Lambda Authorizer Annotations Support

[GarrettBeatty]

Pull Request: Lambda Authorizer Annotations Support

Description

This PR adds declarative Lambda Authorizer support to the AWS Lambda Annotations framework. Developers can now define Lambda Authorizers and protect API endpoints entirely through C# attributes, eliminating the need for manual CloudFormation configuration. The source generator automatically creates all necessary CloudFormation resources including authorizer definitions, Lambda permissions, and route-level authorizer references.

New Attributes

[HttpApiAuthorizer] — For HTTP API (API Gateway V2)

Marks a Lambda function as an HTTP API custom authorizer. The authorizer name is automatically derived from the method name, allowing other functions to reference it via nameof() for compile-time safety.

Property	Type	Default	Description
IdentityHeader	string	"Authorization"	Header used as the identity source. Translated to $request.header.{value} in CloudFormation.
EnableSimpleResponses	bool	true	When true, use simple responses (IsAuthorized: true/false). When false, use IAM policy responses.
AuthorizerPayloadFormatVersion	AuthorizerPayloadFormatVersion	V2	Authorizer payload format version. Valid values: V1 ("1.0") or V2 ("2.0").
ResultTtlInSeconds	int	0	TTL in seconds for caching authorizer results. 0 = no caching. Max = 3600.

[RestApiAuthorizer] — For REST API (API Gateway V1)

Marks a Lambda function as a REST API custom authorizer. The authorizer name is automatically derived from the method name.

Property	Type	Default	Description
IdentityHeader	string	"Authorization"	Header used as the identity source. Translated to method.request.header.{value} in CloudFormation.
Type	RestApiAuthorizerType	Token	Type of authorizer: Token (receives just the token via request.AuthorizationToken) or Request (receives full request context).
ResultTtlInSeconds	int	0	TTL in seconds for caching authorizer results. 0 = no caching. Max = 3600.

Updated Attributes

• [HttpApi] — Added Authorizer property to reference an HTTP API authorizer by method name (use nameof() for compile-time safety)
• [RestApi] — Added Authorizer property to reference a REST API authorizer by method name (use nameof() for compile-time safety)

New Parameter Attribute

• [FromCustomAuthorizer] — Maps a method parameter to a value from the custom authorizer context. Use the Name property to specify the key. Returns HTTP 401 if the key is not found or type conversion fails.

---

Basic Usage

HTTP API Authorizer Example

// Step 1: Define the authorizer function
// The authorizer name is automatically derived from the method name ("HttpApiAuthorize")
[LambdaFunction(ResourceName = "CustomAuthorizer")]
[HttpApiAuthorizer]
public APIGatewayCustomAuthorizerV2SimpleResponse HttpApiAuthorize(
    APIGatewayCustomAuthorizerV2Request request,
    ILambdaContext context)
{
    var token = request.Headers?.GetValueOrDefault("authorization", "");

    if (IsValidToken(token))
    {
        return new APIGatewayCustomAuthorizerV2SimpleResponse
        {
            IsAuthorized = true,
            Context = new Dictionary<string, object>
            {
                { "userId", "user-123" },
                { "email", "user@example.com" }
            }
        };
    }

    return new APIGatewayCustomAuthorizerV2SimpleResponse { IsAuthorized = false };
}

// Step 2: Protect endpoints by referencing the authorizer method name via nameof()
[LambdaFunction(ResourceName = "GetUserInfo")]
[HttpApi(LambdaHttpMethod.Get, "/api/user-info", Authorizer = nameof(HttpApiAuthorize))]
public object GetUserInfo(
    [FromCustomAuthorizer(Name = "userId")] string userId,
    [FromCustomAuthorizer(Name = "email")] string email)
{
    return new { UserId = userId, Email = email };
}

REST API Authorizer Example

// Define a Token-based REST API authorizer
// With Type = Token, API Gateway extracts the IdentityHeader value
// and passes it directly in request.AuthorizationToken
[LambdaFunction(ResourceName = "RestApiAuthorizer")]
[RestApiAuthorizer(Type = RestApiAuthorizerType.Token)]
public APIGatewayCustomAuthorizerResponse RestApiAuthorize(
    APIGatewayCustomAuthorizerRequest request,
    ILambdaContext context)
{
    var token = request.AuthorizationToken; // Token extracted by API Gateway

    if (IsValidToken(token))
    {
        return new APIGatewayCustomAuthorizerResponse
        {
            PrincipalID = "user-123",
            PolicyDocument = new APIGatewayCustomAuthorizerPolicy
            {
                Version = "2012-10-17",
                Statement = new List<APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>
                {
                    new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
                    {
                        Effect = "Allow",
                        Action = new HashSet<string> { "execute-api:Invoke" },
                        Resource = new HashSet<string> { request.MethodArn }
                    }
                }
            },
            Context = new APIGatewayCustomAuthorizerContextOutput
            {
                ["userId"] = "user-123",
                ["email"] = "user@example.com"
            }
        };
    }
    // Return deny policy for invalid tokens...
}

// Protect a REST API endpoint using nameof() for compile-time safety
[LambdaFunction(ResourceName = "RestUserInfo")]
[RestApi(LambdaHttpMethod.Get, "/api/rest-user-info", Authorizer = nameof(RestApiAuthorize))]
public object GetRestUserInfo(
    [FromCustomAuthorizer(Name = "userId")] string userId,
    [FromCustomAuthorizer(Name = "email")] string email)
{
    return new { UserId = userId, Email = email, ApiType = "REST API" };
}

Authorizer with Custom Header and Caching

// Use a custom identity header and enable caching for 5 minutes
[LambdaFunction(ResourceName = "ApiKeyAuthorizer")]
[HttpApiAuthorizer(
    IdentityHeader = "X-Api-Key",
    ResultTtlInSeconds = 300)]
public APIGatewayCustomAuthorizerV2SimpleResponse ValidateApiKey(
    APIGatewayCustomAuthorizerV2Request request,
    ILambdaContext context)
{
    var apiKey = request.Headers?.GetValueOrDefault("x-api-key", "");
    // Validate API key...
}

[LambdaFunction(ResourceName = "ApiKeyProtectedFunction")]
[HttpApi(LambdaHttpMethod.Get, "/api/external", Authorizer = nameof(ValidateApiKey))]
public object ExternalEndpoint(
    [FromCustomAuthorizer(Name = "clientId")] string clientId)
{
    return new { ClientId = clientId };
}

HTTP API Authorizer with IAM Policy Responses (Payload Format 1.0)

// Disable simple responses to use IAM policy-based authorization
[LambdaFunction(ResourceName = "CustomAuthorizerV1")]
[HttpApiAuthorizer(
    EnableSimpleResponses = false,
    AuthorizerPayloadFormatVersion = AuthorizerPayloadFormatVersion.V1)]
public APIGatewayCustomAuthorizerResponse HttpApiAuthorizeV1(
    APIGatewayCustomAuthorizerRequest request,
    ILambdaContext context)
{
    // With EnableSimpleResponses = false, return IAM policy responses
    // instead of the simpler IsAuthorized: true/false format
}

Non-String Type Extraction from Authorizer Context

// [FromCustomAuthorizer] supports automatic type conversion for non-string types
[LambdaFunction(ResourceName = "NonStringUserInfo")]
[HttpApi(LambdaHttpMethod.Get, "/api/nonstring-user-info", Authorizer = nameof(HttpApiAuthorize))]
public object GetNonStringUserInfo(
    [FromCustomAuthorizer(Name = "numericTenantId")] int tenantId,
    [FromCustomAuthorizer(Name = "isAdmin")] bool isAdmin,
    [FromCustomAuthorizer(Name = "score")] double score)
{
    return new { TenantId = tenantId, IsAdmin = isAdmin, Score = score };
}

---

Key Design Decisions

• Authorizer names are derived from the method name — No Name property on the attributes. This enables nameof() references for compile-time safety. If the authorizer method is renamed, all references update automatically.
• [FromCustomAuthorizer] returns 401 on missing keys — If an expected authorizer context key is not found or type conversion fails, the generated handler returns HTTP 401 Unauthorized rather than a 500 error.
• Multiple endpoints can share the same authorizer — Any number of [HttpApi] or [RestApi] endpoints can reference the same authorizer method.
• Endpoints without Authorizer remain public — Only endpoints that explicitly set Authorizer = nameof(...) are protected.

What Gets Generated

The source generator automatically creates all necessary CloudFormation resources:

• Lambda function resources for authorizer functions
• Auth configuration on the API Gateway resources (AnnotationsHttpApi / ServerlessRestApi) with authorizer definitions
• AWS::Lambda::Permission resources for API Gateway to invoke authorizer functions
• Proper authorizer references on protected route event configurations

[Copilot]

Pull request overview

Adds declarative Lambda Authorizer support to the Amazon.Lambda.Annotations framework by introducing new authorizer attributes and extending the source generator to emit corresponding SAM Auth configuration for protected API events.

Changes:

• Introduces [HttpApiAuthorizer] / [RestApiAuthorizer] attributes plus supporting models/builders in the source generator.
• Extends [HttpApi] / [RestApi] with an Authorizer property and updates CloudFormation template generation accordingly.
• Updates/introduces test applications and baseline templates to exercise authorizer scenarios.

Reviewed changes

Copilot reviewed 26 out of 26 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
Libraries/src/Amazon.Lambda.Annotations/APIGateway/HttpApiAuthorizerAttribute.cs	New attribute surface for HTTP API Lambda authorizers.
Libraries/src/Amazon.Lambda.Annotations/APIGateway/RestApiAuthorizerAttribute.cs	New attribute surface for REST API Lambda authorizers.
Libraries/src/Amazon.Lambda.Annotations/APIGateway/HttpApiAttribute.cs	Adds Authorizer property for protecting HTTP API routes.
Libraries/src/Amazon.Lambda.Annotations/APIGateway/RestApiAttribute.cs	Adds Authorizer property for protecting REST API routes.
Libraries/src/Amazon.Lambda.Annotations.SourceGenerator/Generator.cs	Detects authorizer attributes and adds authorizer data into the report.
Libraries/src/Amazon.Lambda.Annotations.SourceGenerator/Writers/CloudFormationWriter.cs	Writes authorizer definitions and route-level Auth config into templates; adds orphan cleanup.
Libraries/src/Amazon.Lambda.Annotations.SourceGenerator/Models/*	Adds authorizer models and wiring through report + lambda function model.
Libraries/test/TestServerlessApp/AuthorizerFunctions.cs	New test functions demonstrating protected/public endpoints and authorizers.
Libraries/test/TestServerlessApp/serverless.template	Updated expected baseline template for the new authorizer scenarios.
Libraries/test/TestCustomAuthorizerApp/*	Updates sample app + template to use new Authorizer property.
Libraries/test/Amazon.Lambda.Annotations.SourceGenerators.Tests/WriterTests/CloudFormationWriterTests.cs	Adjusts test model to include new Authorizer property.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 34 out of 34 changed files in this pull request and generated 9 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 48 out of 48 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[GarrettBeatty]

2026-02-26T12:06:37.456-05:00
REPORT RequestId: 49ccb130-93d1-4020-b13f-2046990f5e67	Duration: 985.80 ms	Billed Duration: 986 ms	Memory Size: 512 MB	Max Memory Used: 28 MB	
	
REPORT RequestId: 49ccb130-93d1-4020-b13f-2046990f5e67 Duration: 985.80 ms Billed Duration: 986 ms Memory Size: 512 MB Max Memory Used: 28 MB
	
2026-02-26T12:06:37.579-05:00
2026-02-26T17:06:37.557Z		fail	Amazon.Lambda.RuntimeSupport.ExceptionHandling.LambdaValidationException: Unable to load type 'TestServerlessApp.ComplexCalculator_Add_Generated' from assembly 'TestServerlessApp'.
	
2026-02-26T17:06:37.557Z fail Amazon.Lambda.RuntimeSupport.ExceptionHandling.LambdaValidationException: Unable to load type 'TestServerlessApp.ComplexCalculator_Add_Generated' from assembly 'TestServerlessApp'.
	
2026-02-26T12:06:37.579-05:00
at Amazon.Lambda.RuntimeSupport.Bootstrap.UserCodeLoader.Init(Action`1 customerLoggingAction) in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/Bootstrap/UserCodeLoader.cs:line 115
	
at Amazon.Lambda.RuntimeSupport.Bootstrap.UserCodeLoader.Init(Action`1 customerLoggingAction) in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/Bootstrap/UserCodeLoader.cs:line 115
	
2026-02-26T12:06:37.579-05:00
at Amazon.Lambda.RuntimeSupport.Bootstrap.UserCodeInitializer.InitializeAsync() in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/Bootstrap/UserCodeInitializer.cs:line 46
	
at Amazon.Lambda.RuntimeSupport.Bootstrap.UserCodeInitializer.InitializeAsync() in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/Bootstrap/UserCodeInitializer.cs:line 46
	
2026-02-26T12:06:37.579-05:00
at Amazon.Lambda.RuntimeSupport.LambdaBootstrap.InitializeAsync() in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/Bootstrap/LambdaBootstrap.cs:line 210
	
at Amazon.Lambda.RuntimeSupport.LambdaBootstrap.InitializeAsync() in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/Bootstrap/LambdaBootstrap.cs:line 210
	
2026-02-26T12:06:37.742-05:00
Unhandled exception. Amazon.Lambda.RuntimeSupport.ExceptionHandling.LambdaValidationException: Unable to load type 'TestServerlessApp.ComplexCalculator_Add_Generated' from assembly 'TestServerlessApp'.
	
Unhandled exception. Amazon.Lambda.RuntimeSupport.ExceptionHandling.LambdaValidationException: Unable to load type 'TestServerlessApp.ComplexCalculator_Add_Generated' from assembly 'TestServerlessApp'.
	
2026-02-26T12:06:37.742-05:00
at Amazon.Lambda.RuntimeSupport.Bootstrap.UserCodeLoader.Init(Action`1 customerLoggingAction) in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/Bootstrap/UserCodeLoader.cs:line 115
	
at Amazon.Lambda.RuntimeSupport.Bootstrap.UserCodeLoader.Init(Action`1 customerLoggingAction) in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/Bootstrap/UserCodeLoader.cs:line 115
	
2026-02-26T12:06:37.742-05:00
at Amazon.Lambda.RuntimeSupport.Bootstrap.UserCodeInitializer.InitializeAsync() in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/Bootstrap/UserCodeInitializer.cs:line 46
	
at Amazon.Lambda.RuntimeSupport.Bootstrap.UserCodeInitializer.InitializeAsync() in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/Bootstrap/UserCodeInitializer.cs:line 46
	
2026-02-26T12:06:37.742-05:00
at Amazon.Lambda.RuntimeSupport.LambdaBootstrap.InitializeAsync() in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/Bootstrap/LambdaBootstrap.cs:line 210
	
at Amazon.Lambda.RuntimeSupport.LambdaBootstrap.InitializeAsync() in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/Bootstrap/LambdaBootstrap.cs:line 210
	
2026-02-26T12:06:37.742-05:00
at Amazon.Lambda.RuntimeSupport.LambdaBootstrap.InitializeAsync() in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/Bootstrap/LambdaBootstrap.cs:line 222
	
at Amazon.Lambda.RuntimeSupport.LambdaBootstrap.InitializeAsync() in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/Bootstrap/LambdaBootstrap.cs:line 222
	
2026-02-26T12:06:37.742-05:00
at Amazon.Lambda.RuntimeSupport.LambdaBootstrap.RunAsync(CancellationToken cancellationToken) in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/Bootstrap/LambdaBootstrap.cs:line 156
	
at Amazon.Lambda.RuntimeSupport.LambdaBootstrap.RunAsync(CancellationToken cancellationToken) in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/Bootstrap/LambdaBootstrap.cs:line 156
	
2026-02-26T12:06:37.742-05:00
at Amazon.Lambda.RuntimeSupport.RuntimeSupportInitializer.RunLambdaBootstrap() in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/RuntimeSupportInitializer.cs:line 63
	
at Amazon.Lambda.RuntimeSupport.RuntimeSupportInitializer.RunLambdaBootstrap() in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/RuntimeSupportInitializer.cs:line 63
	
2026-02-26T12:06:37.742-05:00
at Amazon.Lambda.RuntimeSupport.Program.Main(String[] args) in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/Program.cs:line 43
	
at Amazon.Lambda.RuntimeSupport.Program.Main(String[] args) in /src/Repo/Libraries/src/Amazon.Lambda.RuntimeSupport/Program.cs:line 43
	
2026-02-26T12:06:37.742-05:00
at Amazon.Lambda.RuntimeSupport.Program.<Main>(String[] args)

@normj have you seen this issue at all when working with the annotations libraries integration test project. without this change i was seeing this problem where sometimes the release build wouldnt include the generated files (it would sometimes but not all the time). adding this line to here seemed to fix the issue but it doesnt feel right

[GarrettBeatty]

i added these to this file manually is that correct to do?

[normj]

When a user adds an authorizer and we add an RestApi or HttpApi resource the the CF template we need to make sure all API Gateway based Lambda functions are referencing the Api resource even if they aren't using the authorizer. We should only be creating one Api endpoint.

[normj]

Nice to have would be to fix the compiler error when the HttpApiAuthorizer or RestApiAuthorizer attributes are applied by the LambdaFunction attribute is not. Right now you get a compiler error where the authorizer is referenced that the function does not exist. I recognize this is more of a general confusion of you add any of our secondary attributes but forget the main LambdaFunction attribute.

[normj]

The PayloadFormatVersion on the authorizer is problematic this is really an RestApi or HttpApi property. If we put it on the authorizer that opens the issue of the value being different across authorizers. If we want to go down this direction because we don't really model the RestApi or HttpApi then we need to be sure to have a diagnostic warning.

[normj]

To improve the user experience what do you think of the authorizer method signature supporting the FromX attributes and supporting a IAuthorizeResult as a return type like we have IHttpResults for the regular API Gateway methods. Something like assuming we can infer how to generate the policy based on the format for the authorizer on the API.

public IAuthorizeResult Get([FromHeader("Authorization"] string authorization, ILambdaContext)
{
   if (IsValid(authorization)
   {
     return AuthorizeResult.Allow();
   }
   
   return AuthorizeResult.Deny();
}

[GarrettBeatty]

When a user adds an authorizer and we add an RestApi or HttpApi resource the the CF template we need to make sure all API Gateway based Lambda functions are referencing the Api resource even if they aren't using the authorizer. We should only be creating one Api endpoint.

i have updated to fix this.

[GarrettBeatty]

Nice to have would be to fix the compiler error when the HttpApiAuthorizer or RestApiAuthorizer attributes are applied by the LambdaFunction attribute is not. Right now you get a compiler error where the authorizer is referenced that the function does not exist. I recognize this is more of a general confusion of you add any of our secondary attributes but forget the main LambdaFunction attribute.

i have added this new diagnostic too

[GarrettBeatty]

The PayloadFormatVersion on the authorizer is problematic this is really an RestApi or HttpApi property. If we put it on the authorizer that opens the issue of the value being different across authorizers. If we want to go down this direction because we don't really model the RestApi or HttpApi then we need to be sure to have a diagnostic warning.

theres actually two things.

1. AuthorizerPayloadFormatVersion (which i now renamed from PayloadFormatVersion) on the HttpApiAuthorizerAttribute
2. Version on the HttpApi attribute which is is the payload version of the http api.

so now user needs to make sure both of these versions match. I have added a diagnostic warning to also detect if there is a mismatch.

[GarrettBeatty]

To improve the user experience what do you think of the authorizer method signature supporting the FromX attributes and supporting a IAuthorizeResult as a return type like we have IHttpResults for the regular API Gateway methods. Something like assuming we can infer how to generate the policy based on the format for the authorizer on the API.

public IAuthorizeResult Get([FromHeader("Authorization"] string authorization, ILambdaContext)
{
   if (IsValid(authorization)
   {
     return AuthorizeResult.Allow();
   }
   
   return AuthorizeResult.Deny();
}

i will add this in a follow up PR after this one gets merged

[Copilot]

Pull request overview

Copilot reviewed 53 out of 53 changed files in this pull request and generated 9 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[GarrettBeatty]

@normj updated this to be an enum similar to Version in HttpApi

[GarrettBeatty]

will update this to be clearer and i also need to create a feature branch for this

[GarrettBeatty]

im thinking this should be error instead of warning