Great articles Marcia. Particularly liked your video on authorization using JWT tokens. I was able to get a similar setup using Python. Will post an article on that shortly.
Couple of questions:
- In that video you are using ‘secret’ as the secret. Is there a way to pass a really secure secret to the authorizer? Is Environment variable the only way to pass it?
- It appears that even though you can protect a Lambda function using an authorizer for calls coming from the API gateway, other Lambdas can call it directly without any hindrance. Do you have any thoughts on how to prevent that? I had to call the token check within the HelloWorld Lambda as well to prevent unauthorized call. I would like to keep the authorization separate irrespective of whether the call is coming from API Gateway or internally. Any thoughts?