AWS IoT Core implements custom authentication and authorization schemes by using custom authorizers. A custom authorizer is an AWS IoT Core resource that gives you the flexibility to define and implement the rules and policies based on your specific requirements. To create a custom authorizer with step-by-step instructions, see Tutorial: Creating a custom authorizer for AWS IoT Core.
Each authorizer consists of the following components:
-
Name: A unique user-defined string that identifies the authorizer.
-
Lambda function ARN: The Amazon Resource Name (ARN) of the Lambda function that implements the authorization and authentication logic.
-
Token key name: The key name used to extract the token from the HTTP headers, query parameters, or MQTT CONNECT user name in order to perform signature validation. This value is required if signing is enabled in your authorizer.
-
Signing disabled flag (optional): A Boolean value that specifies whether to disable the signing requirement on credentials. This is useful for scenarios where signing the credentials doesn't make sense, such as authentication schemes that use MQTT user name and password. The default value is
false, so signing is enabled by default. -
Token signing public key: The public key that AWS IoT Core uses to validate the token signature. Its minimum length is 2,048 bits. This value is required if signing is enabled in your authorizer.
Lambda charges you for the number of times your Lambda function runs and for the
amount of time it takes for the code in your function to execute. For more
information about Lambda pricing, see Lambda Pricing
Note
If you leave signing enabled, you can prevent excessive triggering of your Lambda by unrecognized clients. Consider this before you disable signing in your authorizer.
Note
The Lambda function timeout limit for custom authorizer is 5 seconds.
In this chapter:
