Amazon API Gateway · Arazzo Workflow

AWS API Gateway Secure an HTTP API with an Authorizer

Version 1.0.0

Create an HTTP API, attach an authorizer, and add a route that uses it.

1 workflow 1 source API 1 provider

Provider

aws-api-gateway

Workflows

secure-http-api-authorizer
Create an API, an authorizer, and a route protected by it.
Creates an HTTP API and an authorizer, then branches on the authorizer type to create a route with the appropriate authorization type.
4 steps
Inputs: authorizerName, authorizerType, authorizerUri, identitySource, name, routeKey
Outputs: apiId, authorizerId, jwtRouteId, requestRouteId

1. createApi (operation: $sourceDescriptions.apiGatewayV2.createApi): Create the HTTP API container.
2. createAuthorizer (operation: createAuthorizer): Create the authorizer that will guard routes on the API.
3. createJwtRoute (operation: createRoute): Create a route protected by JWT authorization.
4. createRequestRoute (operation: createRoute): Create a route protected by a custom (REQUEST) Lambda authorizer.

Source API Descriptions

Arazzo Workflow Specification

aws-api-gateway-secure-http-api-authorizer-workflow.yml
arazzo: 1.0.1
info:
  title: AWS API Gateway Secure an HTTP API with an Authorizer
  summary: Create an HTTP API, attach an authorizer, and add a route that uses it.
  description: >-
    Adds request- or JWT-based authorization to an Amazon API Gateway V2 HTTP
    API. The workflow creates an API, creates an authorizer, and then creates a
    route whose authorization type reflects the authorizer type. Because createApi
    collides with the V1 description it is addressed through the V2 source. Every
    step spells out its request inline so the flow can be read and executed
    without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: apiGatewayV2
  url: ../openapi/aws-api-gateway-v2-openapi.yml
  type: openapi
workflows:
- workflowId: secure-http-api-authorizer
  summary: Create an API, an authorizer, and a route protected by it.
  description: >-
    Creates an HTTP API and an authorizer, then branches on the authorizer type
    to create a route with the appropriate authorization type.
  inputs:
    type: object
    required:
    - name
    - authorizerName
    - authorizerType
    - identitySource
    - routeKey
    properties:
      name:
        type: string
        description: Name of the HTTP API.
      authorizerName:
        type: string
        description: Name of the authorizer.
      authorizerType:
        type: string
        description: Type of authorizer (REQUEST or JWT).
      identitySource:
        type: array
        description: Identity sources the authorizer reads (e.g. ["$request.header.Authorization"]).
        items:
          type: string
      authorizerUri:
        type: string
        description: URI of the Lambda authorizer (used for REQUEST authorizers).
      routeKey:
        type: string
        description: Route key for the protected route (e.g. "GET /secure").
  steps:
  - stepId: createApi
    description: Create the HTTP API container.
    operationId: $sourceDescriptions.apiGatewayV2.createApi
    requestBody:
      contentType: application/json
      payload:
        Name: $inputs.name
        ProtocolType: HTTP
    successCriteria:
    - condition: $statusCode == 201
    outputs:
      apiId: $response.body#/ApiId
  - stepId: createAuthorizer
    description: Create the authorizer that will guard routes on the API.
    operationId: createAuthorizer
    parameters:
    - name: api_id
      in: path
      value: $steps.createApi.outputs.apiId
    requestBody:
      contentType: application/json
      payload:
        Name: $inputs.authorizerName
        AuthorizerType: $inputs.authorizerType
        IdentitySource: $inputs.identitySource
        AuthorizerUri: $inputs.authorizerUri
    successCriteria:
    - condition: $statusCode == 201
    outputs:
      authorizerId: $response.body#/AuthorizerId
      authorizerType: $response.body#/AuthorizerType
    onSuccess:
    - name: jwtAuthorizer
      type: goto
      stepId: createJwtRoute
      criteria:
      - context: $response.body
        condition: $.AuthorizerType == "JWT"
        type: jsonpath
    - name: requestAuthorizer
      type: goto
      stepId: createRequestRoute
      criteria:
      - context: $response.body
        condition: $.AuthorizerType != "JWT"
        type: jsonpath
  - stepId: createJwtRoute
    description: Create a route protected by JWT authorization.
    operationId: createRoute
    parameters:
    - name: api_id
      in: path
      value: $steps.createApi.outputs.apiId
    requestBody:
      contentType: application/json
      payload:
        RouteKey: $inputs.routeKey
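        AuthorizationType: JWT
        # Bind the route to the authorizer created in createAuthorizer; the
        # authorization type alone does not reference it.
        AuthorizerId: $steps.createAuthorizer.outputs.authorizerId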
    successCriteria:
    - condition: $statusCode == 201
    outputs:
      routeId: $response.body#/RouteId
    onSuccess:
    - name: done
      type: end
  - stepId: createRequestRoute
    description: Create a route protected by a custom (REQUEST) Lambda authorizer.
    operationId: createRoute
    parameters:
    - name: api_id
      in: path
      value: $steps.createApi.outputs.apiId
    requestBody:
      contentType: application/json
      payload:
        RouteKey: $inputs.routeKey
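        AuthorizationType: CUSTOM
        # Bind the route to the Lambda authorizer created in createAuthorizer; the
        # authorization type alone does not reference it.
        AuthorizerId: $steps.createAuthorizer.outputs.authorizerId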
    successCriteria:
    - condition: $statusCode == 201
    outputs:
      routeId: $response.body#/RouteId
  outputs:
    apiId: $steps.createApi.outputs.apiId
    authorizerId: $steps.createAuthorizer.outputs.authorizerId
    jwtRouteId: $steps.createJwtRoute.outputs.routeId
    requestRouteId: $steps.createRequestRoute.outputs.routeId
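
An added example, not part of the original page or the project's code: a static check, in Python, that every createRoute step in a workflow shaped like this one carries an AuthorizerId taken from an earlier createAuthorizer step. The steps are embedded as constructed dictionaries that mirror the page's step layout, and the function names are hypothetical.

```python
import re

# Constructed sample shaped like this page's workflow: one route step carries an
# AuthorizerId reference, the other only sets AuthorizationType.
STEPS = [
    {"stepId": "createApi", "operationId": "$sourceDescriptions.apiGatewayV2.createApi",
     "outputs": {"apiId": "$response.body#/ApiId"}},
    {"stepId": "createAuthorizer", "operationId": "createAuthorizer",
     "outputs": {"authorizerId": "$response.body#/AuthorizerId"}},
    {"stepId": "createJwtRoute", "operationId": "createRoute",
     "requestBody": {"payload": {
         "RouteKey": "$inputs.routeKey", "AuthorizationType": "JWT",
         "AuthorizerId": "$steps.createAuthorizer.outputs.authorizerId"}}},
    {"stepId": "createRequestRoute", "operationId": "createRoute",
     "requestBody": {"payload": {
         "RouteKey": "$inputs.routeKey", "AuthorizationType": "CUSTOM"}}},
]

NEEDS_AUTHORIZER = {"JWT", "CUSTOM"}
STEP_REF = re.compile(r"^\$steps\.([\w-]+)\.outputs\.([\w-]+)$")

def operation(step):
    """Bare operation name, with any $sourceDescriptions.<name>. prefix removed."""
    return step.get("operationId", "").split(".")[-1]

def unbound_routes(steps):
    """Return (stepId, reason) for createRoute steps not tied to an authorizer."""
    findings, seen = [], {}  # seen: steps declared earlier, by stepId
    for step in steps:
        sid = step["stepId"]
        payload = step.get("requestBody", {}).get("payload", {})
        if operation(step) == "createRoute":
            # Assumption: an unset AuthorizationType is treated here as NONE.
            auth_type = payload.get("AuthorizationType", "NONE")
            ref = STEP_REF.match(str(payload.get("AuthorizerId", "")))
            source = seen.get(ref.group(1)) if ref else None
            if auth_type == "NONE":
                findings.append((sid, "route is open (AuthorizationType NONE or unset)"))
            elif auth_type not in NEEDS_AUTHORIZER:
                pass  # e.g. AWS_IAM: no authorizer resource involved
            elif ref is None:
                findings.append((sid, "no AuthorizerId step reference"))
            elif source is None or operation(source) != "createAuthorizer":
                findings.append((sid, "AuthorizerId is not from an earlier createAuthorizer step"))
            elif ref.group(2) not in source.get("outputs", {}):
                findings.append((sid, "referenced output is not declared by that step"))
        seen[sid] = step
    return findings
```

Running `unbound_routes(STEPS)` on the constructed sample reports only `createRequestRoute`, the step whose payload sets `AuthorizationType` without an `AuthorizerId`.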