Acquiring contextual information on users accessing your Lambda

Instructions on how to use the INJECT_CONTEXT variable to retrieve contextual information on users accessing your Lambda function

Note

Using INJECT_CONTEXT is the only way to obtain details on users who get authorized to your Lambda with opaque tokens. Unlike a JWT, an opaque token carries no claims the function could decode, so the user context has to be injected by the authorizer.

Prerequisites

Add the variable

  1. In your browser, open the AWS Management Console and log in.

  2. In the AWS Management Console view, search for lambda using the Find Services field.

  3. In the Functions view, select the function that you want to configure.

  4. In the view of your function, navigate to the Environment variables section and select Edit.

  5. In the Edit environment variables view, select Add environment variable.

  6. Enter INJECT_CONTEXT as a key and true as its value. Select Save to proceed.

Result

The new variable has been added to your function, and the authorizer context is now injected into the events your function receives.

Retrieve info on the user

  1. Make sure that

    1. You have an API (Amazon API Gateway) that is set to invoke the Lambda function you configured above.

    2. The API method that invokes that Lambda has

      • Integration type set to Lambda Function
      • Use Lambda Proxy integration enabled (so that the integration request type is LAMBDA_PROXY and the whole request, including requestContext with the authorizer output, is passed to your function in the event object).
  2. Inspect the event object that your handler receives (def lambda_handler(event, context): in Python). With proxy integration it is a JSON document like the one below; the authorizer's output is under requestContext.authorizer:

    {
    "resource": "/",
    "path": "/",
    "httpMethod": "GET",
    "headers": {
        "Accept": "*/*",
        "Accept-Encoding": "gzip,deflate",
        "Authorization": "bearer eyJhbGciOiJFUzI1NiIsImtpZCI6IjIxNjMyNDU0NjAzMzcyMTEzNzk1MjI2MTY2NjI3NTI4Mjk4OTAwMiIsInR5cCI6IkpXVCJ9.eyJhY3IiOiIxIiwiYWlkIjoiZGVmYXVsdCIsImFtciI6WyJwd2QiXSwiYXVkIjpbImJ1dm9zbjg0bXEwZG52YzMwc2wwIiwic3BpZmZlOi8vZGV2LmFjcC5pbnQuY2xvdWRlbnRpdHkuY29tL3FreTFmemhnOG9vNmcxMGRseXFwL2RlZmF1bHQvYnV2b3NmODRtcTBkbnZjMzBydWciXSwiZXhwIjoxNjA2MzkyOTUwLCJpYXQiOjE2MDYzODkzNDksImlkcCI6ImRlZmF1bHQiLCJpc3MiOiJodHRwczovL2Rldi5hY3AuaW50LmNsb3VkZW50aXR5LmNvbTo4NDQzL3FreTFmemhnOG9vNmcxMGRseXFwL2RlZmF1bHQiLCJqdGkiOiJlNjcwZjQyMS1iMDQ3LTQ5MzItYTBiMi0zYTQzM2FkNzk0NjkiLCJuYmYiOjE2MDYzODkzNDksInNjcCI6WyJhbWF6b25fYXBpX3Njb3BlIl0sInN0IjoicHVibGljIiwic3ViIjoidXNlciIsInRpZCI6InFreTFmemhnOG9vNmcxMGRseXFwIn0.RlMN2qSzpb9wIR45EBpF41fvCY0Rlc5cgheA6M2oq_1eWOs_or_cBBsBOugehpnApYEIoNMjSbMV76FmAg5ekQ",
        "Host": "v4npdwpiab.execute-api.us-east-1.amazonaws.com",
        "jaeger-baggage": "correlation-id=integration-tests-861d4f6a-c28a-438a-9497-349ee9d417ca",
        "X-Amzn-Trace-Id": "Root=1-5fbf8e67-0d372b7e46b9eb9b611d3a8f",
        "X-Forwarded-For": "54.172.92.11",
        "X-Forwarded-Port": "443",
        "X-Forwarded-Proto": "https"
    },
    "multiValueHeaders": {
        "Accept": [
        "*/*"
        ],
        "Accept-Encoding": [
        "gzip,deflate"
        ],
        "Authorization": [
        "bearer eyJhbGciOiJFUzI1NiIsImtpZCI6IjIxNjMyNDU0NjAzMzcyMTEzNzk1MjI2MTY2NjI3NTI4Mjk4OTAwMiIsInR5cCI6IkpXVCJ9.eyJhY3IiOiIxIiwiYWlkIjoiZGVmYXVsdCIsImFtciI6WyJwd2QiXSwiYXVkIjpbImJ1dm9zbjg0bXEwZG52YzMwc2wwIiwic3BpZmZlOi8vZGV2LmFjcC5pbnQuY2xvdWRlbnRpdHkuY29tL3FreTFmemhnOG9vNmcxMGRseXFwL2RlZmF1bHQvYnV2b3NmODRtcTBkbnZjMzBydWciXSwiZXhwIjoxNjA2MzkyOTUwLCJpYXQiOjE2MDYzODkzNDksImlkcCI6ImRlZmF1bHQiLCJpc3MiOiJodHRwczovL2Rldi5hY3AuaW50LmNsb3VkZW50aXR5LmNvbTo4NDQzL3FreTFmemhnOG9vNmcxMGRseXFwL2RlZmF1bHQiLCJqdGkiOiJlNjcwZjQyMS1iMDQ3LTQ5MzItYTBiMi0zYTQzM2FkNzk0NjkiLCJuYmYiOjE2MDYzODkzNDksInNjcCI6WyJhbWF6b25fYXBpX3Njb3BlIl0sInN0IjoicHVibGljIiwic3ViIjoidXNlciIsInRpZCI6InFreTFmemhnOG9vNmcxMGRseXFwIn0.RlMN2qSzpb9wIR45EBpF41fvCY0Rlc5cgheA6M2oq_1eWOs_or_cBBsBOugehpnApYEIoNMjSbMV76FmAg5ekQ"
        ],
        "Host": [
        "v4npdwpiab.execute-api.us-east-1.amazonaws.com"
        ],
        "jaeger-baggage": [
        "correlation-id=integration-tests-861d4f6a-c28a-438a-9497-349ee9d417ca"
        ],
        "X-Amzn-Trace-Id": [
        "Root=1-5fbf8e67-0d372b7e46b9eb9b611d3a8f"
        ],
        "X-Forwarded-For": [
        "54.172.92.11"
        ],
        "X-Forwarded-Port": [
        "443"
        ],
        "X-Forwarded-Proto": [
        "https"
        ]
    },
    "queryStringParameters": null,
    "multiValueQueryStringParameters": null,
    "pathParameters": null,
    "stageVariables": null,
    "requestContext": {
        "resourceId": "is27l9o1a2",
        "authorizer": {
        "authnCtx": "eyJhY3IiOiIxIiwiYWlkIjoiZGVmYXVsdCIsImFtciI6WyJwd2QiXSwiYXVkIjpbImJ1dm9zbjg0bXEwZG52YzMwc2wwIiwic3BpZmZlOi8vZGV2LmFjcC5pbnQuY2xvdWRlbnRpdHkuY29tL3FreTFmemhnOG9vNmcxMGRseXFwL2RlZmF1bHQvYnV2b3NmODRtcTBkbnZjMzBydWciXSwiZXhwIjoxNjA2MzkyOTUwLCJpYXQiOjE2MDYzODkzNDksImlkcCI6ImRlZmF1bHQiLCJpc3MiOiJodHRwczovL2Rldi5hY3AuaW50LmNsb3VkZW50aXR5LmNvbTo4NDQzL3FreTFmemhnOG9vNmcxMGRseXFwL2RlZmF1bHQiLCJqdGkiOiJlNjcwZjQyMS1iMDQ3LTQ5MzItYTBiMi0zYTQzM2FkNzk0NjkiLCJuYmYiOjE2MDYzODkzNDksInNjcCI6WyJhbWF6b25fYXBpX3Njb3BlIl0sInN0IjoicHVibGljIiwic3ViIjoidXNlciIsInRpZCI6InFreTFmemhnOG9vNmcxMGRseXFwIn0",
        "principalId": "user",
        "integrationLatency": 9637
        },
        "resourcePath": "/",
        "httpMethod": "GET",
        "extendedRequestId": "WnMwMGmXIAMFkgw=",
        "requestTime": "26/Nov/2020:11:15:51 +0000",
        "path": "/stage/",
        "accountId": "863611872174",
        "protocol": "HTTP/1.1",
        "stage": "stage",
        "domainPrefix": "v4npdwpiab",
        "requestTimeEpoch": 1606389351579,
        "requestId": "aea1cf05-c864-452c-a9cd-90ca90f992ae",
        "identity": {
        "cognitoIdentityPoolId": null,
        "accountId": null,
        "cognitoIdentityId": null,
        "caller": null,
        "sourceIp": "54.172.92.11",
        "principalOrgId": null,
        "accessKey": null,
        "cognitoAuthenticationType": null,
        "cognitoAuthenticationProvider": null,
        "userArn": null,
        "userAgent": null,
        "user": null
        },
        "domainName": "v4npdwpiab.execute-api.us-east-1.amazonaws.com",
        "apiId": "v4npdwpiab"
    },
    "body": null,
    "isBase64Encoded": false
    }
    
  3. In the event, find requestContext.authorizer.authnCtx and copy its value.

    Note

    The value of authnCtx is base64url-encoded JSON without padding (the same encoding a JWT payload segment uses), so use a decoder that accepts the URL-safe alphabet and missing padding.

  4. Decode the value of authnCtx, for example locally with a base64url-capable decoder, or with an online tool such as BASE64 Decode and Encode. Avoid pasting production tokens or context into third-party web tools.

    Output

    The decoded authnCtx holds the claims of the token the user presented to get authorized to call your Lambda. In this example it carries the same claims as the JWT in the Authorization header; for an opaque token, authnCtx is the only place these claims are available to the function.

    {
    "acr": "1",
    "aid": "default",
    "amr": [
        "pwd"
    ],
    "aud": [
        "buvosn84mq0dnvc30sl0",
        "spiffe://dev.acp.int.cloudentity.com/qky1fzhg8oo6g10dlyqp/default/buvosf84mq0dnvc30rug"
    ],
    "exp": 1606392950,
    "iat": 1606389349,
    "idp": "default",
    "iss": "https://dev.acp.int.cloudentity.com:8443/qky1fzhg8oo6g10dlyqp/default",
    "jti": "e670f421-b047-4932-a0b2-3a433ad79469",
    "nbf": 1606389349,
    "scp": [
        "amazon_api_scope"
    ],
    "st": "public",
    "sub": "user",
    "tid": "qky1fzhg8oo6g10dlyqp"
    }
    
  5. In the data decoded from authnCtx, identify the information you need (for example, the subject in sub, the granted scopes in scp, or the authentication methods in amr) and use it in your function's logic. Read this context only from requestContext.authorizer, which API Gateway fills from the authorizer's output; request headers, including Authorization, are whatever the client sent and should not be parsed for authorization decisions in the function.
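    The following handler performs steps 2 to 5 in code. It is an added example, not code from the original page or from Cloudentity, and it assumes only what the event above shows: the authorizer places a base64url-encoded JSON object in requestContext.authorizer.authnCtx. The required scope, the expected issuer, the helper names (decode_authn_ctx, get_authn_ctx, make_event) and the trimmed sample event are this example's own choices; the sample claims are the ones shown in the decoded output above.

```python
import base64
import json

# Policy values assumed for this example; take them from your own configuration.
REQUIRED_SCOPE = "amazon_api_scope"
EXPECTED_ISSUER = "https://dev.acp.int.cloudentity.com:8443/qky1fzhg8oo6g10dlyqp/default"


def decode_authn_ctx(value):
    """Decode the authnCtx string the authorizer injected into the event.

    The value is base64url without padding (the same encoding a JWT payload
    segment uses), so restore the padding and decode with the URL-safe alphabet.
    Raises ValueError on anything that is not a base64url-encoded JSON object.
    """
    if not isinstance(value, str) or not value:
        raise ValueError("authnCtx missing or empty")
    padded = value + "=" * (-len(value) % 4)
    try:
        # validate=True rejects characters outside the alphabet instead of
        # silently dropping them (binascii.Error is a ValueError subclass).
        claims = json.loads(base64.b64decode(padded, altchars=b"-_", validate=True))
    except (ValueError, TypeError) as exc:
        raise ValueError("authnCtx is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("authnCtx did not decode to a JSON object")
    return claims


def get_authn_ctx(event):
    """Read authnCtx from requestContext.authorizer only.

    API Gateway writes requestContext.authorizer from the authorizer's output,
    so it is the trustworthy source of identity here. Request headers, including
    Authorization, are whatever the client sent and are deliberately ignored.
    """
    request_context = event.get("requestContext") or {}
    authorizer = request_context.get("authorizer") or {}
    return decode_authn_ctx(authorizer.get("authnCtx"))


def _response(status, body):
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}


def lambda_handler(event, context):
    """LAMBDA_PROXY handler: authorize on the injected context, then respond."""
    try:
        ctx = get_authn_ctx(event)
    except ValueError as exc:
        return _response(401, {"error": str(exc)})

    # Pin the issuer: only context minted by the expected authorization server
    # (tenant and workspace) is honoured by this function.
    if ctx.get("iss") != EXPECTED_ISSUER:
        return _response(403, {"error": "unexpected issuer"})
    scopes = ctx.get("scp")
    if not isinstance(scopes, list) or REQUIRED_SCOPE not in scopes:
        return _response(403, {"error": "missing scope " + REQUIRED_SCOPE})

    return _response(200, {"sub": ctx.get("sub"), "amr": ctx.get("amr"), "scp": scopes})


# Constructed sample input: the claims from the decoded output above, re-encoded
# the way the authorizer encodes them, inside a trimmed proxy-integration event.
SAMPLE_CLAIMS = {
    "acr": "1", "aid": "default", "amr": ["pwd"],
    "aud": ["buvosn84mq0dnvc30sl0",
            "spiffe://dev.acp.int.cloudentity.com/qky1fzhg8oo6g10dlyqp/default/buvosf84mq0dnvc30rug"],
    "exp": 1606392950, "iat": 1606389349, "idp": "default",
    "iss": EXPECTED_ISSUER,
    "jti": "e670f421-b047-4932-a0b2-3a433ad79469", "nbf": 1606389349,
    "scp": ["amazon_api_scope"], "st": "public", "sub": "user",
    "tid": "qky1fzhg8oo6g10dlyqp",
}


def make_event(claims):
    """Build a minimal LAMBDA_PROXY event carrying the given claims as authnCtx."""
    encoded = base64.urlsafe_b64encode(
        json.dumps(claims, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return {
        "httpMethod": "GET", "path": "/",
        "headers": {"Authorization": "bearer <opaque-or-jwt-token>"},
        "requestContext": {"authorizer": {"authnCtx": encoded,
                                          "principalId": claims.get("sub")}},
        "body": None, "isBase64Encoded": False,
    }


if __name__ == "__main__":
    print(lambda_handler(make_event(SAMPLE_CLAIMS), None))
```

    The handler treats authnCtx as already-validated context: the authorizer has checked the token before the function runs, so the function only enforces its own policy (issuer and scope) on the claims. If your function must also bound the lifetime of what it acts on, compare exp and nbf against the current time in the same way.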

Result

You have configured your Lambda to use INJECT_CONTEXT and used the injected authnCtx to acquire information on the user.