API Gateway - Exposing Backend APIs - Authentication

Question

We have purchased software running on EC2 and we need to expose several REST APIs externally. The problem is that the APIs require OAuth authentication, and API Gateway only supports client certificate. This is a major deficiency, I doubt there are many APIs, public or private, that support client certificate authentication.

How can I call the target API from API Gateway? The only thing I can think of is to use a Lambda that obtains the token and makes the API call. Is this the only alternative? I'd rather not have to create, maintain, and pay to run a Lambda.

Also I see that there are solutions for caching secrets and environment variables across Lambda invocations, but no solution for caching arbitrary data such as the bearer token. I'd rather not have to obtain a new token for every call. I've seen some suggest using a class variable, the implication being that the class will persist until the container is shut down. However this assumption isn't backed up by any AWS documentation that I can find.

Any insights or suggestions are appreciated.

Answer

You need to use Lambda, but how about using "Custom Authorizer" as shown in the following document?  
https://aws.amazon.com/jp/blogs/compute/introducing-custom-authorizers-in-amazon-api-gateway/

Answer

As you indicated, API Gateway can't support what you need. You will need to implement a Lambda functions. The Lambda function will cache data between invocations if you save them in global/class variables, so you can do it once, or whenever the token expires. You could also cache the information in some external source, such as DynamoDB, so that you can share it between different Lambda instances and even between different Lambda functions (if you choose to create a different function for each of the backend APIs for instance).

API Gateway - Exposing Backend APIs - Authentication

Relevant content