I'm relatively new to AWS and I'm creating a multi-tenant API using API Gateway, Lambda, and DynamoDB. I want to make sure each tenant can only access their own data. I'll be partitioning the DynamoDB table data based off orgIds (tenant ids) that I generated and assigned. Right now I have basic API keys/usage plans set up with API Gateway, but I'm having trouble figuring out how best to determine which tenant called the API based off the API key they used. Should I retrieve the API key from the request header and use that to find the right orgId to partition the data? Or is there some other better way to handle this situation?
CodePudding user response:
A better way to handle tenant isolation can be using Lambda authorizer IAM policies that are specific to the given tenant (AWS blog article).
CodePudding user response:
This is how I would handle authentication and isolation (here I am delegating authorization and authentication to Auth0).
- Generate a JWT auth token from Auth0.
- Use a Lambda authorizer.
- That Lambda authorizer will verify the JWT token against the Auth0 API. That authorization code will be dealt with by your authorizer.
- Based on the JWT token: if it passes, it will generate an allow IAM policy; if it's a fabricated or incorrect token, it will generate a deny IAM policy.
Note:- The Lambda authorizer will be called by API Gateway before every request to the actual Lambda. You can also cache responses from the authorizer to reduce cost.
For tenant ids, the authorizer will pass the token to your backend code inside the header called Authorization, which you can decode using a library and extract the sub claim present in the JWT token, which will act as the identifier for the DynamoDB/user.
Do let me know if you need help with the code for the authorizer.
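The two answers above fit together: a Lambda authorizer that validates the caller's JWT and returns an allow/deny policy plus the tenant id as authorizer context (second answer), and a tenant-scoped IAM policy that limits DynamoDB access to the tenant's own partition (first answer). Below is an added, self-contained Python sketch of both, written for this thread; it is not code from either poster, from Auth0, or from the AWS blog. It assumes a shared HS256 secret so that it runs offline (Auth0 normally issues RS256 tokens that you would verify against its JWKS with a JWT library), it assumes the tenant id travels in a custom claim named `org_id` (if you only have `sub`, map it to an orgId in a lookup table instead), and the ARNs and secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder values, not taken from the thread.
SECRET = b"example-shared-secret"          # assumption: HS256 shared secret
METHOD_ARN = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/items"
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/TenantData"
TENANT_CLAIM = "org_id"                     # assumption: custom claim carrying the orgId


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims, secret=SECRET):
    """Issue an HS256 JWT. Only a test helper: in the real setup Auth0 mints tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, secret=SECRET, now=None):
    """Return the claims if the signature and expiry check out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: rejects "none" and any algorithm-confusion attempt.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:          # malformed base64 / JSON / wrong segment count
        return None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def iam_policy(effect, resource, context=None):
    """Authorizer response: execute-api policy plus context forwarded to the backend."""
    doc = {
        "principalId": context["orgId"] if context else "anonymous",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": resource}],
        },
    }
    if context:
        doc["context"] = context      # values must be strings, numbers or booleans
    return doc


def dynamodb_tenant_policy(org_id, table_arn=TABLE_ARN):
    """Tenant-scoped IAM policy (e.g. an STS session policy): only items whose
    partition key equals the tenant's orgId are reachable."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem",
                       "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
            "Resource": table_arn,
            "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [org_id]}},
        }],
    }


def handler(event, context=None, now=None):
    """Lambda authorizer (REQUEST type) entry point."""
    headers = event.get("headers") or {}
    auth = headers.get("authorization") or headers.get("Authorization") or ""
    token = auth[7:] if auth.lower().startswith("bearer ") else ""
    claims = verify_token(token, now=now) if token else None
    method_arn = event.get("methodArn", METHOD_ARN)
    if not claims or TENANT_CLAIM not in claims or "sub" not in claims:
        return iam_policy("Deny", method_arn)
    return iam_policy("Allow", method_arn,
                      {"orgId": claims[TENANT_CLAIM], "sub": claims["sub"]})
```

The backend Lambda reads the tenant from `event["requestContext"]["authorizer"]["orgId"]` rather than re-parsing the token, and uses that value as the partition key for every DynamoDB call; if you also assume a role with `dynamodb_tenant_policy()` as the session policy, a bug in the query code cannot reach another tenant's partition. If you turn on authorizer caching, the cache key must include the Authorization header so one tenant's allow decision is never reused for another.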