
In my API Gateway console, I did the following:

  • Created an API key
  • Associated the key with a deployed API stage
  • Checked the key's "Enabled" checkbox
  • For each method of each resource of my API, required the API key for authentication

I expected curl https://my-api-gateway-url/my-resource to 403, since I didn't include the x-api-key header, but it was a 200 instead. My Lambda function behind API Gateway ended up running when it shouldn't have run without the API key.

How can I ensure the key is required to authenticate all requests?

EDIT: I was following the documentation here: http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-api-keys.html

Dillon

1 Answer


Just answered my own question. Posting my answer here as I know I'm not the only one wondering about this, like this person.

The answer is to redeploy your API. Although redeploying sounds obvious, the docs completely skip the vital last step, so it's easy to overlook.

Dillon
  • 3
    Glad that it worked for you. Thanks for your feedback regarding the documentation. I will pass it on to our documentation team to make sure that all the necessary steps are covered. Best Jurgen, API Gateway – Jurgen Feb 10 '16 at 01:23
  • 1
    That is SOOO annoying... Spent 30 minutes trying to figure out why my API key validation was not working... deployed API again and fixed – NullPumpkinException Feb 26 '18 at 05:25
  • 1
    Thanks for sharing. @Jurgen: I think we need a warning, something like "Warning: Undeployed changes" – wvdz Feb 27 '18 at 20:02
  • 1
    This issue is endemic with Terraform and API Gateway. You pretty much always need to redeploy the API to a stage when you change anything... and Terraform doesn't automatically redeploy when there are changes. There are techniques to force a redeploy but they are kind of kludgey - https://stackoverflow.com/questions/38910937/terraform-not-deploying-api-gateway-stage – Derek Evermore Sep 17 '19 at 22:11
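An added example, not part of the original question, answer or comments: a check for the gap described above, where a method is marked as requiring an API key in the working configuration but the deployed stage still serves the older snapshot. It assumes the inputs have the shape of boto3's get_resources(embed=["methods"]) items and of the parsed Swagger 2.0 document returned by get_export for the stage; the function names and sample data are constructed for illustration.

```python
# Added example: inputs mirror boto3 get_resources(embed=["methods"])["items"]
# and the parsed Swagger 2.0 body of get_export for one stage (assumed shapes).
ANY = "x-amazon-apigateway-any-method"  # how the export spells the ANY method

def key_schemes(export):
    """Security scheme names in the export that mean 'x-api-key header'."""
    return {name for name, d in export.get("securityDefinitions", {}).items()
            if d.get("type") == "apiKey" and d.get("in") == "header"
            and d.get("name", "").lower() == "x-api-key"}

def deployed_requires_key(export, path, verb):
    """True/False for a deployed method, None if the stage lacks it."""
    key = ANY if verb == "ANY" else verb.lower()
    op = export.get("paths", {}).get(path, {}).get(key)
    if op is None:
        return None
    schemes = key_schemes(export)
    return any(schemes & set(req) for req in op.get("security", []))

def undeployed_key_requirements(resources, export):
    """Methods configured with apiKeyRequired that the stage does not enforce."""
    findings = []
    for res in resources:
        for verb, method in res.get("resourceMethods", {}).items():
            if not method.get("apiKeyRequired"):
                continue
            state = deployed_requires_key(export, res["path"], verb)
            if state is None:
                findings.append((res["path"], verb, "not deployed"))
            elif not state:
                findings.append((res["path"], verb, "not enforced"))
    return sorted(findings)

# Constructed sample: the key was required on every method in the console,
# but the stage snapshot predates the change to GET /my-resource.
SAMPLE_RESOURCES = [
    {"path": "/"},
    {"path": "/my-resource", "resourceMethods": {
        "GET": {"apiKeyRequired": True}, "POST": {"apiKeyRequired": True}}},
    {"path": "/new", "resourceMethods": {"DELETE": {"apiKeyRequired": True}}},
]
SAMPLE_EXPORT = {
    "securityDefinitions": {
        "api_key": {"type": "apiKey", "name": "x-api-key", "in": "header"}},
    "paths": {"/my-resource": {
        "get": {"responses": {}},
        "post": {"responses": {}, "security": [{"api_key": []}]}}},
}

if __name__ == "__main__":
    for path, verb, state in undeployed_key_requirements(SAMPLE_RESOURCES, SAMPLE_EXPORT):
        print(f"{verb} {path}: key required in config, {state} on stage")
```

An empty result after redeploying the API to the stage means the snapshot now matches the configured key requirements.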