Before starting, a small introduction on what Amazon API Gateway does.
Amazon API Gateway provides robust mechanisms to create, maintain and monitor HTTP, REST and WebSocket APIs (Application Programming Interfaces) at any scale.
This article explains how to use authorization mechanisms such as Lambda authorizers, Cognito user pools and IAM roles for authentication and fine-grained authorization. In addition, the use of API keys for access control, including rate limiting and throttling, is covered.
Lambda Authorizers for Authentication & Authorization
Lambda authorizers, formerly known as custom authorizers, control access to your APIs. When a client makes a request to one of your API's methods, API Gateway calls your Lambda authorizer, which takes the caller's identity as input and returns an IAM policy as output.
The Lambda authorizer's authorization workflow is as follows:
- The client calls a method on an API Gateway API, passing a bearer token or request parameters.
- API Gateway checks if the method request is configured with a Lambda authorizer. If it is, API Gateway calls the Lambda function. The Lambda function authenticates the caller. The function can authenticate in several ways, such as by calling out to an OAuth provider to get an OAuth access token, by calling out to a SAML provider to get a SAML assertion, by generating an IAM policy based on the request parameter values, or by retrieving credentials from a database.
- The Lambda function returns an IAM policy and a principal identifier. If the Lambda function does not return that information, the call fails¹.
- API Gateway evaluates the IAM policy. If access is denied, API Gateway returns a suitable HTTP status code, such as 403 ACCESS_DENIED. If access is allowed, API Gateway invokes the method.
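As an added example (not code from the original post or from AWS), here is a Python TOKEN-type Lambda authorizer for a REST API that performs the steps above: it authenticates the bearer token, then returns a principal identifier plus an IAM policy scoped to the requested method ARN, raising "Unauthorized" (which API Gateway maps to 401) when no valid credential is present and returning a Deny policy (403) when the caller is authenticated but not permitted. The token format, DEMO_SECRET and the premium-only rule for resources ending in /realtime are assumptions constructed for this example.

```python
import hmac
import hashlib
import time

# Constructed demo secret for this example only; a real deployment reads it from a secret store.
DEMO_SECRET = b"demo-shared-secret"

def make_token(subject, tier, expires_at, secret=DEMO_SECRET):
    """Build a constructed bearer token 'subject.tier.expiry.hexhmac' (example format, not an AWS one)."""
    body = f"{subject}.{tier}.{expires_at}"
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_token(token, secret=DEMO_SECRET, now=None):
    """Return (subject, tier) if the signature is valid and the token is unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 4 or not parts[2].isdigit():
        return None
    subject, tier, expires_at, sig = parts
    expected = hmac.new(secret, ".".join(parts[:3]).encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the signature check does not leak timing information.
    if not hmac.compare_digest(expected, sig):
        return None
    if int(expires_at) <= (now if now is not None else int(time.time())):
        return None
    return subject, tier

def build_policy(principal_id, effect, method_arn, context):
    """Shape of the object a REST API TOKEN authorizer returns to API Gateway."""
    return {
        "principalId": principal_id,
        "policyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}]},
        "context": context,  # string values only; reachable downstream as $context.authorizer.<key>
    }

def lambda_handler(event, context=None, now=None):
    """Entry point: the TOKEN authorizer event carries authorizationToken and methodArn."""
    header = event.get("authorizationToken", "")
    if not header.startswith("Bearer "):
        raise Exception("Unauthorized")  # no usable credential -> API Gateway answers 401
    claims = verify_token(header[len("Bearer "):], now=now)
    if claims is None:
        raise Exception("Unauthorized")  # bad signature or expired token -> 401
    subject, tier = claims
    # Assumed rule: only the premium tier may read the realtime resource; others get Deny -> 403.
    realtime = event["methodArn"].endswith("/realtime")
    effect = "Allow" if tier == "premium" or not realtime else "Deny"
    return build_policy(subject, effect, event["methodArn"], {"tier": tier})
```

The policy is scoped to the single method ARN that was requested; if authorizer result caching is enabled, the cached policy must instead cover every method the same principal may call during the cache TTL.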
API Keys for Access Control
API keys are used in REST APIs to control access and can be combined with usage plans to implement tracking and throttling. They can be generated directly within API Gateway or imported from external sources if custom keys need to be enforced.
A usage plan specifies who can access one or more deployed API stages and methods and optionally sets the target request rate to start throttling requests. Multiple API keys can be associated with a usage plan.
Quota limit: 10,000 keys per AWS Region per account.
To use API keys alongside a Lambda authorizer, the client must pass an additional header, X-API-KEY, whose value is the API key.
Example Scenario
An industrial IoT sensor organization collects huge amounts of data from RTUs (Real Time Units) and stores it in a database. Assuming there is already an application that displays the data, the clients would want that real-time/historical data to flow into their analytics systems.
For instance, let's say there is no access-control mechanism such as rate limiting, and all clients request the data through the APIs. You don't want premium clients to wait a long time because multiple reads are hitting the database table.
Instead, limit requests based on a usage plan, allowing premium customers to send more requests per second without delay.
Video Explanation Link - Watch this space.
Conclusion
- Use authorization mechanisms (e.g., Lambda authorizers, IAM roles) for authentication and fine-grained authorization.
- Use API keys for access control (e.g., rate limiting, throttling).
Resources
- Use API Gateway Lambda authorizers - Amazon API Gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html.
- Usage plans and API keys for REST APIs in API Gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html.
- Best practices for API keys and usage plans - Amazon API Gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html#apigateway-usage-plans-best-practices.