Authorizer
apigatewayv2.services.k8s.aws/v1alpha1
Type | Link |
---|---|
GoDoc | apigatewayv2-controller/apis/v1alpha1#Authorizer |
Metadata
Property | Value |
---|---|
Scope | Namespaced |
Kind | Authorizer |
ListKind | AuthorizerList |
Plural | authorizers |
Singular | authorizer |
Represents an authorizer.
Spec
apiID: string
apiRef:
  from:
    name: string
    namespace: string
authorizerCredentialsARN: string
authorizerPayloadFormatVersion: string
authorizerResultTTLInSeconds: integer
authorizerType: string
authorizerURI: string
enableSimpleResponses: boolean
identitySource:
- string
identityValidationExpression: string
jwtConfiguration:
  audience:
  - string
  issuer: string
name: string
Field | Description |
---|---|
apiID Optional | string The API identifier. |
apiRef Optional | object AWSResourceReferenceWrapper provides a wrapper around the *AWSResourceReference type to provide a more user-friendly syntax for references using the ‘from’ field. Ex: APIIDRef: from: name: my-api |
apiRef.from Optional | object AWSResourceReference provides all the values necessary to reference another k8s resource for finding the identifier (Id/ARN/Name). |
apiRef.from.name Optional | string |
apiRef.from.namespace Optional | string |
authorizerCredentialsARN Optional | string Specifies the required credentials as an IAM role for API Gateway to invoke the authorizer. To specify an IAM role for API Gateway to assume, use the role’s Amazon Resource Name (ARN). To use resource-based permissions on the Lambda function, don’t specify this parameter. Supported only for REQUEST authorizers. |
authorizerPayloadFormatVersion Optional | string Specifies the format of the payload sent to an HTTP API Lambda authorizer. Required for HTTP API Lambda authorizers. Supported values are 1.0 and 2.0. To learn more, see Working with AWS Lambda authorizers for HTTP APIs (https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html). |
authorizerResultTTLInSeconds Optional | integer The time to live (TTL) for cached authorizer results, in seconds. If it equals 0, authorization caching is disabled. If it is greater than 0, API Gateway caches authorizer responses. The maximum value is 3600, or 1 hour. Supported only for HTTP API Lambda authorizers. |
authorizerType Required | string The authorizer type. Specify REQUEST for a Lambda function using incoming request parameters. Specify JWT to use JSON Web Tokens (supported only for HTTP APIs). |
authorizerURI Optional | string The authorizer’s Uniform Resource Identifier (URI). For REQUEST authorizers, this must be a well-formed Lambda function URI, for example, arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:{account_id}:function:{lambda_function_name}/invocations. In general, the URI has this form: arn:aws:apigateway:{region}:lambda:path/{service_api} , where {region} is the same as the region hosting the Lambda function, path indicates that the remaining substring in the URI should be treated as the path to the resource, including the initial /. For Lambda functions, this is usually of the form /2015-03-31/functions/[FunctionARN]/invocations. Supported only for REQUEST authorizers. |
enableSimpleResponses Optional | boolean Specifies whether a Lambda authorizer returns a response in a simple format. By default, a Lambda authorizer must return an IAM policy. If enabled, the Lambda authorizer can return a boolean value instead of an IAM policy. Supported only for HTTP APIs. To learn more, see Working with AWS Lambda authorizers for HTTP APIs (https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html) |
identitySource Required | array The identity source for which authorization is requested. For a REQUEST authorizer, this is optional. The value is a set of one or more mapping expressions of the specified request parameters. The identity source can be headers, query string parameters, stage variables, and context parameters. For example, if an Auth header and a Name query string parameter are defined as identity sources, this value is route.request.header.Auth, route.request.querystring.Name for WebSocket APIs. For HTTP APIs, use selection expressions prefixed with $, for example, $request.header.Auth, $request.querystring.Name. These parameters are used to perform runtime validation for Lambda-based authorizers by verifying all of the identity-related request parameters are present in the request, not null, and non-empty. Only when this is true does the authorizer invoke the authorizer Lambda function. Otherwise, it returns a 401 Unauthorized response without calling the Lambda function. For HTTP APIs, identity sources are also used as the cache key when caching is enabled. To learn more, see Working with AWS Lambda authorizers for HTTP APIs (https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html). For JWT, a single entry that specifies where to extract the JSON Web Token (JWT) from inbound requests. Currently only header-based and query parameter-based selections are supported, for example $request.header.Authorization. |
identitySource.[] Required | string |
jwtConfiguration Optional | object Represents the configuration of a JWT authorizer. Required for the JWT authorizer type. Supported only for HTTP APIs. |
jwtConfiguration.audience Optional | array |
jwtConfiguration.audience.[] Required | string |
name Required | string The name of the authorizer. |
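The constraints in the field descriptions above can be checked before a manifest is applied. The following linter is an added example, not part of the ACK project: `lint_authorizer_spec` and the sample specs are hypothetical, the account ID, function name and issuer are constructed placeholders, and the URI pattern assumes the usual `/2015-03-31/functions/[FunctionARN]/invocations` path without a function alias.

```python
import re

# Lambda authorizer URI shape from the authorizerURI description (assumes the usual 2015-03-31 path).
LAMBDA_URI = re.compile(
    r"^arn:aws:apigateway:(?P<gw_region>[a-z0-9-]+):lambda:path/2015-03-31/functions/"
    r"arn:aws:lambda:(?P<fn_region>[a-z0-9-]+):\d{12}:function:[A-Za-z0-9_-]+/invocations$"
)
JWT_SOURCE = re.compile(r"^\$request\.(header|querystring)\.[A-Za-z0-9_-]+$")

def lint_authorizer_spec(spec):
    """Return findings for one Authorizer spec, given as a dict keyed by the Spec field names."""
    findings = []
    kind = spec.get("authorizerType")
    sources = spec.get("identitySource") or []
    ttl = spec.get("authorizerResultTTLInSeconds") or 0
    if kind not in ("REQUEST", "JWT"):
        findings.append("authorizerType must be REQUEST or JWT")
    if not 0 <= ttl <= 3600:
        findings.append("authorizerResultTTLInSeconds must be between 0 and 3600")
    if kind == "JWT":
        if not spec.get("jwtConfiguration"):
            findings.append("jwtConfiguration is required for JWT authorizers")
        if len(sources) != 1 or not JWT_SOURCE.match(sources[0]):
            findings.append("JWT identitySource must be one header or query string selection")
        for field in ("authorizerURI", "authorizerCredentialsARN"):
            if spec.get(field):
                findings.append(f"{field} is supported only for REQUEST authorizers")
    if kind == "REQUEST":
        m = LAMBDA_URI.match(spec.get("authorizerURI") or "")
        if not m:
            findings.append("authorizerURI is not a well-formed Lambda function URI")
        elif m["gw_region"] != m["fn_region"]:
            findings.append("authorizerURI region differs from the Lambda function's region")
        version = spec.get("authorizerPayloadFormatVersion")
        if version not in (None, "1.0", "2.0"):
            findings.append("authorizerPayloadFormatVersion must be 1.0 or 2.0")
        if ttl > 0 and not sources:  # identity sources are the cache key when caching is on
            findings.append("caching is enabled but identitySource is empty")
    return findings

# Constructed sample specs (placeholder account ID, function name and issuer).
BAD_REQUEST = {
    "authorizerType": "REQUEST",
    "authorizerURI": "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/"
                     "arn:aws:lambda:us-east-1:123456789012:function:authz/invocations",
    "authorizerPayloadFormatVersion": "3.0",
    "authorizerResultTTLInSeconds": 7200,
}
GOOD_JWT = {"authorizerType": "JWT", "identitySource": ["$request.header.Authorization"],
            "jwtConfiguration": {"audience": ["example-audience"], "issuer": "https://issuer.example.com"}}
```

`lint_authorizer_spec(BAD_REQUEST)` reports the out-of-range TTL, the region mismatch, the unsupported payload format version and the missing cache key; `GOOD_JWT` produces no findings.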
Status
ackResourceMetadata:
  arn: string
  ownerAccountID: string
  region: string
authorizerID: string
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
Field | Description |
---|---|
ackResourceMetadata Optional | object All CRs managed by ACK have a common Status.ACKResourceMetadata member that is used to contain resource sync state, account ownership, and the constructed ARN for the resource. |
ackResourceMetadata.arn Optional | string ARN is the Amazon Resource Name for the resource. This is a globally-unique identifier and is set only by the ACK service controller once the controller has orchestrated the creation of the resource OR when it has verified that an “adopted” resource (a resource where the ARN annotation was set by the Kubernetes user on the CR) exists and matches the supplied CR’s Spec field values. https://github.com/aws/aws-controllers-k8s/issues/270 |
ackResourceMetadata.ownerAccountID Required | string OwnerAccountID is the AWS Account ID of the account that owns the backend AWS service API resource. |
ackResourceMetadata.region Required | string Region is the AWS region in which the resource exists or will exist. |
authorizerID Optional | string The authorizer identifier. |
conditions Optional | array All CRs managed by ACK have a common Status.Conditions member that contains a collection of ackv1alpha1.Condition objects that describe the various terminal states of the CR and its backend AWS service API resource. |
conditions.[] Required | object Condition is the common struct used by all CRDs managed by ACK service controllers to indicate terminal states of the CR and its backend AWS service API resource. |
conditions.[].message Optional | string A human readable message indicating details about the transition. |
conditions.[].reason Optional | string The reason for the condition’s last transition. |
conditions.[].status Optional | string Status of the condition, one of True, False, Unknown. |
conditions.[].type Optional | string Type is the type of the Condition |