authentication for APIGateway using CloudFront cookies
I am working on a setup where website access to abc.example.com and def.example.com and so on is secured using CloudFront signed cookies set by Lambda@Edge.
There also is a central APIGateway-based web API under the domain api.example.com that is being called from all websites.
I am now trying to add authentication to the API so that only users having the cloudfront signed cookies can make a call on behalf of the website where call originates from.
Is there a way to do so?
- Newest
- Most votes
- Most comments
You could put the traffic to your API gateway via CloudFront, and protect API gateway with API key.
So you would have "api.example.com" -> CloudFront (Where you verify the cookie + add X-API-KEY to request -> API Gateway To add the x-api-key you can specify it in the CloudFront settings without the need to use Lambda@Edge https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/add-origin-custom-headers.html
Here the information on how to set up API Gateway with its own CloudFront distribution
Relevant content
- asked a year ago
- Accepted Answerasked 5 months ago
AWS OFFICIALUpdated a month ago- AWS OFFICIALUpdated 4 months ago
- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated a year ago
I did check it out but got the impression it is not a fit. the challenge is that I need to use a cookie that belongs to domain
abc.example.comto authenticate againstapi.example.com. But I cannot set that cookie when atabc.example.comas it is another domain. I would have to use a higher domain likeexample.com. However, then users fromabc.example.comcould accessdef.example.comwhat I don't want them to be able to. I now ended up with a scenario where I have Lambda@Edge create a JWT that has the originating domain, e.g.abc.example.comas payload and I do set that cookie under.example.comso it will be sent along with every api call toapi.example.com.still, looks like that approach is the only feasible solution