Creating a custom Lambda authorizer using Open Policy Agent
Organizations run complex infrastructure and need common tooling to make authorization decisions consistently across the system as a whole. Policy-based decision making of this kind can be implemented with Open Policy Agent (OPA), an open source, general-purpose policy engine that decouples policy decision-making from policy enforcement.
When an application needs a policy decision, it passes the relevant attributes to OPA as structured data (for example, JSON). OPA evaluates that input against its policies and any loaded context data and returns a decision. OPA policies are written in Rego, a high-level declarative language. OPA offers several ways to integrate with microservices, Kubernetes, CI/CD pipelines, API gateways, and more. For more information on Open Policy Agent, visit the project website.
Building a custom Lambda authorizer using OPA
A Lambda authorizer is an Amazon API Gateway feature that uses an AWS Lambda function to control access to an API. In this post, we show how to build a custom Lambda authorizer that delegates the access decision to OPA. The sample is a request parameter-based authorizer: it receives the caller's identity as a combination of request headers, converts them into a structured input document for OPA, and translates OPA's policy decision into the allow-or-deny response that API Gateway enforces for the API call.
- Users call the API.
- API Gateway invokes the custom OPA Lambda authorizer, passing the request parameters (headers, query string, stage variables, and request context).
- The authorizer builds OPA input from those parameters, evaluates the policy against that context data, and returns an IAM policy object that allows or denies execute-api:Invoke for the requested method.
- API Gateway enforces the returned policy. If authorizer caching is enabled, the policy is cached for the configured TTL, keyed on the identity sources (the headers) configured for the authorizer, and reused for later requests that carry the same values.
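The flow above, as an added Go example that is not code from the original post or its sample project: a handler body that turns the authorizer event's method ARN and headers into OPA input, asks OPA for a decision, and returns the IAM policy object API Gateway enforces. It assumes the header names x-user and x-role, a Rego rule at httpapi.authz.allow, and queries OPA over its REST Data API (POST /v1/data/<rule path>) rather than embedding the OPA library as the post's own authorizer may; the structs are defined locally rather than taken from aws-lambda-go, and FakeOPA is a constructed stand-in for a running OPA so the program runs offline.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// OPAInput is the structured document handed to OPA as `input`.
type OPAInput struct {
	Method  string            `json:"method"`
	Path    string            `json:"path"`
	Headers map[string]string `json:"headers"`
}

// Response is the IAM policy object API Gateway expects back and enforces.
type Statement struct{ Action, Effect, Resource string }
type Response struct {
	PrincipalID    string `json:"principalId"`
	PolicyDocument struct {
		Version   string
		Statement []Statement
	} `json:"policyDocument"`
}

// NewOPAInput builds OPA input from the event's methodArn and headers. The ARN
// (arn:<partition>:execute-api:REGION:ACCOUNT:APIID/STAGE/VERB/RESOURCE) is validated
// so a malformed event cannot yield a policy on an odd resource; header names are
// lower-cased (clients vary) so Rego rules can index input.headers["x-user"].
func NewOPAInput(methodArn string, headers map[string]string) (OPAInput, error) {
	f := strings.SplitN(methodArn, ":", 6)
	p := strings.SplitN(f[len(f)-1], "/", 4) // APIID, STAGE, VERB, RESOURCE
	if len(f) != 6 || f[0] != "arn" || f[2] != "execute-api" || len(p) != 4 || p[2] == "" {
		return OPAInput{}, fmt.Errorf("not an execute-api method ARN: %q", methodArn)
	}
	in := OPAInput{Method: p[2], Path: "/" + p[3], Headers: map[string]string{}}
	for k, v := range headers {
		in.Headers[strings.ToLower(k)] = v
	}
	return in, nil
}

// QueryOPA posts {"input": ...} to OPA's Data API (POST /v1/data/<rule path>).
// An undefined rule comes back as {} with no "result" key, and a non-200 status
// is an error; both mean deny, so the authorizer fails closed.
func QueryOPA(opaURL, rule string, in OPAInput) (bool, error) {
	body, _ := json.Marshal(map[string]OPAInput{"input": in})
	resp, err := http.Post(opaURL+"/v1/data/"+rule, "application/json", bytes.NewReader(body))
	if err != nil { return false, err }
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { return false, fmt.Errorf("opa returned %s", resp.Status) }
	var out struct{ Result *bool }
	err = json.NewDecoder(resp.Body).Decode(&out)
	return err == nil && out.Result != nil && *out.Result, err
}

// Authorize is the handler body: event -> OPA input -> decision -> IAM policy.
// Resource is the exact method ARN, not "*", so an Allow that API Gateway caches
// for the TTL cannot be replayed against other methods; errors are returned,
// never mapped to Allow, so the invocation fails and the call is denied.
func Authorize(opaURL, methodArn string, headers map[string]string) (resp Response, err error) {
	in, err := NewOPAInput(methodArn, headers)
	if err != nil { return resp, err }
	allowed, err := QueryOPA(opaURL, "httpapi/authz/allow", in)
	if err != nil { return resp, err }
	if resp.PrincipalID = in.Headers["x-user"]; resp.PrincipalID == "" {
		resp.PrincipalID = "anonymous"
	}
	resp.PolicyDocument.Version = "2012-10-17"
	effect := map[bool]string{true: "Allow", false: "Deny"}[allowed]
	resp.PolicyDocument.Statement = []Statement{{"execute-api:Invoke", effect, methodArn}}
	return resp, nil
}

// FakeOPA stands in for an OPA server so the example runs offline. It mimics a
// Rego rule httpapi.authz.allow that is true for header x-role "admin" or verb
// GET and undefined otherwise (no default), which OPA reports as {}.
func FakeOPA(w http.ResponseWriter, r *http.Request) {
	var req struct{ Input OPAInput }
	_ = json.NewDecoder(r.Body).Decode(&req) // a bad body leaves req empty: deny
	if req.Input.Headers["x-role"] == "admin" || req.Input.Method == "GET" {
		fmt.Fprint(w, `{"result": true}`)
		return
	}
	fmt.Fprint(w, `{}`)
}

func StartFakeOPA() *httptest.Server { return httptest.NewServer(http.HandlerFunc(FakeOPA)) }

func main() {
	opa := StartFakeOPA()
	defer opa.Close()
	// Constructed request: user alice, role viewer, attempting DELETE /orders.
	resp, err := Authorize(opa.URL, "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/DELETE/orders",
		map[string]string{"X-User": "alice", "X-Role": "viewer"})
	out, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Println(string(out), err) // Effect is "Deny" for this request
}
```

In a real deployment the Lambda handler would receive the API Gateway REQUEST authorizer event and pass its methodArn and headers to Authorize. Two points carry over regardless of how OPA is hosted: a rule that is undefined for the input must be read as deny, not as "no result", and the Resource in the returned policy should be as narrow as the cached decision is reused, because API Gateway applies a cached Allow to any request that shares the same identity-source values during the TTL.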
To build the architecture described in the preceding list, we use the AWS Cloud Development Kit (AWS CDK).
- Create an AWS Cloud9 environment backed by an Amazon Elastic Compute Cloud (Amazon EC2) instance, following the documentation instructions.
- Launch the environment, following the documentation instructions.
- Set up the AWS Cloud9 environment to build and run Go code, following the documentation instructions.
Project setup and code walkthrough
Creating a CDK project
Run the following commands to initialize an empty AWS CDK project for TypeScript.