Secure Serverless REST API Using Auth0
A simple REST API that is protected by a custom AWS Lambda Authorizer. The Authorizer uses Auth0 to authorize requests.
This example is similar to Auth0’s tutorial: Secure AWS API Gateway Endpoints Using Custom Authorizers, but uses Pulumi to create the Serverless app and Custom Authorizer.
Set Up Auth0
You can follow the steps below, or alternatively Auth0's own guide, Part 1: Create an Auth0 API.

1. Sign up for an Auth0 account, or log in if you already have one.
2. Click on APIs in the left-hand menu.
3. Click Create API.
   - Enter a name and Identifier for your new API.
   - Select RS256 as the Signing Algorithm.
   - Click Create.
4. Under the Quick Start tab, the Node.js example will show you the values for `jwksUri`, `audience` and `issuer` that you will need in the next section.
Deploying and Running the Program
Create a new stack:

```bash
pulumi stack init auth0-api-testing
```

Set the AWS region:

```bash
pulumi config set aws:region us-east-2
```

Set up the Auth0 configuration values as secrets in Pulumi. Run the following commands after replacing `<jwksUri>`, `<audience>` and `<issuer>` with the values from the previous section:

```bash
pulumi config set --secret jwksUri <jwksUri>
pulumi config set --secret audience <audience>
pulumi config set --secret issuer <issuer>
```

Restore NPM modules via `npm install` or `yarn install`.

Run `pulumi up` to preview and deploy changes:
```
$ pulumi up
Previewing update (dev):
...
Updating (dev):

     Type                                 Name                                              Status      Info
 +   pulumi:pulumi:Stack                  lambda-authorizer-dev                             created     1 message
 +   ├─ aws:apigateway:x:API              myapi                                             created
 +   │  ├─ aws:iam:Role                   myapi70a45a97                                     created
 +   │  ├─ aws:iam:RolePolicyAttachment   myapi70a45a97-32be53a2                            created
 +   │  ├─ aws:lambda:Function            myapi70a45a97                                     created
 +   │  ├─ aws:apigateway:RestApi         myapi                                             created
 +   │  ├─ aws:apigateway:Deployment      myapi                                             created
 +   │  ├─ aws:lambda:Permission          myapi-31a4e902                                    created
 +   │  └─ aws:apigateway:Stage           myapi                                             created
 +   ├─ aws:iam:Role                      jwt-rsa-custom-authorizer                         created
 +   ├─ aws:iam:Role                      jwt-rsa-custom-authorizer-authorizer-role         created
 +   ├─ aws:iam:RolePolicyAttachment      jwt-rsa-custom-authorizer-32be53a2                created
 +   ├─ aws:lambda:Function               jwt-rsa-custom-authorizer                         created
 +   └─ aws:iam:RolePolicy                jwt-rsa-custom-authorizer-invocation-policy       created

Outputs:
    url: "https://***.execute-api.us-east-2.amazonaws.com/stage/"

Resources:
    + 14 created

Duration: 18s
```
Testing Our API
We can now use cURL to test out our new endpoint. If we cURL without a token, we should get a 401 Unauthorized response.

```bash
$ curl $(pulumi stack output url)hello
{"message":"Unauthorized"}
```

We can cURL our endpoint with an invalid token and should once again get a 401 Unauthorized response.

```bash
$ curl $(pulumi stack output url)hello -H "Authorization: Bearer invalid"
{"message":"Unauthorized"}
```

Finally, we expect a 200 response when we obtain a token from Auth0 and use it to call our API. We can get a token by visiting the API Details page for our API and clicking the Test tab. Using the provided access token, the API returns a 200 response with Hello world!

```bash
$ curl $(pulumi stack output url)hello -H "Authorization: Bearer <VALID_TOKEN>"
<h1>Hello world!</h1>
```
Clean up
Run `pulumi destroy` to tear down all resources. To delete the stack itself, run `pulumi stack rm`. Note that this command deletes all deployment history from the Pulumi console.