Creating and managing custom authorizers (CLI) (original) (raw)

AWS IoT Core implements custom authentication and authorization schemes by using custom authorizers. A custom authorizer is an AWS IoT Core resource that gives you the flexibility to define and implement the rules and policies based on your specific requirements. To create a custom authorizer with step-by-step instructions, seeTutorial: Creating a custom authorizer for AWS IoT Core.

Each authorizer consists of the following components:

• Name: A unique user-defined string that identifies the authorizer.
• Lambda function ARN: The Amazon Resource Name (ARN) of the Lambda function that implements the authorization and authentication logic.
• Token key name: The key name used to extract the token from the HTTP headers, query parameters, or MQTT CONNECT user name in order to perform signature validation. This value is required if signing is enabled in your authorizer.
• Signing disabled flag (optional): A Boolean value that specifies whether to disable the signing requirement on credentials. This is useful for scenarios where signing the credentials doesn't make sense, such as authentication schemes that use MQTT user name and password. The default value is false, so signing is enabled by default.
• Token signing public key: The public key that AWS IoT Core uses to validate the token signature. Its minimum length is 2,048 bits. This value is required if signing is enabled in your authorizer.

Lambda charges you for the number of times your Lambda function runs and for the amount of time it takes for the code in your function to execute. For more information about Lambda pricing, see Lambda Pricing. For more information about creating Lambda functions, see the Lambda Developer Guide.

Note

If you leave signing enabled, you can prevent excessive triggering of your Lambda by unrecognized clients. Consider this before you disable signing in your authorizer.

Note

The Lambda function timeout limit for custom authorizer is 5 seconds.

In this chapter:

• Defining your Lambda function
• Creating an authorizer
• Authorizing AWS IoT to invoke your Lambda function
• Testing your authorizers
• Managing custom authorizers

Understanding the custom authentication workflow

Defining your Lambda function

Did this page help you? - Yes

Thanks for letting us know we're doing a good job!

If you've got a moment, please tell us what we did right so we can do more of it.

Did this page help you? - No

Thanks for letting us know this page needs work. We're sorry we let you down.

If you've got a moment, please tell us how we can make the documentation better.