---
title: Configuring Amazon API Gateway for PingOne Authorize integration
description: Deploy the AWS integration kit and configure it to integrate with PingOne Authorize and Amazon API Gateway.
component: pingone
page_id: pingone:authorization_using_pingone_authorize:p1az_configuring_amazon_for_p1az_integration
canonical_url: https://docs.pingidentity.com/pingone/authorization_using_pingone_authorize/p1az_configuring_amazon_for_p1az_integration.html
revdate: May 12, 2026
keywords: ["Amazon Web Services;AWS;API Gateway;Lambda authorizer;integration"]
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  result: Result:
  choose-from: Choose from:
  next-steps: Next steps
  troubleshooting: Troubleshooting
---

# Configuring Amazon API Gateway for PingOne Authorize integration

Deploy the Amazon Web Services (AWS) integration kit as a request parameter-based Lambda authorizer and configure it to integrate with PingOne Authorize and Amazon API Gateway.

When an API client sends a request, Amazon API Gateway invokes the Lambda authorizer to evaluate whether access should be granted. The authorizer calls PingOne Authorize to make an access decision based on your policy configurations.

* If access is allowed, Amazon API Gateway forwards the API client request to the backend REST API.

* If access is denied, Amazon API Gateway returns an appropriate HTTP status code and a reason for denial to the API client.

## Before you begin

Ensure you have:

* A comfortable level of knowledge of the following interfaces and technologies (or access to developers as needed):

  * [AWS Management Console](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/learn-whats-new.html)

  * [Lambda functions](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html)

  * [Amazon API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html)

* Sufficient permissions to create, edit, and publish Lambda functions and modify API endpoints.

* The AWS integration kit downloadable `.zip` archive. Download the integration kit from the [Ping Identity Marketplace](https://marketplace.pingone.com/item/external-authorization-for-amazon-api-gateway).

* An understanding of [policy limitations](p1_az_amazon_web_services_integration.html#aws_policy_limitations).

## Steps

1. Create the Lambda function:

   1. Open the AWS Lambda console.

   2. Click **Create function**.

   3. Click **Author from scratch**.

   4. In the **Function name** field, enter a name.

   5. In the **Runtime** list, select **Node.js 20.x**.

   6. In the **Architecture** section, click **x86\_64**.

      ![Screen capture of the Lambda runtime settings configured with Node.js 20.x selected as the Runtime, aws-lambda-authorizer file path entered as the handler, and x86\_64 selected as the architecture](_images/p1az-aws-lambda-basic-information.png)

   7. Click **Create function**.

      ### Result:

      A page opens for your new Lambda function.

2. Upload the integration kit `.zip` archive and configure the environment variables:

   1. In the **Code source** section, select **.zip file** in the **Upload from** list.

   2. In the **Upload a .zip file** modal, click **Upload**. Select the integration kit `.zip` archive.

   3. Click **Save**.

      The Lambda code source should appear with these files uploaded:

      ![Screen capture of the Lambda function code editor with the AWS integration kit .zip archive uploaded.](_images/p1az-api-gateway-lambda-code-source.png)

   4. Scroll down, and in the **Runtime settings** section, click **Edit**.

   5. In the **Runtime** list, select **Node.js 20.x**.

   6. In the **Handler** field, enter `aws-lambda-authorizer/src/aws-lambda-authorizer.handler`.

   7. Click **Save**.

   8. Scroll up and click the **Configuration** tab.

   9. In the left-hand navigation, click **Environment variables**, and then click **Edit**.

   10. Add the following environment variables:

       | Environment variable  | Value                                                                                                                                                                                   |
       | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
       | `IS_DEBUG_ENABLED`    | The value is `true` or `false` depending on whether debugging is required. Set this value to `false` in production environments.                                                        |
       | `SECRET_HEADER_VALUE` | The gateway credential that you saved earlier in the PingOne console.                                                                                                                   |
       | `SERVICE_URL`         | The service URL that you saved in [Setting up PingOne Authorize for Amazon Web Services integration](p1az_configuring_p1az_for_amazon_integration.html).                                |
       | `MAX_RETRIES`         | Controls the number of connection retries that the integration kit performs when a PingOne Authorize request fails because of network errors or HTTP 5xx responses. The default is `1`. |

       ![Screen capture of the 'Edit environment variables' page with the appropriate Lambda environment variables configured for connecting to PingOne Authorize.](_images/p1az-aws-api-gateway-env-vars.png)

   11. Click **Save**.

       If you have already configured your backend API in AWS, skip to step 4.

3. Configure a backend REST API:

   1. Open the AWS API Gateway console.

   2. Click **Create API**.

   3. In the **REST API** menu, click **Build**.

      The AWS integration kit only supports and has only been tested with REST APIs.

   4. In the **API name** field, enter a name. Leave the rest of the default selections.

      ![Screen capture of a sample configuration of a backend REST API to be integrated with Lambda authorizer.](_images/p1az-aws-api-gateway-rest-api-config.png)

   5. Click **Create API**.

4. Configure Lambda authorizer using the Lambda function:

   1. On the page for your backend API, click **Authorizers** in the left-hand navigation.

   2. Click **Create Authorizer**.

   3. In the **Name** field, enter a name.

      ![Screen capture of a sample configuration for a Lambda authorizer created on the basis of a Lambda function.](_images/p1az-aws-lambda-authorizer-config.png)

   4. For the **Type**, click **Lambda**.

   5. In the **Lambda Function** section, select your AWS Region and enter the name of the Lambda function that you created earlier.

   6. Leave the **Lambda Invoke Role** field blank.

      By default, the Amazon API Gateway console sets a resource-based policy that grants API Gateway permission to invoke the Lambda authorizer.

   7. Under **Lambda Event Payload**, click **Request**.

   8. Disable the **Authorization Caching** toggle.

   9. Next to the **Identity source type** and **Key** fields, click **Remove**.

   10. Click **Create authorizer**.

       You must repeat this Lambda authorizer configuration for each REST API that you want to protect with Lambda authorizer.

5. Assign an API method to Lambda authorizer and configure the integration point:

   1. On the page for your newly created backend API, click **Resources** in the left-hand navigation.

   2. Click **Create Resource**.

   3. Enter a name and path for your resource.

   4. Click **Create Resource**.

   5. In the **Methods** section, click **Create Method**.

   6. In the **Method type** list, select an API method.

      ![Screen capture of a sample configuration for a REST API method that will call Lambda authorizer.](_images/p1az-aws-api-gateway-method-config.png)

      Resources in your API define one or more methods, such as `GET` or `POST`. Integrating these methods with Lambda authorizer means that any client API request of this method type is forwarded to the configured Lambda function.

      You can define each resource and method individually, or use special resource and method types that apply to all incoming requests of a certain form. For example, the `ANY` method applies to all incoming requests.

   7. For the **Integration type**, click **HTTP**.

   8. In the **HTTP method** list, select a method corresponding to the method that you selected in the **Method type** list in substep 6 of this step.

   9. In the **Endpoint URL** field, enter the endpoint to which the client API request is sent.

   10. Keep the other default values and click **Save**.

   11. Click the **Method Request** tab.

   12. In the **Method request settings** section, click **Edit**.

   13. In the **Authorization** list, select your Lambda authorizer.

       ![Screen capture of an example method request setup](_images/p1az-aws-api-gateway-method-request-config.png)

   14. Click **Save**.

6. Deploy the API Gateway:

   1. On the page for your API, click **Resources** in the left-hand navigation.

   2. Click **Deploy API**.

   3. In the **Stage** list, do one of the following:

      ### Choose from:

      * Select an existing stage to deploy to.

      * Select **New Stage**. Enter a name and optional description for the stage.

      ![Screen capture of the Deploy API modal with options for creating a new production stage.](_images/p1az-aws-api-gateway-deployment-settings.png)

   4. Click **Deploy**.
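To confirm that a deployed API still matches the settings from the steps above, the following added example (not part of the original page or the integration kit) audits the JSON returned by `aws lambda get-function-configuration`, `aws apigateway get-authorizer`, and `aws apigateway get-method`. The `auditDeployment` function name and all sample objects are constructed for illustration.

```javascript
// Added example, not part of the integration kit. Inputs are the JSON printed by
// `aws lambda get-function-configuration`, `aws apigateway get-authorizer`, `aws apigateway get-method`.
const EXPECTED_HANDLER = "aws-lambda-authorizer/src/aws-lambda-authorizer.handler";

function auditDeployment(fn, authorizer, method) {
  const findings = [];
  const env = (fn.Environment && fn.Environment.Variables) || {};

  if (fn.Runtime !== "nodejs20.x") findings.push("lambda: runtime is not Node.js 20.x");
  if (fn.Handler !== EXPECTED_HANDLER) findings.push("lambda: handler path differs from step 2");
  if (!(fn.Architectures || []).includes("x86_64")) findings.push("lambda: architecture is not x86_64");
  for (const name of ["SERVICE_URL", "SECRET_HEADER_VALUE"]) {
    if (!env[name]) findings.push(`lambda: ${name} is missing or empty`);
  }
  if (env.IS_DEBUG_ENABLED !== "false") findings.push("lambda: IS_DEBUG_ENABLED is not false");
  // Assumption: a retry count must be a non-negative integer.
  if ("MAX_RETRIES" in env && !/^\d+$/.test(env.MAX_RETRIES)) {
    findings.push("lambda: MAX_RETRIES is not a non-negative integer");
  }

  // Step 4: Request payload, caching off (TTL 0), no identity source, no invoke role.
  if (authorizer.type !== "REQUEST") findings.push("authorizer: event payload is not Request");
  if (authorizer.authorizerResultTtlInSeconds !== 0) findings.push("authorizer: caching is enabled");
  if (authorizer.identitySource) findings.push("authorizer: identity source is still set");
  if (authorizer.authorizerCredentials) findings.push("authorizer: invoke role is not blank");

  // Step 5: a method without this authorizer attached bypasses PingOne Authorize.
  if (method.authorizationType !== "CUSTOM" || method.authorizerId !== authorizer.id) {
    findings.push(`method ${method.httpMethod}: not attached to this authorizer`);
  }
  return findings;
}

// Constructed sample data (placeholder values, not from a real account).
const goodFn = { Runtime: "nodejs20.x", Handler: EXPECTED_HANDLER, Architectures: ["x86_64"],
  Environment: { Variables: { IS_DEBUG_ENABLED: "false", SECRET_HEADER_VALUE: "<gateway-credential>",
    SERVICE_URL: "<service-url>", MAX_RETRIES: "1" } } };
const goodAuthorizer = { id: "abc123", name: "p1az", type: "REQUEST", authorizerResultTtlInSeconds: 0 };
const goodMethod = { httpMethod: "GET", authorizationType: "CUSTOM", authorizerId: "abc123" };

// A drifted deployment: debug left on, 300-second cache, identity source kept, method left open.
const badFn = { ...goodFn,
  Environment: { Variables: { ...goodFn.Environment.Variables, IS_DEBUG_ENABLED: "true" } } };
const badAuthorizer = { ...goodAuthorizer, authorizerResultTtlInSeconds: 300,
  identitySource: "method.request.header.Authorization" };
const badMethod = { httpMethod: "GET", authorizationType: "NONE" };

console.log(auditDeployment(goodFn, goodAuthorizer, goodMethod));
console.log(auditDeployment(badFn, badAuthorizer, badMethod));
```

Run the check for every method on every protected REST API, because the authorizer is attached per method and per API.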

## Next steps

Define API services to represent your APIs so that PingOne Authorize can help your API gateway enforce access control. For more information, see [Defining your API in PingOne Authorize](p1az_add_api_service.html).

## Troubleshooting

To help track and debug issues related to your REST API, you can configure Amazon CloudWatch logging. Learn more in [Set up CloudWatch logging for REST APIs in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html) in the Amazon API Gateway documentation.
