1 Respuesta
- Más nuevo
- Más votos
- Más comentarios
0
You can use a Lambda authorizer. The Lambda function will return a different policy to each API key that will specify which endpoints are allowed and which are denied.
Saying that, I am not sure this is the right approach. API keys should not be used for authorization. If you are using a Cognito authorizer, you could use scopes to protect the different endpoints.
Contenido relevante
- OFICIAL DE AWSActualizada hace 2 años
- OFICIAL DE AWSActualizada hace un año
Oh, I always thought API keys were for authorization. What should they be used for instead?
API Keys should be used for usage plans, i.e., limit the usage by different clients and throttle them if they exceed their quota.
Hello coming late to the party but I have the same question. I want to limit resource per API key. As I understand from the docs (https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html) I need to provide the api key of the user in the output of the lambda and in usageIdentifierKey property. My question is how am gonna find out which API key belongs to the calling user?