PATTERN Cited by 1 source
Lambda authorizer¶
Shape¶
A Lambda authorizer is a Lambda function that API Gateway invokes before dispatching a request to the backend. The authorizer:
- Extracts and validates the identity token (typically a Cognito JWT).
- Extracts authorization-relevant claims (roles, group memberships, tenant_id, custom attributes injected by a pre-token hook).
- Calls a policy engine (e.g.
AVP
IsAuthorized) with(principal, action, resource, context). - Returns an IAM policy document with Allow / Deny.
- API Gateway enforces (forwards on Allow, 403s on Deny) and caches the decision keyed by token + route.
(Source: sources/2026-02-05-aws-convera-verified-permissions-fine-grained-authorization)
Why it works¶
- Stateless compute (Lambda) on an event-driven trigger (API Gateway) matches the per-request authorization workload shape; scales with API traffic, pays per invocation.
- Decision caching at API Gateway hides the Lambda invocation entirely on cache hit — submillisecond end-to-end, with the full evaluation only on cache miss.
- Decouples authorization from backend code. Backends don't embed authorization; the authorizer owns it. Backend changes don't touch authz, authz changes don't touch backends.
- Works across protocols. Same authorizer in front of REST, HTTP, and WebSocket API Gateway variants.
- Natural integration with policy-engine managed services. AVP + Cedar, OPA, Oso Cloud, Permify, Cerbos — any HTTP-callable policy engine fits.
Typical architecture (Convera production shape)¶
Client → API Gateway → [cache hit?] → forward to backend
↓ (miss)
Lambda authorizer
├── Validate JWT signature + expiry
├── Extract claims (role, tenant_id, etc.)
├── Look up policy store (static or tenant-indexed)
├── Call AVP.IsAuthorized
├── Build IAM policy (Allow/Deny)
└── Return → API Gateway caches + enforces
Convera reuses this shape across four modes:
- Customer UI + API — single policy store, policies keyed by
principal.role. - Internal customer-service — separate policy store, Okta-federated identity.
- Machine-to-machine — per-service policy store, client-credentials token.
- Multi-tenant SaaS — per-tenant policy store lookup via
DynamoDB
tenant_id → policy-store-id(patterns/per-tenant-policy-store).
Trade-offs¶
- Cold-start latency on cache miss. Not a blocker for repeat traffic (decision cache absorbs it) but the first call of the day after idle scale-down pays Lambda cold-start plus AVP.
- Cache TTL = policy-change propagation floor. If TTL = 5m, a policy tightening takes up to 5m to take effect. Must be tuned against policy-change frequency and tolerated staleness.
- Token opacity. The authorizer needs access to whatever attributes the policies reference. If those aren't in the JWT (enrichment), the authorizer does a second lookup — reinstating the cost enrichment was supposed to eliminate.
- Authorizer failure modes. On Lambda error, API Gateway can fail-open or fail-closed; fail-closed is the safe default for production. Not discussed in the Convera source.
Canonical instantiations on this wiki¶
- Convera + AVP + Cedar — four authorization modes on one authorizer shape; submillisecond latency at thousands of requests/sec. (Source: sources/2026-02-05-aws-convera-verified-permissions-fine-grained-authorization)
Related¶
- systems/aws-lambda, systems/amazon-api-gateway — substrate.
- systems/amazon-verified-permissions — the policy engine the authorizer calls.
- concepts/fine-grained-authorization — what this pattern delivers at API edges.
- concepts/authorization-decision-caching — the performance companion.
- patterns/pre-token-generation-hook — the token-enrichment half; supplies attributes the authorizer consumes.
- patterns/webhook-triggered-verifier-lambda — structurally adjacent pattern (stateless serverless verifier between an edge event and a gate) but operates on a different event shape (webhook vs API call).