API Keys and API Gateway

Amazon API Gateway is an AWS service that sits in front of the APIs we create (which are probably backed by AWS Lambda).

Sometimes we want to limit who can call certain APIs. There are several ways to accomplish this. The first and most obvious is API keys: every request must carry the key in the x-api-key header, or API Gateway rejects it. This is what I will cover in this post.

We start by creating a new API key in the AWS Console.

AWS Console menu

Click Actions, and then click “Create API Key”.

Create API Key

Name your API Key, then click Save.

Create API Key

Then click Show to access your key. You will need this to make API calls.

Show API key

Then we could click “Add to Usage Plan”. This would add it to an already created usage plan. But since we haven’t created one yet…

Add to Usage Plan

Go back to your API and click “Usage Plans”.

AWS Console menu

We will create a new Usage Plan.

Create a new Usage Plan

For now we won’t configure Throttling or Quotas, but note that a usage plan is where request-rate and request-volume limits can be set per API key.

Create a Usage Plan

Then we need to associate the Usage Plan with an API stage.

Associated API Stages

Then we need to associate an API key with a Usage Plan.

Associated key with Usage Plan

At this point, calls to the API still won’t require the API Key. To make the key required, we first click “Resources”.

Then expand “ANY”.

Expand ANY

Then, under Method Request, set API Key Required to “true”.

API Key Required

Our API setup should end with something like the image below.

Setup almost complete
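The same sequence of console steps, scripted with boto3, as an added example that is not part of the original post. The API id, stage, resource id, key and plan names and the throttle and quota values are constructed placeholders; the boto3 method names and keyword arguments are the real apigateway client API. Because a method-level change such as API Key Required only reaches a stage once the API is deployed again, the script ends with a deployment. The `FakeApiGateway` class is a constructed in-memory stand-in with the same method signatures so the example runs offline; its `handle` method models the 403 that API Gateway returns when a required key is missing or not attached to a usage plan covering the stage. One thing the model makes visible: any key attached to the plan works for every API stage in that plan, which is why AWS positions API keys as a metering and throttling control and recommends IAM, Amazon Cognito, or a Lambda authorizer for actual authentication and authorization.

```python
# Added example: the console steps in this post, scripted against the API Gateway
# REST API with boto3. Not the post's own code; ids, names and limits are constructed.
import hmac
from typing import Any, Dict

# Patch operation that flips "API Key Required" on a method (same as the console toggle).
API_KEY_REQUIRED = [{"op": "replace", "path": "/apiKeyRequired", "value": "true"}]


def usage_plan_spec(name: str, api_id: str, stage: str, rate: float = 10.0,
                    burst: int = 20, daily_quota: int = 1000) -> Dict[str, Any]:
    """Build create_usage_plan kwargs: the stage association plus per-key throttle and quota."""
    return {
        "name": name,
        "apiStages": [{"apiId": api_id, "stage": stage}],
        "throttle": {"rateLimit": rate, "burstLimit": burst},
        "quota": {"limit": daily_quota, "period": "DAY"},
    }


def require_api_key(client, rest_api_id: str, stage: str, resource_id: str,
                    key_name: str, plan_name: str) -> Dict[str, str]:
    """Create key, create plan on the stage, attach key to plan, flag the ANY method, redeploy."""
    key = client.create_api_key(name=key_name, enabled=True)
    plan = client.create_usage_plan(**usage_plan_spec(plan_name, rest_api_id, stage))
    client.create_usage_plan_key(usagePlanId=plan["id"], keyId=key["id"], keyType="API_KEY")
    client.update_method(restApiId=rest_api_id, resourceId=resource_id,
                         httpMethod="ANY", patchOperations=API_KEY_REQUIRED)
    # The method setting is only served by the stage after a new deployment.
    client.create_deployment(restApiId=rest_api_id, stageName=stage)
    return {"key_id": key["id"], "key_value": key["value"], "plan_id": plan["id"]}


class FakeApiGateway:
    """Constructed offline stand-in for boto3's apigateway client (same method names and
    kwargs). handle() models the enforcement API Gateway performs at the stage."""

    def __init__(self) -> None:
        self.keys: Dict[str, Dict[str, Any]] = {}
        self.plans: Dict[str, Dict[str, Any]] = {}
        self.plan_keys: Dict[str, set] = {}
        self.pending: set = set()   # (api, resource, method) flagged but not yet deployed
        self.live: set = set()      # (api, stage, resource, method) actually enforced

    def create_api_key(self, name: str, enabled: bool) -> Dict[str, Any]:
        kid = f"key{len(self.keys)}"
        self.keys[kid] = {"id": kid, "value": f"constructed-{name}-secret", "enabled": enabled}
        return self.keys[kid]

    def create_usage_plan(self, name: str, apiStages: list, throttle: dict, quota: dict) -> dict:
        pid = f"plan{len(self.plans)}"
        self.plans[pid] = {"id": pid, "name": name, "apiStages": apiStages}
        return self.plans[pid]

    def create_usage_plan_key(self, usagePlanId: str, keyId: str, keyType: str) -> None:
        self.plan_keys.setdefault(usagePlanId, set()).add(keyId)

    def update_method(self, restApiId: str, resourceId: str, httpMethod: str,
                      patchOperations: list) -> None:
        if patchOperations == API_KEY_REQUIRED:
            self.pending.add((restApiId, resourceId, httpMethod))

    def create_deployment(self, restApiId: str, stageName: str) -> None:
        # A deployment snapshots the pending method settings into the named stage.
        for api, res, meth in self.pending:
            if api == restApiId:
                self.live.add((api, stageName, res, meth))

    def handle(self, api_id: str, stage: str, resource_id: str, method: str,
               headers: Dict[str, str]) -> int:
        """200 if the method does not require a key or the request presents an enabled key
        attached to a usage plan that covers this stage; otherwise 403 (Forbidden)."""
        if (api_id, stage, resource_id, method) not in self.live:
            return 200
        sent = headers.get("x-api-key", "")
        for pid, plan in self.plans.items():
            if {"apiId": api_id, "stage": stage} not in plan["apiStages"]:
                continue
            for kid in self.plan_keys.get(pid, ()):
                k = self.keys[kid]
                if k["enabled"] and hmac.compare_digest(k["value"], sent):
                    return 200
        return 403


if __name__ == "__main__":
    gw = FakeApiGateway()  # swap for boto3.client("apigateway") against a real account
    out = require_api_key(gw, "abc123", "prod", "res1", "partner-key", "partner-plan")
    print(gw.handle("abc123", "prod", "res1", "ANY", {}))                               # 403
    print(gw.handle("abc123", "prod", "res1", "ANY", {"x-api-key": out["key_value"]}))  # 200
```

To run it against a real account, pass `boto3.client("apigateway")` as `client` and supply your own REST API id, stage name and the resource id of the `ANY` method; the returned `key_value` is the secret that clients must send in `x-api-key`, so treat it like a credential and hand it out through a secrets store rather than logging it.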

To make API calls using this API Key, we must send the key in the x-api-key header. This can easily be done in Postman on the Authorization tab, using the API Key type.

the API Key in the x-api-key header

API Keys allow you to control access to API Gateway. You could use IAM roles as well, but that would require the caller to be an internal service with AWS credentials. API keys let you gate access to your APIs even for external callers.
