1 Answer
- Newest
- Most votes
- Most comments
0
You can use a Lambda authorizer. The Lambda function will return a different policy to each API key that will specify which endpoints are allowed and which are denied.
Saying that, I am not sure this is the right approach. API keys should not be used for authorization. If you are using a Cognito authorizer, you could use scopes to protect the different endpoints.
Relevant content
- asked 2 years ago
- asked 2 years ago
- asked 2 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
Oh, I always thought API keys were for authorization. What should they be used for instead?
API Keys should be used for usage plans, i.e., limit the usage by different clients and throttle them if they exceed their quota.
Hello coming late to the party but I have the same question. I want to limit resource per API key. As I understand from the docs (https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html) I need to provide the api key of the user in the output of the lambda and in usageIdentifierKey property. My question is how am gonna find out which API key belongs to the calling user?