(apigatewayv2): Support cross-account Lambda Authorizers #35696

@eliasbrange

Description

Describe the feature

It should be possible to use an HTTP API Gateway with cross-account Lambda Authorizers without resorting to L1 constructs or workarounds involving escape hatches.

Using a Lambda from another account as an authorizer requires a resource policy in the Lambda account and an IAM Role with invoke permissions in the API account.

The role is attached to the authorizer through the AuthorizerCredentialsArn property, which only exists on the L1 construct CfnAuthorizer. It isn't possible to set it when using the HttpLambdaAuthorizer construct.

To be able to do it now, I have to resort to hacky workarounds like:

const authorizerRole = new iam.Role(this, "AuthorizerRole", ...);
const authorizer = new HttpLambdaAuthorizer("Authorizer", ...);
const httpApi = new HttpApi("HttpApi", ...);

const cfnAuthorizer = httpApi.node.findChild("Authorizer").node.defaultChild as cdk.aws_apigatewayv2.CfnAuthorizer;
cfnAuthorizer.authorizerCredentialsArn = authorizerRole.roleArn;
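The two-account wiring the description refers to (a resource policy in the Lambda account, an invoke role in the API account, the role attached through AuthorizerCredentialsArn), written out as an added CloudFormation example; it is not from the issue or from the CDK project. The account IDs 111111111111 and 222222222222, the function name shared-authorizer, the role name HttpApiAuthorizerInvokeRole and the region are placeholders.

```yaml
# Template for the Lambda (authorizer) account 111111111111
Resources:
  AllowApiAccountInvoke:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: shared-authorizer          # placeholder function name
      Action: lambda:InvokeFunction
      # Grant only the API account's authorizer role, not the whole account
      Principal: arn:aws:iam::222222222222:role/HttpApiAuthorizerInvokeRole
---
# Template for the API account 222222222222
Resources:
  HttpApi:
    Type: AWS::ApiGatewayV2::Api
    Properties:
      Name: shared-auth-demo
      ProtocolType: HTTP
  AuthorizerInvokeRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: HttpApiAuthorizerInvokeRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: apigateway.amazonaws.com }
            Action: sts:AssumeRole
            Condition:                         # confused-deputy guard
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Policies:
        - PolicyName: InvokeSharedAuthorizer
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: lambda:InvokeFunction
                # The one shared function, not lambda:* or a wildcard ARN
                Resource: arn:aws:lambda:us-east-1:111111111111:function:shared-authorizer
  SharedAuthorizer:
    Type: AWS::ApiGatewayV2::Authorizer
    Properties:
      ApiId: !Ref HttpApi
      Name: shared-authorizer
      AuthorizerType: REQUEST
      AuthorizerPayloadFormatVersion: "2.0"
      EnableSimpleResponses: true
      IdentitySource: ["$request.header.Authorization"]
      AuthorizerUri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:111111111111:function:shared-authorizer/invocations
      AuthorizerCredentialsArn: !GetAtt AuthorizerInvokeRole.Arn
```

The role ARN in the second template is the value the escape-hatch workaround above assigns to authorizerCredentialsArn; the Lambda-side permission names that role rather than the whole API account so that nothing else in account 222222222222 can invoke the shared authorizer.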

Use Case

I want to be able to use a shared authorizer without resorting to L1 constructs or using hacky workarounds like httpApi.node.findChild('Authorizer').node.defaultChild.

Proposed Solution

const authorizer = new HttpLambdaAuthorizer("Authorizer", authFunction, {
  role: authorizerRole,
  // ...
})

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

AWS CDK Library version (aws-cdk-lib)

2.215.0

AWS CDK CLI version

2.1029.4

Environment details (OS name and version, etc.)

Irrelevant
