AWS lambda : Passing data from custom authorizer to business lambda

aws lambda authorizer example
serverless custom authorizer
lambda authorizer jwt
aws api gateway multiple authorizers
lambda authorizer vs cognito
lambda authorizer context
lambda authorizer callback
cognito custom authorizer

I am using custom authentication (with custom authorizer) for accessing AWS lambda. The authorization process works fine. But I have a problem to transmit data (ex principalId) between the authorizer lambda and the business lambda. All my lambdas are developed in JS. As explain in AWS doc, in the authorizer lambda, I add few simple fields (principalId in the code below) in context field of the Auth response. But in my business lambda, I am not able to get these fields. The AWS documentation talks about $context variable.

First, could you explain me if the $context variable is another variable or the same variable than the context variable received in parameter of the JS function?

Second, could you explain me how to get in my business lambda the data field (ex: principalId) provided by the authorizer?


The policy document of the authorizer can be enriched with a context where you can put your custom data. That data will be provided to the business lambda via the event.

Here is an example of a policy document:

const policy = {
    context: {
        customKey: 'payload data',
    policyDocument: {
        Statement: [{
            Action: 'execute-api:Invoke',
            Effect: effect,
            Resource: resource,
        Version: '2012-10-17',
    principalId: sub,

The context contains a "customKey" with payload data as a string.

The mapping template for your API then should look like this:

  "customKey": "$context.authorizer.customKey"

Finally in your business lambda you can access the value of your customKey via the event:

exports.handler = async (event, context) => {



This should log "payload data" according to my example.

Notice that you cannot set a JSON object or array as a valid value of any key in the context map according to the documentation

The Complete Guide to Custom Authorizers with AWS Lambda and , I have a custom authorizer lambda function, in which I am decoding a JWT token. This JWT token has a custom claim that I would like to pass to the underlying Context section should be fine as long as there is a way to extract values. Finally in your business lambda you can access the value of your  The biggest cost of a custom authorizer is that there is the added latency in your API Gateway calls. Most people are familiar with the cold start problem with AWS Lambda. Since your custom authorizer is a Lambda function, you could be paying this penalty twice — once on the custom authorizer, and once on your core function.

Passing Custom Variable from Custom, Just like normal custom authorizers, API Gateway can cache the policy With enhanced request authorizers, however, you can also specify the values that form the sourceIp" authorizerUri: "arn:aws:apigateway:us-east-1:lambda:path/ AWS News Big Data Business Productivity Compute Contact Center  In this tutorial, we will give you a basic understanding of how an AWS Lambda authorizer works and how you can pass information from it to an Amazon API Gateway and other Lambda functions. To authorize users, we use a federated login, namely Google Sign-in, to produce a small full-working example.

In addition to Alexis answer, principalId - is currently the only param which can be passed from custom authorizer to a Lambda (as of today). However, the workaround for passing custom params is to stringify JSON parameters into the principleId. The discussion on this matter is here

Using Enhanced Request Authorizers in Amazon API Gateway , Defining custom authorization code is not the only way to implement Using a Lambda authorizer with third-party tokens in API Gateway can provide the context) { // Declare Policy var iamPolicy = null; // Capture raw token and await verifyAccessToken(token).then(data => { // Retrieve token scopes var  Output from an Amazon API Gateway Lambda authorizer A Lambda authorizer function's output is a dictionary-like object, which must include the principal identifier ( principalId ) and a policy document ( policyDocument ) containing a list of policy statements.

Use AWS Lambda authorizers with a third-party identity provider to , Custom authorizers must return AWS Identity and Access Management (IAM) policies. API Gateway invokes the Lambda authorizer by passing in the Lambda event."Unable to load encryption key"); } else { key = data. AWS News Big Data Business Productivity Compute Contact Center  To pass custom headers from an API Gateway API to a Lambda function, use curl to send a message to the API using a body mapping template to extract any custom headers added to the message. The API sends the updated message to a Lambda function to process the headers, returning one or more header values from the original message.

Introducing custom authorizers in Amazon API Gateway, A Lambda authorizer function's output is a dictionary-like object, which must include the Stages · Custom domain names You can safely pass the JWT token in a request header, instead. For more information, see $context Variables for data models, authorizers, mapping templates, and CloudWatch access logging. The client calls a method on an API Gateway API method, passing a bearer token or request parameters. API Gateway checks whether a Lambda authorizer is configured for the method. If it is, API Gateway calls the Lambda function.

Output from an Amazon API Gateway Lambda authorizer, Cognito Enhanced Context properties get passed to the targe Adding something like this to the template defined in lib/plugins/aws/package/ im also having issues passing info from custom authorizer to the called lambda. the user data every function whereas authorizer could just pass the user data  This way, we can set our test data in event.json and can execute our Lambda function whereas in the production environment, we can pass data, for example as POST in the HTTP request (AWS API Gateway Endpoint) and that can be accessed via the same way event <parameter>

  • To clarify the answer, it is not available in the context variable in the JS function. It is in the event. The event is just a JSON map matching either you rmapping template, or a default format for the 'proxy' integration.
  • How and where do you define the mapping template ?
  • Go to the endpoint definition and enter in the Integration Request section. Then in Body Mapping Templates, there are various options to define a generic integration or a specific one depending on the request content type.