By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

API Key per resource?

0

In API Gateway, is it possible to manage usage of different resources per API Key? Like a given API Key lets you use /resource1 but not /resource2?

Topics
ServerlessFront-End Web & MobileNetworking & Content Delivery
Tags
Amazon API Gateway
Language
English
Kevin
asked 2 years ago958 views
1 Answer
0

You can use a Lambda authorizer. The Lambda function will return a different policy to each API key that will specify which endpoints are allowed and which are denied.

Saying that, I am not sure this is the right approach. API keys should not be used for authorization. If you are using a Cognito authorizer, you could use scopes to protect the different endpoints.

profile pictureAWS
EXPERT
Uri
answered 2 years ago
profile picture
EXPERT
Gary Mclean
reviewed 23 days ago
  • Kevin
    2 years ago

    Oh, I always thought API keys were for authorization. What should they be used for instead?

  • Uri EXPERT
    2 years ago

    API Keys should be used for usage plans, i.e., limit the usage by different clients and throttle them if they exceed their quota.

  • Christos S
    2 years ago

    Hello coming late to the party but I have the same question. I want to limit resource per API key. As I understand from the docs (https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html) I need to provide the api key of the user in the output of the lambda and in usageIdentifierKey property. My question is how am gonna find out which API key belongs to the calling user?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content