Lambda authorizer and Parameter Store dilemma

  • I've been using an authorizer in front of all my lambdas.

    The authorizer simply tries to decode the bearer token received, and if it's decoded correctly, authorizes the integration lambda to execute (and passes the user id to the event).

    My issue is that I realized I'm spending a lot of money on Parameter Store retrieval and decryption and just figured out why.

    I'm essentially retrieving the parameters both inside the authorizer and inside the integration (basically twice every call).

    So I was wondering which solution to use:

    - To not decode the received token inside the authorizer, but simply perform basic validation (correct header, content type, etc.), and instead, decode it only once inside the actual lambda function, and return unauthorized if it's not valid (this saves 1 parameter store call).

    - Retrieve the parameter inside the authorizer, decode the authorization token (if present) and, since the authorizer now has access to the parameter, pass it to the resource object so the lambda function will have access to it (through the event). My question is, how safe is this procedure? To pass secrets from one lambda function to another via the event?

    Can't think of other solutions right now, to be honest. What do you think?
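
An authorizer of the kind described in the post above, shown as an added example that is not part of the original thread. It keeps the decrypted parameter in module scope so warm invocations do not fetch it again, and forwards only the verified user id in the context. Assumptions: the bearer token is an HS256 JWT, the event has the REST API REQUEST-authorizer shape, and the parameter name is hypothetical.

```python
import base64, hashlib, hmac, json, time

PARAM_NAME = "/example/jwt-signing-key"  # hypothetical parameter name
_cache = {}  # module scope: survives warm invocations of the same execution environment

def fetch_from_ssm(name):
    import boto3  # imported lazily so the example also runs offline with a stub
    ssm = boto3.client("ssm")
    return ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]

def get_param(name, fetch, ttl=300):
    """Call fetch(name) only when there is no cached copy younger than ttl seconds."""
    hit = _cache.get(name)
    if hit is None or time.time() - hit[1] > ttl:
        hit = _cache[name] = (fetch(name), time.time())
    return hit[0]

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def verify_hs256(token, key):
    """Return the claims of a valid, unexpired HS256 JWT, or None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":
            return None  # never let the token choose another algorithm
        want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        if isinstance(claims.get("sub"), str) and claims["exp"] > time.time():
            return claims
    except (ValueError, TypeError, KeyError, AttributeError):
        pass
    return None

def handler(event, context=None, fetch=fetch_from_ssm):
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    key = get_param(PARAM_NAME, fetch).encode()
    claims = verify_hs256(token, key) if scheme.lower() == "bearer" else None
    return {
        "principalId": claims["sub"] if claims else "anonymous",
        "policyDocument": {"Version": "2012-10-17", "Statement": [{
            "Action": "execute-api:Invoke",
            "Effect": "Allow" if claims else "Deny",
            "Resource": event["methodArn"]}]},
        # Only the verified user id goes downstream; the signing key never enters the event.
        "context": {"userId": claims["sub"]} if claims else {},
    }
```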
