I've successfully configured IAM-authenticated access to my Lambda function with AWS API Gateway front-end, but unable to find how to pass IAM user identity to my Lambda function.
I need exactly IAM user identity and can not run Lambda function under calling IAM-user credentials. All I need - is to get calling IAM-user identity in my Lambda function.
Is there option for that?
Attach the IAM policy to an IAM roleNavigate to the IAM console and choose Roles in the navigation pane. Choose Create role. Choose AWS service and then choose Lambda. Choose Next: Permissions.
Configure your Lambda function's execution role to allow the function to assume an IAM role in another AWS account. Modify your cross-account IAM role's trust policy to allow your Lambda function to assume the role. Add the AWS Security Token Service (AWS STS) AssumeRole API call to your Lambda function's code.
To pass custom headers from an API Gateway API to a Lambda function, use a body mapping template. The API sends the updated API request to a Lambda function to process the headers. Then, the Lambda function returns one or more header values from the original API request.
Support for accessing identity and other information from the Amazon API Gateway request context hadn't been available when you posted the question, but recently been added, see Announcement: Context Variables:
You can now access context variables from within mapping templates to retrieve contextual information about the API call. You can access data such as stage, resource path, and HTTP method, as well as information about the identity of the caller. This information can then be passed along to your backend integration using the $context variable. [emphasis mine]
The referenced documentation on Accessing the $context Variable features a $context Variable Reference
and there are various $context.identity.*
parameters that should address your use case.
As outlined in Soenke's answer to the OPs similar question in the Amazon API Gateway forum, there is an as of yet undocumented integration parameter that results in the Cognito identifier being included in this $context.identity.*
context variables:
in order to have the Cognito (not IAM!) IdentityId and IdentityPoolId available in Lambda, you have to enable "Invoke with caller credentials" on the API Gateway "Integration Request" page of the API GW Resource. This results in a new context struct "identity" (containing "cognitoIdentityId" and "cognitoIdentityPoolId" being passed to the Lambda function).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With