Amazon API Gateway

2016/07/28 - Amazon API Gateway - 5 updated api methods

Changes  Adds support for authentication through Cognito User Pools.

CreateAuthorizer (updated) Link ¶
Changes (both) 
{'providerARNs': ['string'], 'type': {'COGNITO_USER_POOLS'}}

Adds a new Authorizer resource to an existing RestApi resource.

Request Syntax

client.create_authorizer(
    restApiId='string',
    name='string',
    type='TOKEN'|'COGNITO_USER_POOLS',
    providerARNs=[
        'string',
    ],
    authType='string',
    authorizerUri='string',
    authorizerCredentials='string',
    identitySource='string',
    identityValidationExpression='string',
    authorizerResultTtlInSeconds=123
)
type restApiId

string

param restApiId

[REQUIRED]

The RestApi identifier under which the Authorizer will be created.

type name

string

param name

[REQUIRED]

[Required] The name of the authorizer.

type type

string

param type

[REQUIRED]

[Required] The type of the authorizer.

type providerARNs

list

param providerARNs

  • (string) --

type authType

string

param authType

Optional customer-defined field, used in Swagger imports/exports. Has no functional impact.

type authorizerUri

string

param authorizerUri

[Required] Specifies the authorizer's Uniform Resource Identifier (URI).

type authorizerCredentials

string

param authorizerCredentials

Specifies the credentials required for the authorizer, if any.

type identitySource

string

param identitySource

[REQUIRED]

[Required] The source of the identity in an incoming request.

type identityValidationExpression

string

param identityValidationExpression

A validation expression for the incoming identity.

type authorizerResultTtlInSeconds

integer

param authorizerResultTtlInSeconds

The TTL of cached authorizer results.

rtype

dict

returns

Response Syntax

{
    'id': 'string',
    'name': 'string',
    'type': 'TOKEN'|'COGNITO_USER_POOLS',
    'providerARNs': [
        'string',
    ],
    'authType': 'string',
    'authorizerUri': 'string',
    'authorizerCredentials': 'string',
    'identitySource': 'string',
    'identityValidationExpression': 'string',
    'authorizerResultTtlInSeconds': 123
}

Response Structure

  • (dict) --

    Represents an authorization layer for methods. If enabled on a method, API Gateway will activate the authorizer when a client calls the method.

    • id (string) --

      The identifier for the authorizer resource.

    • name (string) --

      [Required] The name of the authorizer.

    • type (string) --

      [Required] The type of the authorizer. Currently, the only valid type is TOKEN.

    • providerARNs (list) --

      • (string) --

    • authType (string) --

      Optional customer-defined field, used in Swagger imports/exports. Has no functional impact.

    • authorizerUri (string) --

      [Required] Specifies the authorizer's Uniform Resource Identifier (URI). For TOKEN authorizers, this must be a well-formed Lambda function URI. The URI should be of the form arn:aws:apigateway:{region}:lambda:path/{service_api} . Region is used to determine the right endpoint. In this case, path is used to indicate that the remaining substring in the URI should be treated as the path to the resource, including the initial / . For Lambda functions, this is usually of the form /2015-03-31/functions/[FunctionARN]/invocations

    • authorizerCredentials (string) --

      Specifies the credentials required for the authorizer, if any. Two options are available. To specify an IAM Role for Amazon API Gateway to assume, use the role's Amazon Resource Name (ARN). To use resource-based permissions on the Lambda function, specify null.

    • identitySource (string) --

      [Required] The source of the identity in an incoming request. For TOKEN authorizers, this value is a mapping expression with the same syntax as integration parameter mappings. The only valid source for tokens is 'header', so the expression should match 'method.request.header.[headerName]'. The value of the header '[headerName]' will be interpreted as the incoming token.

    • identityValidationExpression (string) --

      A validation expression for the incoming identity. For TOKEN authorizers, this value should be a regular expression. The incoming token from the client is matched against this expression, and will proceed if the token matches. If the token doesn't match, the client receives a 401 Unauthorized response.

    • authorizerResultTtlInSeconds (integer) --

      The TTL in seconds of cached authorizer results. If greater than 0, API Gateway will cache authorizer responses. If this field is not set, the default value is 300. The maximum value is 3600, or 1 hour.

GetAuthorizer (updated) Link ¶
Changes (response) 
{'providerARNs': ['string'], 'type': {'COGNITO_USER_POOLS'}}

Describe an existing Authorizer resource.

Request Syntax

client.get_authorizer(
    restApiId='string',
    authorizerId='string'
)
type restApiId

string

param restApiId

[REQUIRED]

The RestApi identifier for the Authorizer resource.

type authorizerId

string

param authorizerId

[REQUIRED]

The identifier of the Authorizer resource.

rtype

dict

returns

Response Syntax

{
    'id': 'string',
    'name': 'string',
    'type': 'TOKEN'|'COGNITO_USER_POOLS',
    'providerARNs': [
        'string',
    ],
    'authType': 'string',
    'authorizerUri': 'string',
    'authorizerCredentials': 'string',
    'identitySource': 'string',
    'identityValidationExpression': 'string',
    'authorizerResultTtlInSeconds': 123
}

Response Structure

  • (dict) --

    Represents an authorization layer for methods. If enabled on a method, API Gateway will activate the authorizer when a client calls the method.

    • id (string) --

      The identifier for the authorizer resource.

    • name (string) --

      [Required] The name of the authorizer.

    • type (string) --

      [Required] The type of the authorizer. Currently, the only valid type is TOKEN.

    • providerARNs (list) --

      • (string) --

    • authType (string) --

      Optional customer-defined field, used in Swagger imports/exports. Has no functional impact.

    • authorizerUri (string) --

      [Required] Specifies the authorizer's Uniform Resource Identifier (URI). For TOKEN authorizers, this must be a well-formed Lambda function URI. The URI should be of the form arn:aws:apigateway:{region}:lambda:path/{service_api} . Region is used to determine the right endpoint. In this case, path is used to indicate that the remaining substring in the URI should be treated as the path to the resource, including the initial / . For Lambda functions, this is usually of the form /2015-03-31/functions/[FunctionARN]/invocations

    • authorizerCredentials (string) --

      Specifies the credentials required for the authorizer, if any. Two options are available. To specify an IAM Role for Amazon API Gateway to assume, use the role's Amazon Resource Name (ARN). To use resource-based permissions on the Lambda function, specify null.

    • identitySource (string) --

      [Required] The source of the identity in an incoming request. For TOKEN authorizers, this value is a mapping expression with the same syntax as integration parameter mappings. The only valid source for tokens is 'header', so the expression should match 'method.request.header.[headerName]'. The value of the header '[headerName]' will be interpreted as the incoming token.

    • identityValidationExpression (string) --

      A validation expression for the incoming identity. For TOKEN authorizers, this value should be a regular expression. The incoming token from the client is matched against this expression, and will proceed if the token matches. If the token doesn't match, the client receives a 401 Unauthorized response.

    • authorizerResultTtlInSeconds (integer) --

      The TTL in seconds of cached authorizer results. If greater than 0, API Gateway will cache authorizer responses. If this field is not set, the default value is 300. The maximum value is 3600, or 1 hour.

GetAuthorizers (updated) Link ¶
Changes (response) 
{'items': {'providerARNs': ['string'], 'type': {'COGNITO_USER_POOLS'}}}

Describe an existing Authorizers resource.

Request Syntax

client.get_authorizers(
    restApiId='string',
    position='string',
    limit=123
)
type restApiId

string

param restApiId

[REQUIRED]

The RestApi identifier for the Authorizers resource.

type position

string

param position

If not all Authorizer resources in the response were present, the position will specificy where to start the next page of results.

type limit

integer

param limit

Limit the number of Authorizer resources in the response.

rtype

dict

returns

Response Syntax

{
    'position': 'string',
    'items': [
        {
            'id': 'string',
            'name': 'string',
            'type': 'TOKEN'|'COGNITO_USER_POOLS',
            'providerARNs': [
                'string',
            ],
            'authType': 'string',
            'authorizerUri': 'string',
            'authorizerCredentials': 'string',
            'identitySource': 'string',
            'identityValidationExpression': 'string',
            'authorizerResultTtlInSeconds': 123
        },
    ]
}

Response Structure

  • (dict) --

    Represents a collection of Authorizer resources.

    • position (string) --

    • items (list) --

      Gets the current list of Authorizer resources in the collection.

      • (dict) --

        Represents an authorization layer for methods. If enabled on a method, API Gateway will activate the authorizer when a client calls the method.

        • id (string) --

          The identifier for the authorizer resource.

        • name (string) --

          [Required] The name of the authorizer.

        • type (string) --

          [Required] The type of the authorizer. Currently, the only valid type is TOKEN.

        • providerARNs (list) --

          • (string) --

        • authType (string) --

          Optional customer-defined field, used in Swagger imports/exports. Has no functional impact.

        • authorizerUri (string) --

          [Required] Specifies the authorizer's Uniform Resource Identifier (URI). For TOKEN authorizers, this must be a well-formed Lambda function URI. The URI should be of the form arn:aws:apigateway:{region}:lambda:path/{service_api} . Region is used to determine the right endpoint. In this case, path is used to indicate that the remaining substring in the URI should be treated as the path to the resource, including the initial / . For Lambda functions, this is usually of the form /2015-03-31/functions/[FunctionARN]/invocations

        • authorizerCredentials (string) --

          Specifies the credentials required for the authorizer, if any. Two options are available. To specify an IAM Role for Amazon API Gateway to assume, use the role's Amazon Resource Name (ARN). To use resource-based permissions on the Lambda function, specify null.

        • identitySource (string) --

          [Required] The source of the identity in an incoming request. For TOKEN authorizers, this value is a mapping expression with the same syntax as integration parameter mappings. The only valid source for tokens is 'header', so the expression should match 'method.request.header.[headerName]'. The value of the header '[headerName]' will be interpreted as the incoming token.

        • identityValidationExpression (string) --

          A validation expression for the incoming identity. For TOKEN authorizers, this value should be a regular expression. The incoming token from the client is matched against this expression, and will proceed if the token matches. If the token doesn't match, the client receives a 401 Unauthorized response.

        • authorizerResultTtlInSeconds (integer) --

          The TTL in seconds of cached authorizer results. If greater than 0, API Gateway will cache authorizer responses. If this field is not set, the default value is 300. The maximum value is 3600, or 1 hour.

TestInvokeAuthorizer (updated) Link ¶
Changes (response) 
{'claims': {'string': 'string'}}

Simulate the execution of an Authorizer in your RestApi with headers, parameters, and an incoming request body.

Request Syntax

client.test_invoke_authorizer(
    restApiId='string',
    authorizerId='string',
    headers={
        'string': 'string'
    },
    pathWithQueryString='string',
    body='string',
    stageVariables={
        'string': 'string'
    },
    additionalContext={
        'string': 'string'
    }
)
type restApiId

string

param restApiId

[REQUIRED]

Specifies a test invoke authorizer request's RestApi identifier.

type authorizerId

string

param authorizerId

[REQUIRED]

Specifies a test invoke authorizer request's Authorizer ID.

type headers

dict

param headers

[Required] A key-value map of headers to simulate an incoming invocation request. This is where the incoming authorization token, or identity source, should be specified.

  • (string) --

    • (string) --

type pathWithQueryString

string

param pathWithQueryString

[Optional] The URI path, including query string, of the simulated invocation request. Use this to specify path parameters and query string parameters.

type body

string

param body

[Optional] The simulated request body of an incoming invocation request.

type stageVariables

dict

param stageVariables

A key-value map of stage variables to simulate an invocation on a deployed Stage.

  • (string) --

    • (string) --

type additionalContext

dict

param additionalContext

[Optional] A key-value map of additional context variables.

  • (string) --

    • (string) --

rtype

dict

returns

Response Syntax

{
    'clientStatus': 123,
    'log': 'string',
    'latency': 123,
    'principalId': 'string',
    'policy': 'string',
    'authorization': {
        'string': [
            'string',
        ]
    },
    'claims': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --

    Represents the response of the test invoke request in for a custom Authorizer

    • clientStatus (integer) --

      The HTTP status code that the client would have received. Value is 0 if the authorizer succeeded.

    • log (string) --

      The Amazon API Gateway execution log for the test authorizer request.

    • latency (integer) --

      The execution latency of the test authorizer request

    • principalId (string) --

      The principal identity returned by the Authorizer

    • policy (string) --

      The policy JSON document returned by the Authorizer

    • authorization (dict) --

      • (string) --

        • (list) --

          • (string) --

    • claims (dict) --

      • (string) --

        • (string) --

UpdateAuthorizer (updated) Link ¶
Changes (response) 
{'providerARNs': ['string'], 'type': {'COGNITO_USER_POOLS'}}

Updates an existing Authorizer resource.

Request Syntax

client.update_authorizer(
    restApiId='string',
    authorizerId='string',
    patchOperations=[
        {
            'op': 'add'|'remove'|'replace'|'move'|'copy'|'test',
            'path': 'string',
            'value': 'string',
            'from': 'string'
        },
    ]
)
type restApiId

string

param restApiId

[REQUIRED]

The RestApi identifier for the Authorizer resource.

type authorizerId

string

param authorizerId

[REQUIRED]

The identifier of the Authorizer resource.

type patchOperations

list

param patchOperations

A list of operations describing the updates to apply to the specified resource. The patches are applied in the order specified in the list.

  • (dict) -- A single patch operation to apply to the specified resource. Please refer to http://tools.ietf.org/html/rfc6902#section-4 for an explanation of how each operation is used.

    • op (string) --

      A patch operation whose value indicates the operation to perform. Its value MUST be one of "add", "remove", "replace", "move", "copy", or "test"; other values are errors.

    • path (string) --

      Operation objects MUST have exactly one "path" member. That member's value is a string containing a JSON-Pointer value that references a location within the target document (the "target location") where the operation is performed.

    • value (string) --

      The actual value content.

    • from (string) --

      The "move" and "copy" operation object MUST contain a "from" member, which is a string containing a JSON Pointer value that references the location in the target document to move the value from.

rtype

dict

returns

Response Syntax

{
    'id': 'string',
    'name': 'string',
    'type': 'TOKEN'|'COGNITO_USER_POOLS',
    'providerARNs': [
        'string',
    ],
    'authType': 'string',
    'authorizerUri': 'string',
    'authorizerCredentials': 'string',
    'identitySource': 'string',
    'identityValidationExpression': 'string',
    'authorizerResultTtlInSeconds': 123
}

Response Structure

  • (dict) --

    Represents an authorization layer for methods. If enabled on a method, API Gateway will activate the authorizer when a client calls the method.

    • id (string) --

      The identifier for the authorizer resource.

    • name (string) --

      [Required] The name of the authorizer.

    • type (string) --

      [Required] The type of the authorizer. Currently, the only valid type is TOKEN.

    • providerARNs (list) --

      • (string) --

    • authType (string) --

      Optional customer-defined field, used in Swagger imports/exports. Has no functional impact.

    • authorizerUri (string) --

      [Required] Specifies the authorizer's Uniform Resource Identifier (URI). For TOKEN authorizers, this must be a well-formed Lambda function URI. The URI should be of the form arn:aws:apigateway:{region}:lambda:path/{service_api} . Region is used to determine the right endpoint. In this case, path is used to indicate that the remaining substring in the URI should be treated as the path to the resource, including the initial / . For Lambda functions, this is usually of the form /2015-03-31/functions/[FunctionARN]/invocations

    • authorizerCredentials (string) --

      Specifies the credentials required for the authorizer, if any. Two options are available. To specify an IAM Role for Amazon API Gateway to assume, use the role's Amazon Resource Name (ARN). To use resource-based permissions on the Lambda function, specify null.

    • identitySource (string) --

      [Required] The source of the identity in an incoming request. For TOKEN authorizers, this value is a mapping expression with the same syntax as integration parameter mappings. The only valid source for tokens is 'header', so the expression should match 'method.request.header.[headerName]'. The value of the header '[headerName]' will be interpreted as the incoming token.

    • identityValidationExpression (string) --

      A validation expression for the incoming identity. For TOKEN authorizers, this value should be a regular expression. The incoming token from the client is matched against this expression, and will proceed if the token matches. If the token doesn't match, the client receives a 401 Unauthorized response.

    • authorizerResultTtlInSeconds (integer) --

      The TTL in seconds of cached authorizer results. If greater than 0, API Gateway will cache authorizer responses. If this field is not set, the default value is 300. The maximum value is 3600, or 1 hour.