
API Gateway Custom Authorizer - Get Source IP Address

Is it possible to get the source IP address of a request to your API Gateway in a 'Custom Authorizer' lambda function?

This is definitely possible with the actual integration of your API Gateway to a lambda function. Though it does not seem to be possible to get the requester's IP address in a Custom Authorizer function.

My goal is to do rate-based blocking directly in APIG. A similar solution is described here. However, as I am only restricting access to one or two APIG endpoints, I'd rather do this in a custom authorizer function which simply adds the source address to the deny policy of the APIG when it reaches a rate limit.

EDIT: To clarify some potential confusion. I understand that I could do this through the regular integration as mentioned above, and in this other post. But I am trying to utilize the custom authorizer functionality, so that I don't have to write the same rate limiting code in all of my lambda functions.

unclemeat asked Nov 09 '22 00:11


1 Answer

You should look at

event.requestContext.identity.sourceIp

it will contain the original client IP.

When creating the Authorizer, in the "Identity Sources" section add

Context: identity.sourceIp

and enable caching (default is 300 sec). That way your authorizer lambda will not be called for each request, because it will cache the returned policy for that IP.

You can experiment yourself if you add logging of the passed event parameter (just don't forget about caching; not all calls to API Gateway fire the authorizer lambda).

BTW, don't use "X-Forwarded-For"; look at my comment on another answer (@binshi's).

pero answered Nov 25 '22 23:11
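
A sketch of the authorizer described in this answer, as an added example that is not part of the original post: a REQUEST-type Lambda authorizer that reads `event.requestContext.identity.sourceIp` and returns an Allow or Deny policy for that address. The limits, the in-memory counter and the function names (`authorize`, `withinLimit`, `buildPolicy`) are assumptions made for illustration.

```javascript
'use strict';

// Added example (not from the original answer). WINDOW_MS, MAX_REQUESTS and
// the in-memory Map are assumptions; Lambda instances do not share memory,
// so a real deployment would keep these counters in an external store.
const WINDOW_MS = 60000;
const MAX_REQUESTS = 5;
const hits = new Map(); // sourceIp -> timestamps (ms) of recent calls

function buildPolicy(principalId, effect, resource) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resource }],
    },
  };
}

// Sliding window; denied calls are counted too, so a client that keeps
// calling stays blocked until it slows down.
function withinLimit(ip, now) {
  const recent = (hits.get(ip) || []).filter((t) => now - t < WINDOW_MS);
  recent.push(now);
  hits.set(ip, recent);
  return recent.length <= MAX_REQUESTS;
}

// Pure decision function so it can be exercised without the Lambda runtime.
function authorize(event, now) {
  const identity = (event.requestContext || {}).identity || {};
  const ip = identity.sourceIp;
  if (!ip) {
    // Fail closed when no source address was passed to the authorizer.
    return buildPolicy('unknown', 'Deny', event.methodArn);
  }
  return buildPolicy(ip, withinLimit(ip, now) ? 'Allow' : 'Deny', event.methodArn);
}

// Lambda entry point.
const handler = async (event) => authorize(event, Date.now());
if (typeof module !== 'undefined') module.exports = { handler };
```

With authorizer caching enabled on `identity.sourceIp`, this code only runs on a cache miss, so the counter sees authorizer invocations rather than every request, and a returned Deny stays in effect for that IP until the cached policy expires.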