Feature request: provide Parser models for Lambda Authorizer

[dreamorosi]

Use case

As a customer, when writing Lambda Authorizer functions for API Gateway, I would like to use the Parser utility to parse and validate the payload received by my function.

Solution/User Experience

Based on my tests, there are 3 models that could be added:

• APIGatewayRequestAuthorizerEventSchema
• APIGatewayTokenAuthorizerEventSchema
• APIGatewayRequestAuthorizerEventV2Schema

The first two are used by API Gateway REST API (v1) when configuring a Lambda authorizer. With this version of API Gateway customers can choose whether the authorizer is looking only at the token or at the entire request and based on this the payload that the function receives changes.

For request authorizers the payload looks like this:

{
    "type": "REQUEST",
    "methodArn": "arn:aws:execute-api:eu-west-1:123456789012:puhdx84jy9/prod/POST/lambda-request",
    "resource": "/lambda-request",
    "path": "/lambda-request",
    "httpMethod": "POST",
    "headers": {
        "Accept": "*/*",
        "Accept-Encoding": "gzip, deflate",
        "Authorization": "Bearer foo",
        "CloudFront-Forwarded-Proto": "https",
        "CloudFront-Is-Desktop-Viewer": "true",
        "CloudFront-Is-Mobile-Viewer": "false",
        "CloudFront-Is-SmartTV-Viewer": "false",
        "CloudFront-Is-Tablet-Viewer": "false",
        "CloudFront-Viewer-ASN": "7224",
        "CloudFront-Viewer-Country": "GB",
        "Content-Length": "0",
        "Host": "puhdx84jy9.execute-api.eu-west-1.amazonaws.com",
        "User-Agent": "HTTPie/3.2.2",
        "Via": "1.1 e20527248be1eebaced63108ab7e73d6.cloudfront.net (CloudFront)",
        "X-Amz-Cf-Id": "sIEfafSQxwenKloeWOp-4eyo_-grMyVNzwnkBmx5q7OcvBJV7knerQ==",
        "X-Amzn-Trace-Id": "Root=1-66704feb-118151122b2ad2d3488844e7",
        "X-Forwarded-For": "15.248.3.126, 130.176.209.37",
        "X-Forwarded-Port": "443",
        "X-Forwarded-Proto": "https"
    },
    "multiValueHeaders": {
        "Accept": [
            "*/*"
        ],
        "Accept-Encoding": [
            "gzip, deflate"
        ],
        "Authorization": [
            "Bearer foo"
        ],
        "CloudFront-Forwarded-Proto": [
            "https"
        ],
        "CloudFront-Is-Desktop-Viewer": [
            "true"
        ],
        "CloudFront-Is-Mobile-Viewer": [
            "false"
        ],
        "CloudFront-Is-SmartTV-Viewer": [
            "false"
        ],
        "CloudFront-Is-Tablet-Viewer": [
            "false"
        ],
        "CloudFront-Viewer-ASN": [
            "7224"
        ],
        "CloudFront-Viewer-Country": [
            "GB"
        ],
        "Content-Length": [
            "0"
        ],
        "Host": [
            "puhdx84jy9.execute-api.eu-west-1.amazonaws.com"
        ],
        "User-Agent": [
            "HTTPie/3.2.2"
        ],
        "Via": [
            "1.1 e20527248be1eebaced63108ab7e73d6.cloudfront.net (CloudFront)"
        ],
        "X-Amz-Cf-Id": [
            "sIEfafSQxwenKloeWOp-4eyo_-grMyVNzwnkBmx5q7OcvBJV7knerQ=="
        ],
        "X-Amzn-Trace-Id": [
            "Root=1-66704feb-118151122b2ad2d3488844e7"
        ],
        "X-Forwarded-For": [
            "15.248.3.126, 130.176.209.37"
        ],
        "X-Forwarded-Port": [
            "443"
        ],
        "X-Forwarded-Proto": [
            "https"
        ]
    },
    "queryStringParameters": {},
    "multiValueQueryStringParameters": {},
    "pathParameters": {},
    "stageVariables": {},
    "requestContext": {
        "resourceId": "w567jh",
        "resourcePath": "/lambda-request",
        "httpMethod": "POST",
        "extendedRequestId": "ZhFsxGQDDoEEMig=",
        "requestTime": "17/Jun/2024:15:02:03 +0000",
        "path": "/prod/lambda-request",
        "accountId": "123456789012",
        "protocol": "HTTP/1.1",
        "stage": "prod",
        "domainPrefix": "puhdx84jy9",
        "requestTimeEpoch": 1718636523035,
        "requestId": "141d6671-99b4-40ca-9997-7a22f01eac74",
        "identity": {
            "cognitoIdentityPoolId": null,
            "accountId": null,
            "cognitoIdentityId": null,
            "caller": null,
            "sourceIp": "15.248.3.126",
            "principalOrgId": null,
            "accessKey": null,
            "cognitoAuthenticationType": null,
            "cognitoAuthenticationProvider": null,
            "userArn": null,
            "userAgent": "HTTPie/3.2.2",
            "user": null
        },
        "domainName": "puhdx84jy9.execute-api.eu-west-1.amazonaws.com",
        "deploymentId": "v99qix",
        "apiId": "puhdx84jy9"
    }
}

while for token authorizers it looks like this:

{
    "type": "TOKEN",
    "methodArn": "arn:aws:execute-api:eu-west-1:123456789012:puhdx84jy9/prod/POST/lambda-token",
    "authorizationToken": "Bearer foo"
}

The last one is instead related to API Gateway HTTP API (v2) which as far as I can tell only supports one request type with the following payload:

{
    "version": "2.0",
    "type": "REQUEST",
    "routeArn": "arn:aws:execute-api:eu-west-1:123456789012:lsw1ro4ipb/$default/POST/lambda",
    "identitySource": [
        "Bearer foo"
    ],
    "routeKey": "POST /lambda",
    "rawPath": "/lambda",
    "rawQueryString": "",
    "headers": {
        "accept": "*/*",
        "accept-encoding": "gzip, deflate",
        "authorization": "Bearer foo",
        "content-length": "0",
        "host": "lsw1ro4ipb.execute-api.eu-west-1.amazonaws.com",
        "user-agent": "HTTPie/3.2.2",
        "x-amzn-trace-id": "Root=1-66705bc7-2b4257df30cbee696ef2cf28",
        "x-forwarded-for": "15.248.3.126",
        "x-forwarded-port": "443",
        "x-forwarded-proto": "https"
    },
    "requestContext": {
        "accountId": "123456789012",
        "apiId": "lsw1ro4ipb",
        "domainName": "lsw1ro4ipb.execute-api.eu-west-1.amazonaws.com",
        "domainPrefix": "lsw1ro4ipb",
        "http": {
            "method": "POST",
            "path": "/lambda",
            "protocol": "HTTP/1.1",
            "sourceIp": "15.248.3.126",
            "userAgent": "HTTPie/3.2.2"
        },
        "requestId": "ZhNHJhhLjoEEPiw=",
        "routeKey": "POST /lambda",
        "stage": "$default",
        "time": "17/Jun/2024:15:52:39 +0000",
        "timeEpoch": 1718639559080
    }
}

In terms of DX, the model should work the same as the existing ones:

from aws_lambda_powertools.utilities.parser import event_parser
from aws_lambda_powertools.utilities.parser.models import APIGatewayRequestAuthorizerEventSchema

@event_parser(model=)
def lambda_handler(event, context):
  ...

Note

I have tested all payload types I could think of, including the ones above, with Node.js functions - if you want to double check the payloads you can look at this comment here.

Alternative solutions

No response

Acknowledgment

• This feature request meets Powertools for AWS Lambda (Python) Tenets
• Should this be considered in other Powertools for AWS Lambda languages? i.e. Java, TypeScript, and .NET

[leandrodamascena]

Thank you so much for opening this issue with so many details @dreamorosi!

I'll work on it until the end of this week.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

This issue is now closed. Please be mindful that future comments are hard for our team to see.

If you need more assistance, please either tag a team member or open a new issue that references this one.

If you wish to keep having a conversation with other community members under this issue feel free to do so.