If you're using AWS API Gateway and want to secure it with IAM credentials from your AWS users, you're in the right place.
AWS offers several methods to secure REST APIs, including API keys, Lambda authorizers, and Amazon Cognito, but in this post, we'll focus on using IAM. I'll guide you step-by-step through the process of securing your API Gateway with IAM.
Let's get started!
API Gateway
Amazon API Gateway is a fully managed AWS service that helps you create and manage APIs for your applications. It acts as a middleman, receiving requests and routing them to the right backend services, such as AWS Lambda or EC2.
Why IAM
By default, API Gateway APIs are exposed on a public URL, meaning anyone who has the link can call your API. To protect your data and backend services, you need to secure it. IAM authorization ensures that only approved principals can access your API: every request must be signed with valid AWS credentials, so you control who can send requests and what they can invoke.
Creating an API
For this article, I'll create a sample REST API in API Gateway and secure it using IAM.
To create an API, open the API Gateway service in the AWS Console, create a new REST API, and deploy it.
In the screenshots above, you can see that I have deployed a sample Pet Store API and invoked it using its invoke URL, and it is working fine.
Add IAM Authorization
Now let's add IAM authorization to our API method.
- Click the method under the path that you want to secure, choose Method request, and click the Edit button.
- In the Method request settings, choose AWS IAM from the Authorization dropdown and click Save.
- Redeploy the API and test your API endpoint using the invoke URL.
Now your API is secured, and it will return an HTTP 403 (Authentication Error) when accessed without IAM credentials.
- Next, test your API with IAM credentials using Postman. In Postman, go to the Authorization tab, choose AWS Signature from the Auth Type dropdown, and enter your access key, secret key, session token (if you are using STS credentials), and AWS Region. Now call your API endpoint; it will return a 200 response code.
Note
Your IAM user should have the execute-api:Invoke permission on the API that you want to call. The AWS Signature authentication method is a specific way of securing APIs provided by AWS. While many client-side libraries do not support it natively, you can use the AWS SDK to call the API Gateway endpoint or use third-party libraries such as requests-aws4auth in Python, along with similar libraries available for other programming languages.
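As an added example (not code from the original post), here is what those libraries do for you, written with only the Python standard library: a Signature Version 4 signer for an API Gateway invoke URL, plus a small caller that surfaces the 403 an unsigned or unauthorized request receives. The invoke URL, keys and session token you pass in are your own; any shown in comments are constructed placeholders.

```python
import datetime
import hashlib
import hmac
import urllib.error
import urllib.request
from urllib.parse import urlparse

SERVICE = "execute-api"  # signing service name for API Gateway REST endpoints

def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_request(method, url, region, access_key, secret_key,
                 body=b"", session_token=None, amz_date=None):
    """Build SigV4 headers for a request to an IAM-protected API Gateway endpoint.
    Query strings (if any) must already be URI-encoded; they are sorted here as SigV4 requires."""
    amz_date = amz_date or datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    parsed = urlparse(url)
    headers = {"host": parsed.netloc, "x-amz-date": amz_date}
    if session_token:  # STS credentials must also send the token, as in the Postman setup
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_query = "&".join(sorted(parsed.query.split("&"))) if parsed.query else ""
    canonical_request = "\n".join([method, parsed.path or "/", canonical_query, canonical_headers,
                                   signed_headers, hashlib.sha256(body).hexdigest()])
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: HMAC chain over date, region, service and the fixed terminator
    k_date = _hmac_sha256(("AWS4" + secret_key).encode(), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers

def invoke(method, url, headers, body=b""):
    """Send the signed request; API Gateway answers 403 if the signature or Invoke permission is missing."""
    req = urllib.request.Request(url, data=body or None, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # e.g. 403 for a missing/invalid signature or a user without execute-api:Invoke
```

Call sign_request with your invoke URL, region and credentials, then pass the returned headers to invoke; sending the same request with an empty header dict reproduces the 403 described above.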
Conclusion
In this article, we have seen how to secure our AWS API Gateway APIs using IAM credentials and learned how to call them using Postman.
If you found this article helpful, do like it and follow @adilansari (Adil's LinkedIn) for more useful content related to AWS, Cloud, DevOps, Linux, and more.