[API Authorizer] Explicitly providing usage plan as response

0

We want to automatically manage API keys in our API Gateway. We also want to ensure that whenever a developer leaves the company, it will not be possible for them to access any API endpoints. Storing the key secrets as raw values inside API Gateway Keys is therefore not an option for us as the value could be copied any time.

For this reason, we are trying to implement the following mechanism: We generate a secret and store it in our database as a hashed value. The secret value is only ever shown in its raw form on creation. When processing requests to our API, the custom gateway authorizer extracts the secret from the HTTP headers and tries to look the hashed value up. If the key is found, an ALLOW policy document is returned. Our process is also automatically generating a usage plan and an API gateway key with the value set to the secret hash. The usage plan is automatically associated with our API stage.

All the changes are implemented but the API Gateway is still returning 403 errors for every request:

Successfully completed authorizer execution
Method completed with status: 403
API Key *********************************<non-hashed-suffix> not authorized because method 'GET /our-endpoint' requires API Key and API Key is not associated with a Usage Plan for API Stage <api-gateway-id>/<api-stage>: No Usage Plan found for key and API Stage

It seems like the API Gateway is not able to map the provided secret from the client to a usage plan which isn't surprising as we don't have any API keys with the raw secret value. The documentation reads as if the usageIdentifierKey from the authorizer response can be used to explicitly map the usage plan. At least that's what I understand from "authorizer-sourced API keys". We therefore provide it in our authorizer response:

return {
    ...
    policyDocument: { ... },
    usageIdentifierKey: '<api gateway key value of automatically generated resource>'
}

Yet this changes nothing. The API Gateway still tries to find the gateway key using the raw secret value. The authorizer processes TOKEN requests that extract the x-api-key header. The API Gateway is configured with apiKeySource=AUTHORIZER.

We also tried returning the API gateway key id instead of the key value. Same issue.

Questions

  • Is it even possible to implement our scenario using the API Gateway features?
  • What is the usageIdentifierKey good for if it doesn't allow you to provide the usage plan explicitly?
laurin
asked 5 months ago, 226 views
1 Answer
0
Accepted Answer

Redeploying the API fixed the issue.

laurin
answered 5 months ago
