Connect to API with API-Gateway

Question

I have a problem with an existing API.
We use an ALB with Cognito to achieve the product.
User->ALB(Cognito)->Ingress->Product 
Product is reachable with https://myproduct.mypage.com/ over ingress.
The API is connected to the ingress. Like https://myproduct.mypage.com/api/(*)
The ALB forwards the traffic to the productAPI with the ingress rules.
Now I would like to open the API for others with a technical user. To do this, I create an API Gateway as a Proxy. But what I don't understand is how do I get to the API without having to go through cognito?

Answer

Here's a refined approach to consider:

1. Configure an API Gateway (HTTP or REST) to act as the entry point for external API requests. This will forward requests to your internal API endpoint (`https://myproduct.mypage.com/api/(*)`).

2. **Implement Lambda Authorizer for Authentication Bypass**:
   - Use a Lambda Authorizer to inspect incoming requests to the API Gateway. 
   - The Lambda function will check for specific identifiers (e.g., API keys, custom headers) that indicate a request is from a technical user.
   - If the request contains the correct identifiers, bypass the Cognito authentication and allow the request to proceed to your API. Otherwise, enforce the standard authentication flow.

3. Ensure your ingress is configured to properly route requests from the API Gateway, including those bypassing Cognito authentication.

4. Even when bypassing Cognito, secure the alternative authentication path with robust methods like API keys or OAuth tokens. Consider additional security measures like IP whitelisting to only allow traffic from the API Gateway to the specific bypass routes.

Connect to API with API-Gateway

相關內容