API Keys and API Gateway

API Keys and API Gateway

API Gateway is an Amazon product that sits in front of APIs we create (which are probably hosted in AWS Lambda).

Sometimes we want to limit who can access certain APIs. There are a variety of ways we can accomplish this. The first and most obvious is with API keys. API keys require that requests pass the given key on each request through the x-api-key header. This is what I will cover in this post.

We start by creating a new API key in the AWS Console.

AWS Console menu

Click Actions, and then click “Create API Key”.

Create API Key

Name your API Key, then click Save.

Create API Key

Then click Show to access your key. You will need this to make API calls.

Show API key

Then we could click “Add to Usage Plan”. This would add it to an already created usage plan. But since we haven’t created one yet…

Add to Usage Plan

Go back to your API and click “Usage Plans”.

AWS Console menu

We will create a new Usage Plan.

Create a new Usage Plan

For right now, we won’t worry about Throttling or Quotas. However, we could set limits by the API key.

Create a Usage Plan

Then we need to associate the API with an endpoint.

Associated API Stages

Then we need to associate an API key with a Usage Plan.

Associated key with Usage Plan

At this point, your calls still won’t require the API Key. To make the API Key required, we will first click “Resources”.

Then expand “ANY”.

Expand ANY

Then set API Key Required to “true”.

API Key Required

Our API setup should end with something like the image below.

Setup almost complete

To make API calls using this API Key, we must provide the API Key in the x-api-key header. This can easily be done in Postman on the Authentication tab.

the API Key in the x-api-key header

API Keys allow you to control access to API Gateway. You could use IAM roles as well, but that would require an internal service. API keys can allow you to gate access to your APIs even from external resources.

Related posts