authentication for APIGateway using CloudFront cookies

0

I am working on a setup where website access to abc.example.com, def.example.com and so on is secured using CloudFront signed cookies set by Lambda@Edge. There is also a central API Gateway-based web API under the domain api.example.com that is called from all of the websites.

I am now trying to add authentication to the API so that only users who have the CloudFront signed cookies can make a call on behalf of the website the call originates from.

Is there a way to do so?

1 Answer
0
Accepted answer

You could route the traffic to your API Gateway via CloudFront and protect API Gateway with an API key.

So you would have "api.example.com" -> CloudFront (where you verify the cookie and add x-api-key to the request) -> API Gateway. To add the x-api-key you can specify it in the CloudFront settings as an origin custom header, without needing Lambda@Edge: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/add-origin-custom-headers.html

Here is the information on how to set up API Gateway with its own CloudFront distribution.

Miki
answered 2 years ago
  • I did check it out but got the impression it is not a fit. The challenge is that I need to use a cookie that belongs to the domain abc.example.com to authenticate against api.example.com. But I cannot set that cookie while at abc.example.com, as it is another domain. I would have to use a higher domain like example.com. However, then users from abc.example.com could access def.example.com, which I don't want them to be able to. I have now ended up with a scenario where I have Lambda@Edge create a JWT that carries the originating domain, e.g. abc.example.com, as its payload, and I set that cookie under .example.com so it is sent along with every API call to api.example.com.

  • Still, it looks like that approach is the only feasible solution.
