- Newest
- Most votes
- Most comments
It would depend on the security requirements you have for internal vs external.
If the internal APIs should not be accessible to the public internet, then it would likely be best to setup different API Gateways with the internal one leveraging a private API Gateway. Instructions can be found here for setting this up.
If only the authorization mode is different and the APIs can be exposed to the public internet, then you can potentially leverage one API and create separate authorizers for external vs internal. This blog post walks through how these authorizers can be created and setup on a method level within API Gateway:
API Keys are mainly used to track who is using your API and/or creating usage plans. Docs for setting this up.
In the docs above its noted, "Don't use API keys for authentication or authorization for your APIs."
Depending on your requirement, you can leverage Cognito or a Lambda custom authorizer if you have an custom authorization scheme.
ok thanks. And I have some more questions on extension to the above.
- If API key should not be used for authentication or authorization for the APIs, can we use some 'x' along with API Key for doing authentication or authorization using any auth services for (Machine 2 Machine) ? If so, can you provide some approach ?
- Let us say, If I am planning to use JWT, how do I perform authorization and authentication on top of API Gateway for server to server (M2M) communication for external systems to access my APIs ?
- Is there any possibility of using best of both worlds ? (API key along with 'x' and JWT for authentication and authorization) Could you please share some approach for the above scenarios / best practices to achieve this for server to server authentication and authorization ?
For machine to machine authentication/authorization, you would still want to leverage Cognito. This example walks through how to setup the App Integration in Cognito with a client id/client secret.
Alright! Thanks for the answer. I have some questions. I wanted to know about the security and infrastructure challenges based on the below use case. For example, Let us assume the following use case. I have a project containing 100 APIs in 1 codebase. Out of this, I want to expose 60 APIs for internal usage that can be deployed to API Gateway AG1. These APIs are already authorized by an existing authorizer AU1. Now, for the remaining 40 APIs I want to expose them to the 3rd party developers/clients who are not logged in with our application, and that can be deployed to API Gateway AG2. Now I want these APIs to be authorized by a new authorizer AU2.
- Is it possible to configure a lambda to point to multiple authorizers just in case the same API is exposed for internal as well as external usage?
- Can this project be split into 2 codebases, one for exposing internal APIs and another one for exposing APIs to 3rd party so that we can have one authorizer for each project. ?
- a) One codebase having multiple authorizers + multiple API Gateways or b) 2 Codebases (each with a separate authorizer and API Gateway). What is the recommended approach?
- In which approach it is easy to do API versioning, 3a) or 3b)?
Relevant content
- Accepted Answerasked 3 years ago
- asked 2 months ago
- asked 3 months ago
AWS OFFICIALUpdated 3 years ago- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
Thanks for the reply. Let us assume that I go ahead with another API gateway to expose APIs for the external customers, is there any service / way in AWS which helps to create JWT Token and use it as API Key in API Gateway (rather than creating one) to send additional information for the customers ? In this case, there is no cloudfront. In API gateway there is an option to only create API key but how to generate JWT token and use it as API key ?