search

AWS Lambda Custom Integration

Learn how to integrate an AWS Lambda Custom Integration with Apono

AWS Lambda enables you to build and connect cloud services and internal web apps by writing single-purpose functions that are attached to events emitted from your cloud infrastructure and services.

Its serverless architecture frees you to write, test, and deploy functions quickly without having to manage infrastructure setup.

With this integration, you can connect your internal applications to AWS Lambda functions and manage access to those applications with Apono.

hashtag
Prerequisites

Before starting this integration, create the items listed in the following table.

Item
Description

Apono Connector

On-prem connection serving as a bridge between your AWS Lambda functions and Apono Minimum Required Version: 1.4.1 Use the following steps to update an existing connector.

Lambda Function

Named function set up within AWS Lambdaarrow-up-right

When creating the Lambda function, apply the tagarrow-up-right apono-connector-access: "true".

See: Sample Lambda Function.

chevron-rightSample Lambda Functionhashtag
function listResources(params) {
  return {
    resources: [
      {
        'id': 'resource1',
        'name': 'Resource 1',
        'type': params.resource_type,
        'metadata': {
          'key1': 'value1'
        }
      },
      {
        'id': 'resource2',
        'name': 'Resource 2',
        'type': params.resource_type,
        'metadata': {
          'key2': 'value2'
        }
      },
      {
        'id': 'resource3',
        'name': 'Resource 3',
        'type': params.resource_type,
        'metadata': {
          'key3': 'value3'
        }
      },
    ],
    permissions: [
      {
        'id': 'admin',
        'name': 'Admin'
      },
      {
        'id': 'reader',
        'name': 'Reader'
      }
    ]
  };
}

function grantAccess(params) {
  const username = params.username;
  const grantId = params.grant_id;
  const resources = params.resources;
  const permission = params.permission;
  
  const param1 = params.custom_parameters.param1
  const param2 = params.custom_parameters.param2

  console.log(param1)
  console.log(param2)
  
  return {
    status: 'ok'
  };
}

function revokeAccess(params) {
  const username = params.username;
  const grantId = params.grant_id;
  const resources = params.resources;
  const permission = params.permission;

  const param1 = params.custom_parameters.param1
  const param2 = params.custom_parameters.param2
  
  return {
    status: 'ok'
  };
}

function createCredentials(params) {
  const username = params.username;
  const grantId = params.grant_id;
  const resources = params.resources;
  
  const param1 = params.custom_parameters.param1
  const param2 = params.custom_parameters.param2
  
  return {
    status: 'ok'
  };
}

export const handler = async (event) => {
  const params = event.params;
  
  switch (event.event_type) {
    case 'create-credentials':
      return createCredentials(params);
    case 'list-resources':
      return listResources(params);
    case 'grant-access':
      return grantAccess(params);
    case 'revoke-access':
      return revokeAccess(params);
    case 'create-credentials':
      return {
        status: 'ok',
        secret: 'created-credentials-secret'
      }
    case 'reset-credentials':
      return {
        status: 'ok',
        secret: 'reset-credentials-secret'
      }
    default:
      return {
        status: 'active'
      };
  }
};

listResources

Parameter
Description

resources[]

Manageable resources to display in Apono that users can be granted access to

Each item represents a single object the integration can grant or revoke access to.

permissions[]

Permissions to resources that can be granted to users, such as Read and Write

resources[]

Parameter
Description

id

Unique resource identifier in the source system (such as ARN) that you receive back in grantAccess or revokeAccess

name

Human-readable resource name to show in Apono

type

Resource type or service

The value should always be the resource type (params.resource_type) that was passed in the request.

metadata

Tags or context associated with the resource

Examples:

  • "environment" = "prod"

  • "region" = "us-east-1"

permissions[]

Parameter
Description

id

Integration-defined permission key you will receive back later in grantAccess

name

Display name for the permission shown in Apono to the requester

grantAccess

Parameter
Description

username

The Grantee’s email

grant_id

Apono’s unique ID for the request

resources

Resource IDs selected by the requester

permission

Permission ID chosen by the requester

custom_parameters.param1 custom_parameters.param2

Custom parameters defined for the Apono integration

revokeAccess

Parameter
Description

username

The Grantee’s email

grant_id

Apono’s unique ID for the request

resources

Resources previously granted

permission

Permission to remove

custom_parameters.param1 custom_parameters.param2

Custom parameters defined for the Apono integration

createCredentials

Parameter
Description

username

The Grantee’s email

grant_id

Apono’s unique ID for the grantee

resources

One or more target resources for which credentials should be created

permission

Permission to remove

custom_parameters.param1 custom_parameters.param2

Custom parameters defined for the Apono integration

hashtag
Integrate an AWS Lambda Custom Integration

AWS Lambda Custom Integration tile
circle-check

You can also use the steps below to integrate with Apono using Terraform.

In step 8, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.

Follow these steps to complete the integration:

  1. On the Catalogarrow-up-right tab, click AWS Lambda Custom Integration. The Connect Integration page appears.

  2. Under Discovery, click Next. The Apono connector section expands.

  3. From the dropdown menu, select a connector.

circle-info

If the desired connector is not listed, click + Add new connector and follow the instructions for creating an AWS connector.

  1. Click Next. The Integration Config section expands.

  2. Define the Integration Config settings.

    Setting
    Description

    Integration Name

    Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow

    Custom Parameters

    Key-value pairs to send to the lambda function For example, you can provide a lambda function with a redirect URL that is used for internal provisioning access and passed as part of the action requests.

    Region

    Region of the AWS Lambda instance

    Function Name

    Named of the AWS Lambda function

  3. Click Next. The Get more with Apono section expands.

  4. Define the Get more with Apono settings.

    Setting
    Description

    Credential Rotation

    (Optional) Number of days after which the database credentials must be rotated Learn more about the Credentials Rotation Policy.

    User cleanup after access is revoked (in days)

    (Optional) Defines the number of days after access has been revoked that the user should be deleted

    Learn more about Periodic User Cleanup & Deletion.

    Custom Access Details

    (Optional) Instructions explaining how to access this integration's resources Upon accessing an integration, a message with these instructions will be displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.

    Integration Owner

    (Optional) Fallback approver if no resource owner is found Follow these steps to define one or several integration owners:

    1. From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.

    2. From the Value dropdown menu, select one or multiple users or groups.

    NOTE: When Resource Owner is defined, an Integration Owner must be defined.

    Resource Owner

    (Optional) Group or role responsible for managing access approvals or rejections for the resource Follow these steps to define one or several resource owners:

    1. Enter a Key name. This value is the name of the tag created in your cloud environment.

    2. From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.

    NOTE: When this setting is defined, an Integration Owner must also be defined.

  5. Click Confirm.

chevron-right💡Are you integrating with Apono using Terraform?hashtag

If you want to integrate with Apono using Terraform, follow these steps instead of clicking Confirm:

  1. At the top of the screen, click View as Code. A modal appears with the completed Terraform configuration code.

  2. Click to copy the code.

  3. Make any additional edits.

  4. Deploy the code in your Terraform.

Refer to Integration Config Metadataarrow-up-right for more details about the schema definition.

Now that you have completed this integration, you can create access flows that grant permission to your AWS Lambda function.

PreviousManage EKS clusters through an AWS OrganizationNextEC2 via Systems Manager Agent (SSM)

Last updated

Was this helpful?