1 Answer
- Newest
- Most votes
- Most comments
0
You could put the traffic to your API gateway via CloudFront, and protect API gateway with API key.
So you would have "api.example.com" -> CloudFront (Where you verify the cookie + add X-API-KEY to request -> API Gateway To add the x-api-key you can specify it in the CloudFront settings without the need to use Lambda@Edge https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/add-origin-custom-headers.html
Here the information on how to set up API Gateway with its own CloudFront distribution
answered 2 years ago
Relevant content
- asked a year ago
- Accepted Answerasked 5 months ago
- AWS OFFICIALUpdated a month ago
- AWS OFFICIALUpdated 4 months ago
- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated a year ago
I did check it out but got the impression it is not a fit. the challenge is that I need to use a cookie that belongs to domain
abc.example.com
to authenticate againstapi.example.com
. But I cannot set that cookie when atabc.example.com
as it is another domain. I would have to use a higher domain likeexample.com
. However, then users fromabc.example.com
could accessdef.example.com
what I don't want them to be able to. I now ended up with a scenario where I have Lambda@Edge create a JWT that has the originating domain, e.g.abc.example.com
as payload and I do set that cookie under.example.com
so it will be sent along with every api call toapi.example.com
.still, looks like that approach is the only feasible solution