ユースケースで学ぶ！API Gateway + Lambda Authorizer 実践入門（CDK）

ϢʔεέʔεͰֶͿʂ "1*(BUFXBZ -BNCEB"VUIPSJ[FS࣮૷ೖ໳ʢ$%,ʣ "84ࣄۀຊ෦ίϯαϧςΟϯά෦നੴ੒Ұ

ࣗݾ঺հ w"84ࣄۀຊ෦ίϯαϧς Οϯά෦ w"84ΤϯδχΞ ϑϩϯτ ΤϯυΤϯδχΞ w8FCडୗ4&4$. w"84 )5.-
$44 +BWB4DSJQU 5ZQF4DSJQU 1)1 1FSM $ 1ZUIPO നੴ੒ҰʢShiraishi Seiichiʣ

ΞδΣϯμ ຊηογϣϯʹ͍ͭͯ ࣮૷֓ཁʢ8FCIPPL #BTJDೝূར༻ʣ "1*(BUFXBZ -BNCEB"VUIPSJ[FS࣮૷ ·ͱΊ

ຊηογϣϯʹ͍ͭͯ ର৅ࢹௌऀ w"1*։ൃॳֶऀ w"1*(BUFXBZ -BNCEB"VUIPSJ[FSॳֶऀ ΰʔϧ w8FCIPPLΛड͚෇͚ΔͨΊͷ"1*(BUFXBZΛ࣮૷͠·͢ɻ"1* (BUFXBZʹ͸#BTJDೝূΛ࣮૷͠·͢ɻ w͜ͷྫΛ௨ͯ͠ɺԿ͔ಘΔ΋ͷ͕͋Γ·͢ͱ޾͍Ͱ͢ɻ

ຊηογϣϯʹೖΔલʹ લఏ৚݅ wຊηογϣϯͰ͸ɺ;FOEFTLʹͯ8FCIPPLͷઃఆΛߦ͍ɺ 8FCIPPLΛड͚෇͚Δ"1*Λ࡞੒͢Δํ๏Λ͝঺հ͠·͢ɻ w;FOEFTLଆͷઃఆ͸औΓѻΘͣɺࢀߟϒϩάͷ͝঺հͷΈͱͤͯ͞ ͍͖ͨͩ·͢ɻ ࢖༻͢Δٕज़ w"1*(BUFXBZ -BNCEB"VUIPSJ[FS
w"84$%,W

࣮૷֓ཁ w;FOEFTLͷ8FCIPPLઃఆ w;FOEFTLͷ#BTJDೝূઃఆ w8FCIPPLΛड͚෇͚Δ"1*ͷ࡞੒ w"1*(BUFXBZͷ࡞੒ w-BNCEB"VUIPSJ[FSͷ࡞੒

࣮૷֓ཁ w;FOEFTLͱ͸ w;FOEFTL͸ɺʮ͓٬༷͕৺஍Α͍ͱײ͡ΔΤΫεϖϦΤϯεʯΛ࣮ ݱ͢ΔΧελϚʔαʔϏεϓϥοτϑΥʔϜΛఏڙ͍ͯ͠·͢ɻ   ϝʔϧ͔Βͷ͓໰͍߹Θͤ΋ɺνϟοτ͔Βͷ͓໰͍߹Θͤ΋Ұݩ ؅ཧͰ͖ΔͨΊɺΧελϚʔαʔϏεۀ຿͕ܶతʹεϜʔζʹͳΔ ͱͱ΋ʹɺސ٬ͱͷΑΓྑ͍ؔ܎Λங͘͜ͱ͕ՄೳʹͳΓ·͢ɻ wҾ༻ɿIUUQTXXX[FOEFTLDPKQBCPVU

࣮૷֓ཁ w"1*(BUFXBZͱ͸ w"NB[PO"1*(BUFXBZ͸ɺ͋ΒΏΔن໛ͷ3&45ɺ)551ɺ͓Α ͼ8FC4PDLFU"1*Λ࡞੒ɺެ։ɺҡ࣋ɺϞχλϦϯάɺ͓Αͼη ΩϡΞԽ͢ΔͨΊͷ"84ͷαʔϏεͰ͢ɻ wҾ༻ɿIUUQTEPDTBXTBNB[PODPNKB@KQBQJHBUFXBZ MBUFTUEFWFMPQFSHVJEFXFMDPNFIUNM

࣮૷֓ཁ w-BNCEB"VUIPSJ[FSͱ͸ w-BNCEBؔ਺Λ࢖༻ͯ͠)551"1*΁ͷΞΫηεΛ੍ޚ͢Δ࢓૊ ΈͰ͢ɻ wҾ༻ɿIUUQTEPDTBXTBNB[PODPNKB@KQBQJHBUFXBZ MBUFTUEFWFMPQFSHVJEFIUUQBQJMBNCEBBVUIPSJ[FSIUNM

ΞʔΩςΫνϟ

;FOEFTLଆઃఆ https://dev.classmethod.jp/ articles/zendesk-attachments- to-s3/ wʮ;FOEFTLͷ8FCIPPLͱ τϦΨʔͷઃఆʯͷষΛࢀߟ

"1*(BUFXBZ࣮૷ import { IdentitySource, LambdaIntegration, RequestAuthorizer, RestApi } from
‘aws-cdk-lib/aws-apigateway'; const api = new RestApi(this, 'zendesk-webhook-api', { deployOptions: { stageName: ‘v1’ // default Ͱ͸ prod ͕ੜ੒͞ΕΔ } }) const auth = new RequestAuthorizer(this, 'zendeskWebhookAuthorizer', { handler: authorizerFunction, // LambdaAuthorizer ࣮૷ identitySources: [ IdentitySource.header(‘Authorization'), IdentitySource.header(‘X-Request-Id’) ] })

"1*(BUFXBZ࣮૷ const webhookApi = api.root.addResource('resource'); webhookApi.addMethod( 'POST', new LambdaIntegration(postResourceFunction),
{ authorizer: auth } ) webhookApi.addCorsPreflight({ statusCode: 200, allowOrigins: Cors.ALL_ORIGINS, allowMethods: Cors.ALL_METHODS, allowHeaders: Cors.DEFAULT_HEADERS, })

-BNCEB"VUIPSJ[FS࣮૷ import { ManagedPolicy, Effect, PolicyStatement, Role, ServicePrincipal }
from ‘aws-cdk-lib/aws-iam'; // policy ͷ࣮૷ const authorizerFunctionPolicy = new ManagedPolicy(this, "authorizer-function-policy", { managedPolicyName: "authorizer-function-policy", statements: [ new PolicyStatement({ effect: Effect.ALLOW, actions: [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], resources: ["arn:aws:logs:*:*:*"], }), ] }); const authorizerFunctionRole = new Role(this, "authorizer-function-role", { roleName: "authorizer-function-role", assumedBy: new ServicePrincipal("lambda.amazonaws.com"), managedPolicies: [authorizerFunctionPolicy] });

-BNCEB"VUIPSJ[FS࣮૷ // policy ͷ࣮૷ const authorizerInvokePolicy = new ManagedPolicy(this,
"authorizer-invoke-policy", { managedPolicyName: "authorizer-invoke-policy", statements: [ new PolicyStatement({ effect: Effect.ALLOW, actions: [ "sts:AssumeRole", ], resources: ['*'], }) ] }) const authorizerInvokeRole = new Role(this, 'authorizer-invoke-role', { roleName: "authorizer-invoke-role", assumedBy: new ServicePrincipal('apigateway.amazonaws.com'), managedPolicies: [authorizerInvokePolicy] });

-BNCEB"VUIPSJ[FS࣮૷ const authorizerFunction = new Function(this, ‘authorizer-function', { functionName:
'authorizer-function', description: ‘Zendesk WebhookͷBasicೝূΛݕূ͢Δ', code: new AssetCode(“resources"), // ೚ҙͷύεΛઃఆ handler: “auth/authorizer.handler", // ೚ҙͷύεΛઃఆ runtime: Runtime.PYTHON_3_9, role: authorizerFunctionRole, environment: { // parameter store Λར༻ SSM_ZENDESK_USERNAME: "/zendesk/username", SSM_ZENDESK_PASSWORD: "/zendesk/password", } }); // API Gateway ͕ Lambda Λ࣮ߦ͢ΔͨΊͷݖݶ authorizerFunction.grantInvoke(authorizerInvokeRole);

-BNCEB"VUIPSJ[FS࣮૷ import base64 import json import logging import os
from hooks.utils import common TOKYO = "ap-northeast-1" logger = logging.getLogger() logger.setLevel(logging.INFO) zendesk_username = os.environ['SSM_ZENDESK_USERNAME'] zendesk_password = os.environ['SSM_ZENDESK_PASSWORD'] def handler(event, context): try: basic_header = event[“headers"]["Authorization"] req_id = event["headers"]["X-Request-Id"] result = is_valid(basic_header, common.get_parameter_value(zendesk_username), common.get_parameter_value(zendesk_password)) if result is True: return gen_policy(req_id, "Allow") return gen_policy(req_id, "Deny") except Exception as e: logger.error(e) raise Exception("Unauthorized") authorizer.py

-BNCEB"VUIPSJ[FS࣮૷ def is_valid(basic_header, username, password): basic_username_and_pasword = base64.b64encode( f"{username}:{password}".encode("utf-8")
) sig = f"Basic {basic_username_and_pasword.decode('utf-8')}" if basic_header == sig: return True return False def gen_policy(principal_id, effect: str): return { "principalId": principal_id, "policyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": "execute-api:Invoke", "Effect": effect, "Resource": '*', } ], }, } authorizer.py

-BNCEB"VUIPSJ[FS࣮૷ import boto3 def get_parameter_value(param_key): ssm = boto3.client('ssm') return
ssm.get_parameter(Name=param_key, WithDecryption=True)['Parameter']['Value'] common.py

ʢ͓·͚ʣ8FCIPPLॺ໊ݕূ common.py https://dev.classmethod.jp/ articles/zendesk-webhook- signature-veri fi cation-in-python/ wηΩϡϦςΟରࡦͱͯ͠ 8FCIPPL͕ຊ౰ʹ;FOEFTL
͔Βͷ΋ͷͰ͋Δ͔Ͳ͏͔Λ֬ ೝɾݕূ͢Δ

·ͱΊ w$%, -BNCEB"VUIPSJ[FS͸ϦϑΝϨϯεΛಡΈ࣮૷͠·͠ΐ͏ wIUUQTEPDTBXTBNB[PODPNKB@KQBQJHBUFXBZMBUFTU EFWFMPQFSHVJEFBQJHBUFXBZVTFMBNCEBBVUIPSJ[FSIUNM w8FCIPPLΛར༻࣮ͨ͠૷͸ɺ;FOEFTLʹݶΒͣଞͷαʔϏεͰ΋Α ͋͘ΔͨΊྲྀ༻Ͱ͖Δʢ4MBDL %JTDPSE -*/&FUDʣ
wૉৼΓͱͯ͠ɺ͓खܰͳϢʔεέʔε

͝੩ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠

ユースケースで学ぶ！API Gateway + Lambda Authorizer 実践入門（...

ユースケースで学ぶ！API Gateway + Lambda Authorizer 実践入門（CDK）

Shiraishi

Other Decks in Technology

Featured

Transcript

ϢʔεέʔεͰֶͿʂ "1*(BUFXBZ -BNCEB"VUIPSJ[FS࣮૷ೖ໳ʢ$%,ʣ "84ࣄۀຊ෦ίϯαϧςΟϯά෦നੴ੒Ұ

ࣗݾ঺հ w"84ࣄۀຊ෦ίϯαϧς Οϯά෦ w"84ΤϯδχΞ ϑϩϯτ ΤϯυΤϯδχΞ w8FCडୗ4&4$. w"84 )5.-

ΞδΣϯμ ຊηογϣϯʹ͍ͭͯ ࣮૷֓ཁʢ8FCIPPL #BTJDೝূར༻ʣ "1*(BUFXBZ -BNCEB"VUIPSJ[FS࣮૷ ·ͱΊ

ΞδΣϯμ ຊηογϣϯʹ͍ͭͯ ࣮૷֓ཁʢ8FCIPPL #BTJDೝূར༻ʣ "1*(BUFXBZ -BNCEB"VUIPSJ[FS࣮૷ ·ͱΊ

ຊηογϣϯʹ͍ͭͯ ର৅ࢹௌऀ w"1։ൃॳֶऀ w"1(BUFXBZ -BNCEB"VUIPSJ[FSॳֶऀ ΰʔϧ w8FCIPPLΛड͚෇͚ΔͨΊͷ"1(BUFXBZΛ࣮૷͠·͢ɻ"1 (BUFXBZʹ͸#BTJDೝূΛ࣮૷͠·͢ɻ w͜ͷྫΛ௨ͯ͠ɺԿ͔ಘΔ΋ͷ͕͋Γ·͢ͱ޾͍Ͱ͢ɻ

ຊηογϣϯʹೖΔલʹ લఏ৚݅ wຊηογϣϯͰ͸ɺ;FOEFTLʹͯ8FCIPPLͷઃఆΛߦ͍ɺ 8FCIPPLΛड͚෇͚Δ"1Λ࡞੒͢Δํ๏Λ͝঺հ͠·͢ɻ w;FOEFTLଆͷઃఆ͸औΓѻΘͣɺࢀߟϒϩάͷ͝঺հͷΈͱͤͯ͞ ͍͖ͨͩ·͢ɻ ࢖༻͢Δٕज़ w"1(BUFXBZ -BNCEB"VUIPSJ[FS

ΞδΣϯμ ຊηογϣϯʹ͍ͭͯ ࣮૷֓ཁʢ8FCIPPL #BTJDೝূར༻ʣ "1*(BUFXBZ -BNCEB"VUIPSJ[FS࣮૷ ·ͱΊ

࣮૷֓ཁ w;FOEFTLͷ8FCIPPLઃఆ w;FOEFTLͷ#BTJDೝূઃఆ w8FCIPPLΛड͚෇͚Δ"1ͷ࡞੒ w"1(BUFXBZͷ࡞੒ w-BNCEB"VUIPSJ[FSͷ࡞੒

࣮૷֓ཁ w"1(BUFXBZͱ͸ w"NB[PO"1(BUFXBZ͸ɺ͋ΒΏΔن໛ͷ3&45ɺ)551ɺ͓Α ͼ8FC4PDLFU"1*Λ࡞੒ɺެ։ɺҡ࣋ɺϞχλϦϯάɺ͓Αͼη ΩϡΞԽ͢ΔͨΊͷ"84ͷαʔϏεͰ͢ɻ wҾ༻ɿIUUQTEPDTBXTBNB[PODPNKB@KQBQJHBUFXBZ MBUFTUEFWFMPQFSHVJEFXFMDPNFIUNM

࣮૷֓ཁ w-BNCEB"VUIPSJ[FSͱ͸ w-BNCEBؔ਺Λ࢖༻ͯ͠)551"1*΁ͷΞΫηεΛ੍ޚ͢Δ࢓૊ ΈͰ͢ɻ wҾ༻ɿIUUQTEPDTBXTBNB[PODPNKB@KQBQJHBUFXBZ MBUFTUEFWFMPQFSHVJEFIUUQBQJMBNCEBBVUIPSJ[FSIUNM

ΞʔΩςΫνϟ

ΞδΣϯμ ຊηογϣϯʹ͍ͭͯ ࣮૷֓ཁʢ8FCIPPL #BTJDೝূར༻ʣ "1*(BUFXBZ -BNCEB"VUIPSJ[FS࣮૷ ·ͱΊ

;FOEFTLଆઃఆ https://dev.classmethod.jp/ articles/zendesk-attachments- to-s3/ wʮ;FOEFTLͷ8FCIPPLͱ τϦΨʔͷઃఆʯͷষΛࢀߟ

"1*(BUFXBZ࣮૷ import { IdentitySource, LambdaIntegration, RequestAuthorizer, RestApi } from

"1*(BUFXBZ࣮૷ const webhookApi = api.root.addResource('resource'); webhookApi.addMethod( 'POST', new LambdaIntegration(postResourceFunction),

-BNCEB"VUIPSJ[FS࣮૷ import { ManagedPolicy, Effect, PolicyStatement, Role, ServicePrincipal }

-BNCEB"VUIPSJ[FS࣮૷ // policy ͷ࣮૷ const authorizerInvokePolicy = new ManagedPolicy(this,

-BNCEB"VUIPSJ[FS࣮૷ const authorizerFunction = new Function(this, ‘authorizer-function', { functionName:

-BNCEB"VUIPSJ[FS࣮૷ import base64 import json import logging import os

-BNCEB"VUIPSJ[FS࣮૷ def is_valid(basic_header, username, password): basic_username_and_pasword = base64.b64encode( f"{username}:{password}".encode("utf-8")

-BNCEB"VUIPSJ[FS࣮૷ import boto3 def get_parameter_value(param_key): ssm = boto3.client('ssm') return

ʢ͓·͚ʣ8FCIPPLॺ໊ݕূ common.py https://dev.classmethod.jp/ articles/zendesk-webhook- signature-veri fi cation-in-python/ wηΩϡϦςΟରࡦͱͯ͠ 8FCIPPL͕ຊ౰ʹ;FOEFTL

ΞδΣϯμ ຊηογϣϯʹ͍ͭͯ ࣮૷֓ཁʢ8FCIPPL #BTJDೝূར༻ʣ "1*(BUFXBZ -BNCEB"VUIPSJ[FS࣮૷ ·ͱΊ

·ͱΊ w$%, -BNCEB"VUIPSJ[FS͸ϦϑΝϨϯεΛಡΈ࣮૷͠·͠ΐ͏ wIUUQTEPDTBXTBNB[PODPNKB@KQBQJHBUFXBZMBUFTU EFWFMPQFSHVJEFBQJHBUFXBZVTFMBNCEBBVUIPSJ[FSIUNM w8FCIPPLΛར༻࣮ͨ͠૷͸ɺ;FOEFTLʹݶΒͣଞͷαʔϏεͰ΋Α ͋͘ΔͨΊྲྀ༻Ͱ͖Δʢ4MBDL %JTDPSE -*/&FUDʣ

͝੩ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠