I have an issue with API Gateway (REST API) which uses an authorizer Lambda and a usage plan at the same time.
The issue I'm facing is that there are two methods, let's call them "A" and "B".
The "A" method uses an API key for protection, so you need to pass the API key in your request, and if it's correct you are authorized to perform the operation; if not, you get a "Forbidden" message.
The "B" method uses an authorizer Lambda for authorization and doesn't use an API key. The problem is the following: when the authorizer Lambda denies access to the API with its policy, the API continues the execution, because it finds the usage plan and, because the "B" method doesn't use an API key, it starts the execution.
When I'm not passing a token in the request I get the "Unauthorized" message, but if the request contains, for example, a wrong token, the execution starts even though the authorizer Lambda denies it.
Is there any way to resolve that conflict and keep the "A" method with the API key and the "B" method with the custom authorization?
CloudWatch logs after an execution with a wrong token
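As an added example (not code from the question or from AWS), a Python TOKEN-type Lambda authorizer that raises "Unauthorized" for a missing token (API Gateway turns that into a 401) and returns an explicit Deny policy for an unknown token (a 403, with the backend never invoked), which is the pair of outcomes to compare against the logs above. The token values and the method ARN are constructed placeholders.

```python
"""Added example: a TOKEN-type Lambda authorizer for an API Gateway REST API.
Tokens and the method ARN below are constructed placeholders."""
import json

# Constructed sample credential store; a real authorizer would verify a JWT
# or look the token up in a datastore instead.
VALID_TOKENS = {"good-token-123": "user-42"}


def build_policy(principal_id, effect, method_arn):
    """Build the IAM policy document API Gateway expects from an authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
        "context": {"effect": effect},
    }


def lambda_handler(event, context=None):
    """Missing token -> raise 'Unauthorized' (401).
    Unknown token -> explicit Deny policy (403). Known token -> Allow."""
    token = (event.get("authorizationToken") or "").strip()
    method_arn = event["methodArn"]
    if not token:
        # API Gateway maps this exact exception message to a 401 response.
        raise Exception("Unauthorized")
    user = VALID_TOKENS.get(token)
    if user is None:
        # Explicit Deny: API Gateway answers 403 and does not call the
        # integration; the usage plan only governs API-key throttling/quota.
        return build_policy("anonymous", "Deny", method_arn)
    return build_policy(user, "Allow", method_arn)


if __name__ == "__main__":
    # Constructed event with a wrong token, matching the scenario described.
    evt = {"type": "TOKEN", "authorizationToken": "wrong-token",
           "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/POST/b"}
    print(json.dumps(lambda_handler(evt), indent=2))
```

If the backend still runs after this authorizer returns Deny, the thing to check in the CloudWatch logs is whether the authorizer's policy actually reached API Gateway or whether a cached Allow for that token was used.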
ks_bnc
- Are "A" and "B" different methods as in `GET` and `POST`? Or, are they different endpoints? Or, different Lambdas? – Noel Llevares May 19 '22 at 00:00
- These are different resources in the API with different Lambdas as the backend. Both of them use the **POST** method, for example. Just one of them has a custom authorizer; the other uses an API key. But the usage plan is basically applied to the whole stage, and this way also to the resource/endpoint where the custom authorizer is used. And because in this stage "*api_key_required*" is set to *false*, the usage plan gives the green light to the request even though the authorizer denied it. – ks_bnc May 19 '22 at 06:21