18

I am creating a serverless REST API using AWS API Gateway and AWS Lambda. While the endpoints have been created and linked with the corresponding Lambda functions, the next step is to add an authentication layer to authenticate users via email and password. From what I could understand from the documentation, API Gateway methods can support either API Key based access or IAM based access. But I could not understand how to securely implement the authentication using API keys.

Will I have to create a server for doing the authentication and managing the users? Is there any way this can be a complete serverless end-to-end application? Any resources pointing in the right direction will be highly appreciated. I am looking at this document at the moment.

Mandeep Singh
  • 7,674
  • 19
  • 62
  • 104

2 Answers

16

A recent announcement was API Gateway Custom Authorizers: http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html

"you can control access to your APIs using bearer token authentication strategies, such as OAuth or SAML. To do so, you provide and configure a custom authorizer, a Lambda function you own, for API Gateway to use to authorize the client requests for the configured APIs"

Another good resource which I think was written before the Custom Authorizer release: https://auth0.com/docs/integrations/aws-api-gateway/part-2

Ryan
  • 5,845
  • 32
  • 27
  • 1
    But how to replace a htaccess Basic Auth with OAuth, SAML or Lambda. These methods are very complex, difficult to understand and expensive. – Peter Nov 28 '17 at 22:26
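A minimal TOKEN-type custom authorizer of the kind the answer above describes, written as an added example (it is not code from the question, the answers, or AWS). It takes the `authorizationToken` and `methodArn` fields API Gateway passes to a TOKEN authorizer and returns the `principalId` / `policyDocument` / `context` structure API Gateway expects back. The token format is a constructed stand-in: an HS256-style `header.payload.signature` token signed with a hard-coded placeholder secret (`SIGNING_SECRET`), so the example runs offline with the standard library only; a real deployment would validate an OAuth/JWT token against the issuer's keys and load any secret from configuration rather than source. The function names (`issue_token`, `verify_token`, `lambda_handler`) are this example's own.

```python
"""Added example: a stdlib-only API Gateway TOKEN Lambda authorizer."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder secret for the example only; real code reads it from
# an environment variable or Secrets Manager instead of hard-coding it.
SIGNING_SECRET = b"replace-me-demo-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Mint an HS256-style 'header.payload.signature' token (JWT layout)."""
    now = int(time.time()) if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": subject, "exp": now + ttl_seconds}).encode())
    sig = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        # Constant-time comparison so signature checking does not leak timing.
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed token, bad base64, or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def _policy(principal_id: str, effect: str, method_arn: str, context: dict) -> dict:
    """Build the IAM policy document API Gateway expects from a custom authorizer.
    The resource is widened to the whole stage so a cached policy covers every route."""
    api_part, stage_part = method_arn.split("/", 1)  # "arn:...:apiId", "stage/VERB/path"
    stage = stage_part.split("/")[0]
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": f"{api_part}/{stage}/*",
            }],
        },
        # Values here reach the backend Lambda as event.requestContext.authorizer.*
        "context": context,
    }


def lambda_handler(event: dict, context=None, now: Optional[int] = None) -> dict:
    """TOKEN authorizer entry point: Bearer token in, Allow/Deny policy out."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        # Raising exactly "Unauthorized" makes API Gateway answer 401 instead of 403.
        raise Exception("Unauthorized")
    claims = verify_token(token, now=now)
    if claims is None:
        return _policy("anonymous", "Deny", event["methodArn"], {})
    return _policy(claims["sub"], "Allow", event["methodArn"], {"sub": claims["sub"]})


if __name__ == "__main__":
    # Constructed sample event in the shape API Gateway sends to a TOKEN authorizer.
    sample = {
        "type": "TOKEN",
        "authorizationToken": "Bearer " + issue_token("alice"),
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/items",
    }
    print(json.dumps(lambda_handler(sample), indent=2))
```

Two points worth noting for a deployment: the Deny path returns a policy rather than raising, so API Gateway responds 403 for a bad or expired token and 401 only when the `Authorization` header is missing or not a Bearer token; and because API Gateway caches the returned policy per token for the configured TTL, scoping `Resource` to the stage (rather than the single `methodArn`) avoids spurious 403s when the same token is reused against a different route.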
6

AWS API Gateway can be authenticated using API keys as well. Follow the steps below:

  1. Set "API Key Required" in the resource method in API Gateway.
  2. Create a Usage Plan and add the associated API stages.
  3. Create an API key and associate it with the Usage Plan.

Then, when the API Gateway is called, the API key needs to be passed as a header.

// Spring HttpHeaders; "x-api-key" is the header name API Gateway checks.
import java.util.Arrays;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
HttpHeaders headers = new HttpHeaders();
headers.setAccept(Arrays.asList(new MediaType[]{MediaType.APPLICATION_JSON}));
headers.setContentType(MediaType.APPLICATION_JSON);
headers.set("x-api-key", apiKey);
ppasler
  • 3,579
  • 5
  • 31
  • 51
dassum
  • 4,727
  • 2
  • 25
  • 38
  • 7
    AWS documentation recommends not using this method for authorizing users. – Saar Apr 05 '17 at 13:50
  • 3
    From https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html#api-gateway-setup-api-key-with-console "For user authentication and authorization, don't use API keys. Use an IAM role, a custom authorizer, or an Amazon Cognito user pool." – Daniel Jan 29 '18 at 10:04
  • Although AWS doesn't recommend this method it is still available. It can be used e.g. as another security layer to authenticate internal services inside a VPC. – Strabek Apr 03 '18 at 10:38
  • 5
    Anyone knows *why* it's not recommended to use API keys for users? – fsinisi90 Apr 13 '18 at 20:40
  • 2
    There's a hard limit of 500 api keys for region and for account, so it cannot be considered a general purpose authentication mechanism. https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html – mturatti May 01 '18 at 12:19
  • 3
    @mturatti It's a soft limit – mewa Dec 08 '18 at 14:43
  • 1
    API keys are not recommended because their first intention was for usage plan association. Look at the response code for the request containing a wrong API key - 403. If it was meant for authentication it would be 401. Moreover, API keys are not really considered secret. You can easily access them in AWS. IAM, JWT, SAML, etc. are proper protocols to provide authentication. – user3647324 Jan 29 '19 at 16:41
  • I just needed something quick and easy (and temporary) for a demo. Given that the AWS documentation is super verbose and the auth mechanisms AWS recommends are all more complex than this, your answer here worked great for me! Thanks @dassum . – mountHouli Sep 15 '21 at 14:47