github.com/danp/terraform@v0.9.5-0.20170426144147-39d740081351/website/source/docs/providers/aws/r/api_gateway_authorizer.html.markdown (about) 1 --- 2 layout: "aws" 3 page_title: "AWS: aws_api_gateway_authorizer" 4 sidebar_current: "docs-aws-resource-api-gateway-authorizer" 5 description: |- 6 Provides an API Gateway Authorizer. 7 --- 8 9 # aws\_api\_gateway\_authorizer 10 11 Provides an API Gateway Authorizer. 12 13 ## Example Usage 14 15 ```hcl 16 resource "aws_api_gateway_authorizer" "demo" { 17 name = "demo" 18 rest_api_id = "${aws_api_gateway_rest_api.demo.id}" 19 authorizer_uri = "arn:aws:apigateway:region:lambda:path/2015-03-31/functions/${aws_lambda_function.authorizer.arn}/invocations" 20 authorizer_credentials = "${aws_iam_role.invocation_role.arn}" 21 } 22 23 resource "aws_api_gateway_rest_api" "demo" { 24 name = "auth-demo" 25 } 26 27 resource "aws_iam_role" "invocation_role" { 28 name = "api_gateway_auth_invocation" 29 path = "/" 30 31 assume_role_policy = <<EOF 32 { 33 "Version": "2012-10-17", 34 "Statement": [ 35 { 36 "Action": "sts:AssumeRole", 37 "Principal": { 38 "Service": "apigateway.amazonaws.com" 39 }, 40 "Effect": "Allow", 41 "Sid": "" 42 } 43 ] 44 } 45 EOF 46 } 47 48 resource "aws_iam_role_policy" "invocation_policy" { 49 name = "default" 50 role = "${aws_iam_role.invocation_role.id}" 51 52 policy = <<EOF 53 { 54 "Version": "2012-10-17", 55 "Statement": [ 56 { 57 "Action": "lambda:InvokeFunction", 58 "Effect": "Allow", 59 "Resource": "${aws_lambda_function.authorizer.arn}" 60 } 61 ] 62 } 63 EOF 64 } 65 66 resource "aws_iam_role" "lambda" { 67 name = "demo-lambda" 68 69 assume_role_policy = <<EOF 70 { 71 "Version": "2012-10-17", 72 "Statement": [ 73 { 74 "Action": "sts:AssumeRole", 75 "Principal": { 76 "Service": "lambda.amazonaws.com" 77 }, 78 "Effect": "Allow", 79 "Sid": "" 80 } 81 ] 82 } 83 EOF 84 } 85 86 resource "aws_lambda_function" "authorizer" { 87 filename = "lambda-function.zip" 88 source_code_hash = 
"${base64sha256(file("lambda-function.zip"))}" 89 function_name = "api_gateway_authorizer" 90 role = "${aws_iam_role.lambda.arn}" 91 handler = "exports.example" 92 } 93 ``` 94 95 ## Argument Reference 96 97 The following arguments are supported: 98 99 * `authorizer_uri` - (Required) The authorizer's Uniform Resource Identifier (URI). 100 For `TOKEN` type, this must be a well-formed Lambda function URI in the form of 101 `arn:aws:apigateway:{region}:lambda:path/{service_api}`, for example `arn:aws:apigateway:region:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:012345678912:function:my-function/invocations`. 102 * `name` - (Required) The name of the authorizer. 103 * `rest_api_id` - (Required) The ID of the associated REST API. 104 * `identity_source` - (Optional) The source of the identity in an incoming request. 105 Defaults to `method.request.header.Authorization`. 106 * `type` - (Optional) The type of the authorizer. `TOKEN` is currently the only allowed value. 107 Defaults to `TOKEN`. 108 * `authorizer_credentials` - (Optional) The credentials required for the authorizer. 109 To specify an IAM Role for API Gateway to assume, use the IAM Role ARN. Grant that role only `lambda:InvokeFunction` on the authorizer function, as the `invocation_policy` in the example above does. 110 * `authorizer_result_ttl_in_seconds` - (Optional) The TTL of cached authorizer results in seconds. 111 Defaults to `300`. While a result is cached, the authorizer is not called again for the same token, so a revoked token keeps its cached decision until the TTL expires; API Gateway treats a TTL of `0` as caching disabled. 112 * `identity_validation_expression` - (Optional) A validation expression for the incoming identity. 113 For `TOKEN` type, this value should be a regular expression. The incoming token from the client is matched 114 against this expression, and the request proceeds to the authorizer only if the token matches. If the token doesn't match, 115 the client receives a 401 Unauthorized response. The expression only filters on the token's format; the authorizer function must still verify the token itself.