is the default\n ```\n\n3. **Deploy Lambda Function**:\n - Set handler to `secure_authorizer.authorizer.handler`\n - Configure IAM role with necessary Secrets Manager permissions\n - Set memory and timeout appropriately (see Performance Recommendations)\n\n4. **Configure API Gateway**:\n - Create a Lambda authorizer\n - Link it to your Lambda function\n - Configure authorization caching (see Performance Recommendations)\n\n### Key Rotation\n\nThis authorizer supports seamless [key rotation](https://github.com/efficient-solutions/amazon-cloudfront-api-key-rotator) using AWS Secrets Manager's versioning:\n\n1. Create a new version of your secret in AWS Secrets Manager\n2. The new version will be automatically available as 'AWSPENDING'\n3. The authorizer will accept both current and pending versions during rotation\n4. Once rotation is complete, the new version becomes 'AWSCURRENT'\n\n## Performance Recommendations\n\n- **Memory**: 512MB\n- **Timeout**: 5 seconds\n- **Architecture**: ARM64\n- **Authorization Caching**: 300-3600 seconds based on your security requirements\n\n## Security Features\n\n- **Secure Secret Storage**: Utilizes AWS Secrets Manager for encrypted key storage\n- **Key Rotation Support**: Enables zero-downtime key rotation\n- **Constant-time Comparison**: Prevents timing attacks during API key validation\n- **Detailed Security Logging**: Helps identify potential security issues\n\n## Error Handling\n\nThe authorizer implements comprehensive error handling for various scenarios:\n\n- Missing environment variables\n- Invalid or missing headers\n- Secrets Manager access issues\n- JSON parsing errors\n- API key validation failures\n\nAll errors are logged with appropriate detail levels while maintaining security.\n\n## Logging\n\nThe authorizer provides detailed logging at different levels:\n\n- INFO: Successful authorizations\n- WARNING: Failed authorizations\n- ERROR: Configuration issues, Secrets Manager errors\n- DEBUG: Additional validation details\n\n## Comparison with [Simple Authorizer](https://github.com/efficient-solutions/amazon-api-gateway-simple-authorizer)\n\nAdvantages over the simple authorizer:\n\n- Secure secret storage in AWS Secrets Manager\n- Support for key rotation\n\n## License\n\nThis project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details.\n\n## Disclaimer\n\nThis software product is not affiliated with, endorsed by, or sponsored by Amazon Web Services (AWS) or Amazon.com, Inc. The use of the term \"AWS\" is solely for descriptive purposes to indicate that the software is compatible with AWS services. Amazon Web Services and AWS are trademarks of Amazon.com, Inc. or its affiliates.\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "Secure Lambda authorizer for HTTP API behind CloudFront",
"version": "0.1.0",
"project_urls": {
"Homepage": "https://github.com/efficient-solutions/amazon-api-gateway-secure-authorizer"
},
"split_keywords": [
"amazon api gateway",
" amazon cloudfront",
" aws lambda",
" aws secrets manager"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "47b47deb3ff2ca897b798cbe12210e8c38238ed206f1a7c82618537ace73e318",
"md5": "82382b8179aacb859cb4421122dbf05c",
"sha256": "55942e626796fc617fe694ab8bf60a880e95befc3681e45660f24af7738462e2"
},
"downloads": -1,
"filename": "amazon_api_gateway_secure_authorizer-0.1.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "82382b8179aacb859cb4421122dbf05c",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.10",
"size": 7279,
"upload_time": "2024-10-22T02:39:59",
"upload_time_iso_8601": "2024-10-22T02:39:59.044766Z",
"url": "https://files.pythonhosted.org/packages/47/b4/7deb3ff2ca897b798cbe12210e8c38238ed206f1a7c82618537ace73e318/amazon_api_gateway_secure_authorizer-0.1.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "c3374252746463bd65c429b695790da739a136b89dfc0d8141e504f0a872dc93",
"md5": "f4614d2c0b02db3e6692c12036854d13",
"sha256": "3e53133a52bcf8a06407f0326eac8a5a3ec2533ddfa2d61d81531807076e484e"
},
"downloads": -1,
"filename": "amazon-api-gateway-secure-authorizer-0.1.0.tar.gz",
"has_sig": false,
"md5_digest": "f4614d2c0b02db3e6692c12036854d13",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.10",
"size": 6473,
"upload_time": "2024-10-22T02:40:00",
"upload_time_iso_8601": "2024-10-22T02:40:00.845311Z",
"url": "https://files.pythonhosted.org/packages/c3/37/4252746463bd65c429b695790da739a136b89dfc0d8141e504f0a872dc93/amazon-api-gateway-secure-authorizer-0.1.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-10-22 02:40:00",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "efficient-solutions",
"github_project": "amazon-api-gateway-secure-authorizer",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"requirements": [],
"lcname": "amazon-api-gateway-secure-authorizer"
}
JSON
