Joshua Kahn
Posted on • Originally published at blog.iamjkahn.com on

Calling Amazon API Gateway Authenticated Methods with axios and aws4

Amazon API Gateway provides a convenient, easy-to-use service that allows developers to publish, monitor, and maintain APIs. It also provides a separation of concerns between your custom business logic and common needs such as caching, throttling, and authorization.

For a recent project, I needed to secure my APIs such that only authorized users could call them (e.g. administrator endpoints). API Gateway supports a number of approaches to controlling access to your services. I also needed to provide authentication for a pool of users and opted to leverage AWS’s powerful IAM capability to control access via Amazon Cognito. Cognito provides both user management and federated identity, giving users secure access to AWS resources, including calling an API Gateway method.

Enough background, on to the code…

On the frontend, I used the popular axios HTTP library in addition to aws4, a library to sign requests using AWS Signature v4. While the configuration of API Gateway is beyond the scope of this post, know that we need to sign and provide an Authentication header in order for the call to be allowed by secured APIs. This is what aws4 helps to enable. Signing the requests allows the frontend to assume an AWS Role authorized to call the API.

Note: the following code snippets assume the user has already authenticated via Cognito and retrieved temporary credentials (including an access key, secret key, and session token).

First, the following code demonstrates a GET to an API secured with AWS_IAM authorization:

Next, let’s consider how the above changes for a PUT request. Note the addition to the request body as well as a content-type header.
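As an added example (not the author's code, and using Node's built-in `crypto` rather than aws4), the following shows the Signature V4 computation that aws4 performs, for both the GET and the PUT described above. `signRequest`, the host, paths and credential values are hypothetical, and the service is assumed to be `execute-api`.

```javascript
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');
const hmac = (key, s) => crypto.createHmac('sha256', key).update(s, 'utf8').digest();

// Assumptions: service is execute-api, the path needs no URI-encoding and has no
// query string, and creds are the temporary Cognito credentials the post mentions.
function signRequest(req, creds, region, now = new Date()) {
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ''); // e.g. 20240101T000000Z
  const scope = `${amzDate.slice(0, 8)}/${region}/execute-api/aws4_request`;
  const headers = { ...req.headers, host: req.host, 'x-amz-date': amzDate };
  if (creds.sessionToken) headers['x-amz-security-token'] = creds.sessionToken;

  // Canonical headers: lowercase names, trimmed values, sorted by name.
  const canon = Object.entries(headers)
    .map(([k, v]) => [k.toLowerCase(), String(v).trim()])
    .sort(([a], [b]) => (a < b ? -1 : 1));
  const signedHeaders = canon.map(([k]) => k).join(';');
  const canonicalRequest = [
    req.method, req.path, '', // third field is the (empty) canonical query string
    canon.map(([k, v]) => `${k}:${v}\n`).join(''),
    signedHeaders,
    sha256(req.body || ''), // body hash: altering the body invalidates the signature
  ].join('\n');
  const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope, sha256(canonicalRequest)].join('\n');

  // Signing key: HMAC chain over date, region, service and the fixed terminator.
  const key = scope.split('/').reduce((k, part) => hmac(k, part), 'AWS4' + creds.secretAccessKey);
  const signature = hmac(key, stringToSign).toString('hex');

  headers.Authorization = `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/${scope}, ` +
    `SignedHeaders=${signedHeaders}, Signature=${signature}`;
  delete headers.host; // signed above; the HTTP client sets Host from the URL
  return headers;
}

// Constructed sample values, not real credentials or a real API.
const creds = { accessKeyId: 'ASIAEXAMPLE', secretAccessKey: 'example-secret', sessionToken: 'example-token' };
const host = 'example123.execute-api.us-east-1.amazonaws.com';
const at = new Date('2024-01-01T00:00:00Z');

const getHeaders = signRequest({ method: 'GET', host, path: '/prod/admin/users' }, creds, 'us-east-1', at);

// PUT: the exact body string and the content-type header are part of what is signed.
const body = JSON.stringify({ displayName: 'example' });
const putHeaders = signRequest({ method: 'PUT', host, path: '/prod/admin/users/1',
  headers: { 'Content-Type': 'application/json' }, body }, creds, 'us-east-1', at);
// Send with axios({ method: 'PUT', url: `https://${host}/prod/admin/users/1`, data: body, headers: putHeaders })
```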


I hope you found the above useful as you work with these great frontend packages and Amazon API Gateway.
