    Calling AWS API Gateway with SigV4 from FusionAuth Lambdas: Limitations and Recommended Architecture

    wesley:

      We need a FusionAuth Lambda to call a private Amazon API Gateway endpoint. The API is protected using AWS SigV4 request signing (credentials + access tokens) and also restricts access via IP allowlisting.

      In our Lambda implementation, it looks like we don’t have access to standard crypto/request libraries (for example, AWS SDK signing helpers). We’re trying to replicate the following Ruby logic:

      require "rest-client"
      require "aws-sigv4"

      # cvr and fka_id are supplied by the surrounding code (method arguments or instance variables).

      def signer
        Aws::Sigv4::Signer.new(
          service: "execute-api",
          region: "eu-central-1",
          access_key_id: ENV["FKO_API_ACCESS_KEY_ID"],
          secret_access_key: ENV["FKO_API_SECRET_ACCESS_KEY"]
        )
      end

      def signature
        signer.sign_request(
          http_method: "GET",
          url: "#{ENV['FKO_API_URL']}/#{cvr}/#{fka_id}",
          headers: { "Content-Type" => "application/json" }
        )
      end

      # signature.headers only holds the headers the signer added (host, x-amz-date, authorization),
      # so the Content-Type that was signed has to be sent as well or the signature will not verify.
      RestClient.get(
        "#{ENV['FKO_API_URL']}/#{cvr}/#{fka_id}",
        signature.headers.merge("Content-Type" => "application/json")
      )

      Questions:

      Can FusionAuth Lambdas access crypto or request libraries (for example, AWS signing libraries) to generate SigV4 signatures?

      If not, is it possible to run FusionAuth Lambdas within the same private network as our API Gateway?

      If neither is possible, does that mean we must implement SigV4 signing ourselves (and embed credentials in the Lambda)? Any examples would help.

      Reference: https://fusionauth.io/docs/extend/code/lambdas/lambda-remote-api-calls

      wesley, replying to wesley:

        You’re correct: FusionAuth’s Lambda environment does not provide access to external libraries (including AWS SDKs or SigV4 helpers), and there is no secure secrets store available to Lambdas. That means if you need AWS SigV4 signing from inside a Lambda, you would have to implement the signing logic yourself and embed any required credentials directly in the Lambda code—this is generally not considered secure.

        Also, if you are using FusionAuth Cloud, you cannot place Lambdas into your private network (for example, the same VPC/network as your API Gateway), so that option isn’t available in hosted deployments.

        If you need this capability, the recommended approach is typically to move the signing and secret handling into a system you control (for example, a backend service that FusionAuth calls), rather than performing SigV4 signing directly in a FusionAuth Lambda.

        Related issue tracking:
        https://github.com/fusionauth/fusionauth-issues/issues/1629

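What the Ruby snippet in the question does under the hood, and what a backend service you control would carry out in place of the Lambda, is the SigV4 algorithm: canonical request, string to sign, derived signing key, Authorization header. The following is an added example written for this thread, not code from the original posts, FusionAuth or the AWS SDK. It uses only the Ruby standard library (OpenSSL), so it has no gem dependency, and it checks itself against the worked example published in the AWS Signature Version 4 documentation (access key AKIDEXAMPLE, IAM ListUsers request at 2015-08-30T12:36:00Z). Credentials come from the service's own environment, which is the point of the recommended architecture: they never need to be embedded in the Lambda. The `SigV4` module name, `sign` signature and `aws_docs_vector` helper are this example's own.

```ruby
require "openssl"
require "uri"
require "time"

# Minimal AWS Signature Version 4 signer on the Ruby standard library (added example).
module SigV4
  ALGORITHM = "AWS4-HMAC-SHA256"

  def self.hmac(key, data)
    OpenSSL::HMAC.digest("SHA256", key, data)
  end

  def self.sha256_hex(data)
    OpenSSL::Digest.new("SHA256").hexdigest(data)
  end

  # RFC 3986 encoding as SigV4 requires: unreserved characters pass through, every other byte becomes uppercase %XX.
  def self.uri_encode(str)
    str.to_s.gsub(/[^A-Za-z0-9\-_.~]/) { |c| c.bytes.map { |b| format("%%%02X", b) }.join }
  end

  # Canonical URI: each segment encoded once (non-S3 services), "/" for an empty path.
  # The path is assumed to arrive unencoded; an already encoded path would be double-encoded here.
  def self.canonical_path(path)
    return "/" if path.nil? || path.empty?
    path.split("/", -1).map { |seg| uri_encode(seg) }.join("/")
  end

  # Canonical query string: decode, re-encode, sort by name then value.
  def self.canonical_query(query)
    return "" if query.nil? || query.empty?
    query.split("&").map do |pair|
      k, v = pair.split("=", 2)
      [uri_encode(URI.decode_www_form_component(k)), uri_encode(URI.decode_www_form_component(v.to_s))]
    end.sort.map { |k, v| "#{k}=#{v}" }.join("&")
  end

  # Signing key: HMAC chain over date, region, service and the literal "aws4_request".
  def self.signing_key(secret_key, date, region, service)
    k_date    = hmac("AWS4" + secret_key, date)
    k_region  = hmac(k_date, region)
    k_service = hmac(k_region, service)
    hmac(k_service, "aws4_request")
  end

  # Returns the headers to send (input headers plus host, x-amz-date and Authorization)
  # and the intermediate values, which are what you compare when API Gateway answers 403.
  def self.sign(method:, url:, access_key:, secret_key:, region:, service:,
                headers: {}, body: "", time: Time.now.utc)
    uri      = URI.parse(url)
    amz_date = time.strftime("%Y%m%dT%H%M%SZ")
    date     = time.strftime("%Y%m%d")

    all_headers = headers.merge("host" => uri.host, "x-amz-date" => amz_date)
    # Canonical headers: lowercase names, trimmed values with runs of whitespace collapsed, sorted by name.
    canonical_headers = all_headers.map { |k, v| [k.downcase, v.to_s.strip.gsub(/\s+/, " ")] }.sort
    signed_headers    = canonical_headers.map(&:first).join(";")

    canonical_request = [
      method.upcase,
      canonical_path(uri.path),
      canonical_query(uri.query),
      canonical_headers.map { |k, v| "#{k}:#{v}" }.join("\n") + "\n",
      signed_headers,
      sha256_hex(body)
    ].join("\n")

    scope          = "#{date}/#{region}/#{service}/aws4_request"
    string_to_sign = [ALGORITHM, amz_date, scope, sha256_hex(canonical_request)].join("\n")
    signature      = OpenSSL::HMAC.hexdigest("SHA256", signing_key(secret_key, date, region, service), string_to_sign)
    authorization  = "#{ALGORITHM} Credential=#{access_key}/#{scope}, " \
                     "SignedHeaders=#{signed_headers}, Signature=#{signature}"

    {
      headers: all_headers.merge("Authorization" => authorization),
      canonical_request: canonical_request,
      string_to_sign: string_to_sign,
      signature: signature
    }
  end

  # Known-answer test: the worked example from the AWS SigV4 documentation
  # (IAM ListUsers, 2015-08-30T12:36:00Z, access key AKIDEXAMPLE and its published example secret).
  def self.aws_docs_vector
    sign(
      method: "GET",
      url: "https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08",
      headers: { "Content-Type" => "application/x-www-form-urlencoded; charset=utf-8" },
      access_key: "AKIDEXAMPLE",
      secret_key: "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
      region: "us-east-1", service: "iam",
      time: Time.utc(2015, 8, 30, 12, 36, 0)
    )
  end
end

puts SigV4.aws_docs_vector[:headers]["Authorization"] if $PROGRAM_NAME == __FILE__
```

For the execute-api case in the question, the service would call `SigV4.sign(method: "GET", url: "#{ENV['FKO_API_URL']}/#{cvr}/#{fka_id}", headers: { "Content-Type" => "application/json" }, region: "eu-central-1", service: "execute-api", ...)` and send every header in the returned `:headers` hash. The intermediate `:canonical_request` and `:string_to_sign` are deliberately returned because a SigV4 mismatch error from API Gateway echoes the canonical request the server computed, and diffing the two is the only practical way to find a header or encoding discrepancy.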