Serverless: Integrating AWS ApiGateway with SQS with Authentication

David Brackin
May 31, 2022

This is a short but sweet technical guide on how to send messages directly from AWS API Gateway to SQS with authentication using the Serverless Framework. I’m writing this because when I had to transform a synchronous API into an asynchronous one, I didn’t find many resources on this exact problem.

Install the serverless-apigateway-service-proxy plugin

Out of the box, Serverless does not support this kind of integration. Thankfully, someone has already done the hard work of creating a plugin to do the job.

serverless plugin install -n serverless-apigateway-service-proxy

Create your queue resources

Before we get started with integrating API Gateway with SQS, let’s create the queue to which we will be sending our messages.

The dead-letter queue is not required but is a recommended addition. The visibility timeout should be at least 6 times the timeout of the downstream service that will read the messages. In this case, our downstream service is a Lambda function with a timeout of 30 seconds.

Configure the API Gateway Service Proxy

The plugin itself will do most of the heavy lifting, but we still need to put in some work.

Sample configuration for serverless-apigateway-service-proxy plugin

You’ll find that the configuration above isn’t too different from the sample given in the documentation. The only thing I’d like to highlight is the template customization. Though VTL is a very powerful templating language, I found it difficult to convert a map to a JSON string since AWS did not provide a util function for it. This made it difficult to include other information in the SQS message, such as an authorizer context. Luckily, there’s still the option of adding it into the message attributes, which is the route I went with.

Adding a custom authorizer

The plugin also covers adding an authorizer for the API, but its documentation did not go into much depth on adding a custom authorizer.

If you have an existing authorizer and you know its ID, then you can just add the authorizer’s ID into the configuration like this:

I, personally, wouldn’t recommend this.

Serverless allows you to attach an authorizer to your APIs, and if you’ve already done that, you can get a reference to that authorizer.

In our case, we had a lambda function that belonged to another stack which I can reference using its ARN. With that, we can create a new authorizer resource in our stack that uses that lambda function.

We can then get the ID of this authorizer using the Ref intrinsic function.

And just like that your API can now send messages to SQS with authorization.
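The steps described above, combined into one serverless.yml fragment. This is an added example, not the author's original configuration. The logical IDs, the /messages path, the TOKEN authorizer type with its Authorization header, maxReceiveCount, the choice of principalId as the forwarded authorizer field, and the authorizer ARN placeholder are all assumptions.

```yaml
# Added example (not from the original article). Names and the ARN are placeholders.
custom:
  authorizerArn: arn:aws:lambda:REGION:ACCOUNT_ID:function:AUTHORIZER_NAME  # placeholder
  apiGatewayServiceProxies:
    - sqs:
        path: /messages                      # assumed path
        method: post
        queueName: { 'Fn::GetAtt': [MessageQueue, QueueName] }
        authorizationType: CUSTOM            # reject unauthenticated calls at the gateway
        authorizerId: { Ref: QueueApiAuthorizer }
        request:
          template:
            application/json: |-
              Action=SendMessage##
              &MessageAttribute.1.Name=principalId##
              &MessageAttribute.1.Value.DataType=String##
              &MessageAttribute.1.Value.StringValue=$util.urlEncode($context.authorizer.principalId)##
              &MessageBody=$util.urlEncode($input.body)
resources:
  Resources:
    MessageDlq:
      Type: AWS::SQS::Queue
    MessageQueue:
      Type: AWS::SQS::Queue
      Properties:
        VisibilityTimeout: 180               # 6 x the consumer Lambda's 30 s timeout
        RedrivePolicy:
          deadLetterTargetArn: { 'Fn::GetAtt': [MessageDlq, Arn] }
          maxReceiveCount: 3                 # assumed value
    QueueApiAuthorizer:                      # authorizer backed by a Lambda from another stack
      Type: AWS::ApiGateway::Authorizer
      Properties:
        Name: queue-api-authorizer
        Type: TOKEN
        IdentitySource: method.request.header.Authorization
        RestApiId: { Ref: ApiGatewayRestApi }
        AuthorizerUri:
          Fn::Sub: 'arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${self:custom.authorizerArn}/invocations'
    AuthorizerInvokePermission:              # lets only this API's authorizer invoke the Lambda
      Type: AWS::Lambda::Permission
      Properties:
        Action: lambda:InvokeFunction
        FunctionName: ${self:custom.authorizerArn}
        Principal: apigateway.amazonaws.com
        SourceArn:
          Fn::Sub: 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${ApiGatewayRestApi}/authorizers/${QueueApiAuthorizer}'
```

Because the principalId attribute is filled in by the mapping template from the authorizer context rather than from the request body, the consumer can read it from each record's messageAttributes as the identity the gateway authenticated.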

Adding the lambda trigger

At this point, the messages in your queue can be read by any other service (that’s up to you) but to finish this off let’s just add a lambda trigger to have a lambda function ingest the queue messages.

And that’s it. The actual code for reading the message is not covered in this article, but you can get started here.

Thank you for reading. I hope you found this helpful. If you found anything here to be inaccurate just leave a comment.
