Authentication & Authorization (AWS & GCP)
Simple Explanation
What it is
Authentication proves who a caller is. Authorization decides what that caller is allowed to do. In serverless, this usually means validating a token at the edge and passing verified claims to your function.
Why we need it
APIs should not be open by default. You need a consistent way to protect data, restrict access, and prevent abuse as traffic grows.
Benefits
- Clear rules for what users and services can do.
- Auditable access so incidents are easier to investigate.
- Scales safely without manual approvals per request.
Tradeoffs
- More moving parts such as tokens, policies, and keys.
- Extra latency from verification steps.
- Secrets management becomes critical.
Real-world examples (architecture only)
- Mobile app -> API Gateway -> Lambda -> Database (user token).
- Scheduler -> Service Account -> Function -> Queue (service identity).
Core Concepts
- Authentication (AuthN): Prove identity (user, service, device).
- Authorization (AuthZ): Decide allowed actions.
- Principals: The identity doing the call (user, role, service account).
- Tokens: Short-lived credentials (JWT, ID tokens).
- Policies: Rules that grant or deny actions.
Part 1: AWS Authentication and Authorization
API Gateway + Lambda Authorizer (Custom Auth)
Use a Lambda authorizer to verify tokens and return a policy.
def verify_token(token):
# Validate signature and claims using the issuer JWKS.
# Return a dict with user info (subject, role, etc.).
return {"sub": "user123", "role": "viewer"}
def handler(event, context):
raw = event.get("authorizationToken", "")
token = raw.replace("Bearer ", "")
claims = verify_token(token)
return {
"principalId": claims["sub"],
"policyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": "Allow",
"Resource": event["methodArn"],
}
],
},
"context": {
"role": claims.get("role", "viewer"),
},
}
Amazon Cognito (User Management)
Use Cognito to manage sign-up/sign-in, MFA, and token issuance. API Gateway can validate Cognito JWTs directly.
IAM for Service-to-Service
Use IAM roles and policies to allow one AWS service to call another (for example, EventBridge -> Lambda).
Part 2: Google Cloud Authentication and Authorization
IAM for Service-to-Service
Require authentication on Cloud Functions or Cloud Run and allow only specific service accounts.
import requests
from google.auth.transport.requests import Request
from google.oauth2 import id_token
audience = "https://REGION-PROJECT.cloudfunctions.net/myFunction"
token = id_token.fetch_id_token(Request(), audience)
response = requests.get(
audience,
headers={"Authorization": f"Bearer {token}"},
timeout=30,
)
Identity Platform / Firebase Auth (End Users)
Verify user ID tokens in your function or API layer.
import firebase_admin
from firebase_admin import auth
firebase_admin.initialize_app()
def verify_user_token(token):
return auth.verify_id_token(token)
JWT Basics
JWTs are signed tokens that carry claims such as user ID, issuer, and expiration. Always verify signature and claims (issuer, audience, expiry).
Securing Secrets
Never hardcode secrets in code or templates. Use a secrets manager.
AWS Secrets Manager (Python)
import boto3
client = boto3.client("secretsmanager")
secret = client.get_secret_value(SecretId="prod/db-password")
password = secret["SecretString"]
GCP Secret Manager (Python)
from google.cloud import secretmanager
client = secretmanager.SecretManagerServiceClient()
name = "projects/PROJECT_ID/secrets/db-password/versions/latest"
response = client.access_secret_version(request={"name": name})
password = response.payload.data.decode("utf-8")
Authorization Patterns
Role-Based Access Control (RBAC)
PERMISSIONS = {
"admin": {"read", "write", "delete"},
"editor": {"read", "write"},
"viewer": {"read"},
}
def check_permission(role, action):
return action in PERMISSIONS.get(role, set())
Attribute-Based Access Control (ABAC)
def can_delete(user):
return user.get("department") == "admin"
Best Practices
- Prefer short-lived tokens and rotate keys
- Validate token claims on every request
- Use HTTPS only
- Follow least privilege for roles and policies
- Centralize secrets in a managed store
- Add rate limiting at the edge
Project
Build a simple API with two roles (viewer and editor).
- Protect one endpoint with an authorizer or identity token validation
- Enforce RBAC for read/write
- Store a secret in a managed secrets service
- Write a short README describing the architecture
Email your work to maarifaarchitect@gmail.com.
References
- AWS API Gateway Lambda authorizers: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
- Amazon Cognito: https://docs.aws.amazon.com/cognito/
- AWS IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
- AWS Secrets Manager: https://docs.aws.amazon.com/secretsmanager/
- Cloud Functions authentication: https://cloud.google.com/functions/docs/securing
- Cloud Run authentication: https://cloud.google.com/run/docs/authenticating
- Identity Platform: https://cloud.google.com/identity-platform
- Firebase Admin auth: https://firebase.google.com/docs/auth/admin/verify-id-tokens
- Secret Manager: https://cloud.google.com/secret-manager/docs