A Little More API Keys and API Gateway

In my previous blog post, we dove into API Keys and AWS’s API Gateway. What we covered was pretty straightforward: we required an API key on every method of an API and tied that key to a usage plan.

But we don’t have to do that. API Key Required is a method-level setting, so we can require a key on individual methods instead of on every method in the API.

Why would we want to do this? Different endpoints often need different controls. For example, one endpoint might be open, while another should only accept calls that present a key belonging to a usage plan, so that those calls can be metered and throttled per client.

In the image below, we have an API Key applied to all the resources for our API.

(Image: API Key applied to all the resources for our API)

Instead, we create the individual resources and the methods under them, then enable API Key Required only on the methods that need it. See the image below, where we create a “/api/math” resource; note that API Key Required is enabled for that method alone. As with any method setting, the change takes effect only after the API is deployed to its stage again.

(Image: Creating the “/api/math” resource with API Key Required enabled)

Requiring API keys on individual methods lets us meter and throttle those methods per client, through the usage plan each key belongs to. Think of an admin resource in our API: we could require a key there so that every call is tied to a known plan. However, an API key is not a credential. It travels in the plain x-api-key header, it is shared by every copy of the client that holds it, and API Gateway checks only that it belongs to a usage plan. AWS itself advises against relying on API keys as the sole means of authentication or authorization. For locking a method down to specific callers, AWS has a better option: restrict the resource to an IAM user or role.

Just change the method’s Authorization setting to “AWS IAM”. Every request to that method must then be signed with AWS Signature Version 4 using the credentials of an IAM principal (a user or an assumed role), and that principal needs an IAM policy granting execute-api:Invoke on the method’s ARN; unsigned requests are rejected with a 403. The two controls can also be combined on one method, with the API key selecting the usage plan and IAM deciding who is allowed to call.

(Image: Changing Authorization to “AWS IAM”)
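The two controls set in the console above, API Key Required on a method and Authorization set to AWS IAM, look very different on the wire. The following is an added example, not code from the original post or from AWS: it implements the client side of SigV4 signing for an execute-api call and a constructed stand-in for the deployed API that applies both checks in the order the service does. The host name, the usage-plan key, the route table and the IAM grant table are made up for the example; the access key pair is the one AWS uses in its own documentation, not a live credential.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

# Constructed stand-in for a deployed API: the per-method settings you would
# click in the console (API Key Required, Authorization), the usage-plan key
# table, and the execute-api:Invoke grants the gateway would evaluate.
HOST = "abc123.execute-api.us-east-1.amazonaws.com"  # constructed invoke host
REGION = "us-east-1"
METHOD_SETTINGS = {
    ("GET", "/api/hello"): {"api_key_required": False, "authorization": "NONE"},
    ("POST", "/api/math"): {"api_key_required": True, "authorization": "NONE"},
    ("GET", "/api/admin"): {"api_key_required": False, "authorization": "AWS_IAM"},
}
USAGE_PLAN_KEYS = {"constructed-math-client-key": "basic-plan"}
# AWS's documentation example access key pair, not a live credential.
IAM_CREDENTIALS = {"AKIAIOSFODNN7EXAMPLE": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
IAM_ALLOW = {"AKIAIOSFODNN7EXAMPLE": {("GET", "/api/admin")}}


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(method, path, body, access_key, secret_key, when, service="execute-api"):
    """Headers a client must send to an AWS_IAM-protected method (Signature
    Version 4, signing the host and x-amz-date headers; the SDKs do this for you)."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    canonical_request = "\n".join([
        method,
        quote(path, safe="/~"),                   # canonical URI
        "",                                       # canonical query string (none)
        f"host:{HOST}\nx-amz-date:{amz_date}\n",  # canonical headers
        "host;x-amz-date",                        # signed headers
        _sha256_hex(body),                        # payload hash
    ])
    scope = f"{date_stamp}/{REGION}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode())])
    # Signing key: HMAC chain over date, region, service and the terminator.
    key = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    for part in (REGION, service, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return {
        "host": HOST,
        "x-amz-date": amz_date,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                          f"SignedHeaders=host;x-amz-date, Signature={signature}"),
    }


def gateway(method, path, headers, body=b""):
    """Apply the per-method checks in the order the deployed API would."""
    settings = METHOD_SETTINGS.get((method, path))
    if settings is None:
        return 403, "Missing Authentication Token"  # API Gateway's reply for an unknown route
    if settings["api_key_required"]:
        # The key only selects a usage plan; membership in the plan is all that is checked.
        if headers.get("x-api-key") not in USAGE_PLAN_KEYS:
            return 403, "Forbidden"
    if settings["authorization"] == "AWS_IAM":
        auth = headers.get("Authorization", "")
        if not auth.startswith("AWS4-HMAC-SHA256 Credential=") or "x-amz-date" not in headers:
            return 403, "Missing Authentication Token"
        access_key = auth.split("Credential=", 1)[1].split("/", 1)[0]
        secret = IAM_CREDENTIALS.get(access_key)
        if secret is None:
            return 403, "unknown access key"
        # Recompute the signature over what was actually received: any change to
        # method, path, body or a signed header makes it differ.
        when = dt.datetime.strptime(headers["x-amz-date"], "%Y%m%dT%H%M%SZ")
        expected = sigv4_headers(method, path, body, access_key, secret, when)["Authorization"]
        if not hmac.compare_digest(expected, auth):
            return 403, "signature mismatch"
        if (method, path) not in IAM_ALLOW.get(access_key, set()):
            return 403, "no execute-api:Invoke grant"  # authenticated, but not authorized
    return 200, "OK"


def run_demo():
    """Exercise each combination of controls; returns {case: HTTP status}."""
    when = dt.datetime(2024, 1, 15, 12, 0, 0)
    access_key, secret = next(iter(IAM_CREDENTIALS.items()))
    signed = sigv4_headers("GET", "/api/admin", b"", access_key, secret, when)
    plan_key = {"x-api-key": "constructed-math-client-key"}
    return {
        "open route, no headers": gateway("GET", "/api/hello", {})[0],
        "math without key": gateway("POST", "/api/math", {}, b"1+1")[0],
        "math with plan key": gateway("POST", "/api/math", plan_key, b"1+1")[0],
        "admin with only an api key": gateway("GET", "/api/admin", plan_key)[0],
        "admin signed with IAM creds": gateway("GET", "/api/admin", signed)[0],
        "admin signed, body tampered": gateway("GET", "/api/admin", signed, b"x")[0],
    }
```

Calling run_demo() makes the point of the preceding paragraphs concrete: a valid usage-plan key gets a 200 on /api/math but a 403 on the IAM-protected /api/admin, because the key is never treated as an identity, while a signed request succeeds only when the body and signed headers arrive exactly as signed and the principal holds an Invoke grant. The real service adds what this stand-in leaves out, notably a clock-skew window on x-amz-date and full IAM policy evaluation against the method ARN.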

AWS’s API Gateway is robust and straightforward to work with. Give it a try on your next AWS Lambda project.