This package implements a Lambda authorizer that supports HTTP basic auth or a simple API key model, with optional IP whitelisting. It is deliberately simple: all configuration comes from a single JSON document.

Configuration is a JSON document stored in an AWS secret. The Lambda handler in main.go locates that secret by reading its name from the environment variable LAMBDA_AUTH_CONFIG.
### Basic auth
If basic auth is enabled, the configuration document contains the following keys:

whitelist
: an array of CIDR networks and/or IP addresses that are allowed to reach the resources. If empty or omitted, all addresses are allowed, so leaving it out disables the IP check entirely.

paths
: an array of paths (with optional wildcards). Each path consists of an HTTP verb followed by a resource path (see the AWS docs on method ARNs). These define the resources this function authorizes: for each path an ARN is generated from the RouteArn of the Lambda call by replacing the resource portion of the ARN with the individual path value. If omitted, the single path "*" is used, which covers every route of the API.

basicAuth
: true when using basic authentication

users
: an array of objects, each with userid and key keys. Logins are validated against this set of users. Note that the secret holds these credentials in clear text, so access to it should be restricted as tightly as the API it protects.
```json
{
  "whitelist": ["10.11.12.0/24", "192.168.1.3"],
  "paths": [
    "/GET/api/account/*",
    "*/api/user/*"
  ],
  "basicAuth": true,
  "users": [
    {
      "userid": "user1",
      "key": "password1"
    },
    {
      "userid": "user2",
      "key": "password2"
    }
  ]
}
```
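The paths-to-ARN rule above is easy to get wrong, so here is an added example (not the package's own main.go) of how the configured paths become the Resource entries of the policy the authorizer returns. The route ARN is a constructed sample in the documented API Gateway layout `arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<VERB>/<resource>`; the function names `policyResources` and `allowPolicy` and the policy types are hypothetical names chosen for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample of the RouteArn an API Gateway authorizer receives:
// arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<VERB>/<resource>
const sampleRouteArn = "arn:aws:execute-api:us-east-1:123456789012:abc123def/prod/GET/api/account/42"

// policyResources rebuilds the resource portion of routeArn for each configured
// path, as the README describes: keep everything up to and including the stage,
// then append the path (a leading "/" is tolerated). No paths means the single "*".
func policyResources(routeArn string, paths []string) ([]string, error) {
	parts := strings.SplitN(routeArn, "/", 3) // [prefix ending in api-id, stage, verb/resource]
	if len(parts) < 3 || !strings.HasPrefix(parts[0], "arn:") {
		return nil, fmt.Errorf("unexpected route ARN %q", routeArn)
	}
	prefix := parts[0] + "/" + parts[1] + "/"
	if len(paths) == 0 {
		paths = []string{"*"}
	}
	resources := make([]string, 0, len(paths))
	for _, p := range paths {
		p = strings.TrimPrefix(p, "/")
		if p == "" {
			return nil, fmt.Errorf("empty path in configuration")
		}
		resources = append(resources, prefix+p)
	}
	return resources, nil
}

// Minimal IAM policy types for the authorizer response (hypothetical helper types).
type Statement struct {
	Action   string   `json:"Action"`
	Effect   string   `json:"Effect"`
	Resource []string `json:"Resource"`
}

type PolicyDocument struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// allowPolicy wraps the generated resources in a single Allow for execute-api:Invoke.
func allowPolicy(resources []string) PolicyDocument {
	return PolicyDocument{
		Version:   "2012-10-17",
		Statement: []Statement{{Action: "execute-api:Invoke", Effect: "Allow", Resource: resources}},
	}
}

func main() {
	paths := []string{"/GET/api/account/*", "*/api/user/*"} // the paths from the sample config above
	res, err := policyResources(sampleRouteArn, paths)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(allowPolicy(res), "", "  ")
	fmt.Println(string(out))
}
```

With the sample config the two resources come out as `.../prod/GET/api/account/*` and `.../prod/*/api/user/*`; the verb is part of the resource string, which is why the README's paths start with one. A malformed ARN is rejected rather than silently producing a policy with an empty resource.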
If basic auth is not in use, the configuration document contains the following keys:

whitelist
: as above

paths
: as above

basicAuth
: false or omitted

userHeader
: the name of the HTTP header from which the user id is taken. If omitted, user ids are not checked and only the key field below is checked, by iterating the users array until a matching key is found.

keyHeader
: the name of the HTTP header from which the API key is taken. This is mandatory.

users
: an array of objects, each with userid and key keys. Logins are validated against this set of users.
```json
{
  "whitelist": ["10.11.12.0/24", "192.168.1.3"],
  "paths": [
    "/GET/api/account/*",
    "*/api/user/*"
  ],
  "basicAuth": false,
  "userHeader": "x-api-user",
  "keyHeader": "x-api-key",
  "users": [
    {
      "userid": "user1",
      "key": "key1"
    },
    {
      "userid": "user2",
      "key": "key2"
    }
  ]
}
```
The only difference between the two modes is where the userid and key are taken from: the Authorization header for basic auth, or the configured userHeader and keyHeader otherwise. Whitelist, paths and user validation work the same way in both.
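To make the two modes and the whitelist rule concrete, here is an added example (my own code, not the package's) of the full decision for both configurations described above: parse the document, enforce that keyHeader is mandatory without basic auth, apply the whitelist, pull the credentials from either the Authorization header or the configured headers, and match them against the users array. It assumes the request headers arrive as a map with lower-cased names (as API Gateway delivers them) and that the caller passes the source address from the request context; the names `Config`, `loadConfig`, `ipAllowed`, `credentials` and `authorize` are hypothetical, and `sampleConfig` is a constructed copy of the header-based document above.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net"
	"strings"
)

// Config mirrors the JSON document above; the tags are the README's key names.
type Config struct {
	Whitelist  []string `json:"whitelist"`
	BasicAuth  bool     `json:"basicAuth"`
	UserHeader string   `json:"userHeader"`
	KeyHeader  string   `json:"keyHeader"`
	Users      []User   `json:"users"`
}

type User struct {
	UserID string `json:"userid"`
	Key    string `json:"key"`
}

// sampleConfig is a constructed copy of the header-based configuration above.
const sampleConfig = `{"whitelist": ["10.11.12.0/24", "192.168.1.3"], "basicAuth": false, "userHeader": "x-api-user",
 "keyHeader": "x-api-key", "users": [{"userid": "user1", "key": "key1"}, {"userid": "user2", "key": "key2"}]}`

// loadConfig parses the document; keyHeader is mandatory unless basicAuth is true.
func loadConfig(data []byte) (*Config, error) {
	var cfg Config
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	if !cfg.BasicAuth && cfg.KeyHeader == "" {
		return nil, errors.New("keyHeader is mandatory when basicAuth is false")
	}
	return &cfg, nil
}

// ipAllowed applies the whitelist: entries are CIDR networks or single addresses, and
// an empty list allows everyone (the default is open). net.ParseIP returns nil for an
// unparseable source, which neither Contains nor Equal will match.
func ipAllowed(cfg *Config, src string) bool {
	if len(cfg.Whitelist) == 0 {
		return true
	}
	ip := net.ParseIP(src)
	for _, entry := range cfg.Whitelist {
		if _, network, err := net.ParseCIDR(entry); err == nil && network.Contains(ip) {
			return true
		}
		if single := net.ParseIP(entry); single != nil && single.Equal(ip) {
			return true
		}
	}
	return false
}

// credentials takes (userid, key) from the Authorization header (basic auth) or from
// the configured userHeader/keyHeader (names assumed lower-cased, as API Gateway sends
// them). A configured but absent header fails; no userHeader means "check the key only".
func credentials(cfg *Config, h map[string]string) (user, key string, ok bool) {
	if cfg.BasicAuth {
		b64, isBasic := strings.CutPrefix(h["authorization"], "Basic ")
		raw, err := base64.StdEncoding.DecodeString(b64)
		if !isBasic || err != nil {
			return "", "", false
		}
		user, key, ok = strings.Cut(string(raw), ":")
		return user, key, ok && user != ""
	}
	key = h[strings.ToLower(cfg.KeyHeader)]
	if cfg.UserHeader != "" {
		if user = h[strings.ToLower(cfg.UserHeader)]; user == "" {
			return "", "", false
		}
	}
	return user, key, key != ""
}

// authorize is the whole decision: the source IP passes the whitelist and the
// credentials match a configured user. Every user is compared in constant time with
// no early exit, so response timing does not reveal which user ids exist.
func authorize(cfg *Config, sourceIP string, h map[string]string) bool {
	if !ipAllowed(cfg, sourceIP) {
		return false
	}
	user, key, ok := credentials(cfg, h)
	if !ok {
		return false
	}
	matched := false
	for _, u := range cfg.Users {
		keyOK := subtle.ConstantTimeCompare([]byte(u.Key), []byte(key)) == 1
		userOK := user == "" || subtle.ConstantTimeCompare([]byte(u.UserID), []byte(user)) == 1
		matched = matched || (keyOK && userOK)
	}
	return matched
}
```

Two points worth keeping when wiring this into a real handler: take `sourceIP` from the request context's identity source address rather than from X-Forwarded-For, which the client controls; and in key-only mode (userHeader omitted) a key is accepted if it matches any user, so every key must be unique and individually strong.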
Setting the environment variable LAMBDA_AUTH_LOGGING enables additional diagnostic output for testing.

The Lambda function locates its configuration through the environment variable LAMBDA_AUTH_CONFIG, which must hold the name of the AWS secret containing the config document. The document is read once when main() runs and cached for the lifetime of the Lambda execution environment, so a change to the secret (for example a rotated key) only takes effect when a new execution environment starts.