API Key Authentication with API Gateway using AWS CDK
API key authentication is a common method for securing APIs by controlling access to them. It’s important to note that API keys are great for authentication, but further development should be made to ensure proper authorization at the business level. API keys do not ensure that the correct permissions are being enforced, only that the user has access to the API.
Regardless, let’s get started! In this post, we’re going to touch on a few services:
- API Gateway with Proxy Integration
- Lambda Authorizer
- AWS CDK
Get started
Conceptually, the flow of our application will look like this:
- Client makes a request to API Gateway with API key
- The lambda authorizer determines if the API key is valid
- If the API key is valid, the policy is generated and the request is allowed to pass through to the lambda function
- If the API key is invalid, the request is denied
- The lambda function is invoked and returns a response
Set up the CDK project
Firstly, let’s create the CDK project. I will choose TypeScript as the language, but you can choose any language you prefer. Please refer to the AWS CDK hello world documentation for other supported languages.
1cdk init --language typescript
Next, let’s install the necessary dependencies:
1npm i
In addition, install the @types/aws-lambda
package:
1npm i @types/aws-lambda
Let’s start by finding the primary stack file which is located under the lib
directory. In my case, it’s lib/api-key-gateway-stack.ts
.
Edit the CDK stack
Luckily, in a few lines of code, we can spin up a full-featured API Gateway with a lambda handler using the AWS CDK.
1import { Duration, Stack, StackProps } from "aws-cdk-lib";
2import { Construct } from "constructs";
3import { Runtime } from "aws-cdk-lib/aws-lambda";
4import {
5 LambdaRestApi,
6 TokenAuthorizer,
7 AuthorizationType,
8} from "aws-cdk-lib/aws-apigateway";
9import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
10
11export class ApiKeyGatewayStack extends Stack {
12 constructor(scope: Construct, id: string, props?: StackProps) {
13 super(scope, id, props);
14 const fn = new NodejsFunction(this, "server", {
15 entry: "bin/server.ts",
16 handler: "handler",
17 runtime: Runtime.NODEJS_20_X,
18 timeout: Duration.minutes(1),
19 });
20 const auth = new NodejsFunction(this, "auth", {
21 entry: "bin/auth.ts",
22 handler: "handler",
23 runtime: Runtime.NODEJS_20_X,
24 timeout: Duration.seconds(10),
25 });
26 const api = new LambdaRestApi(this, "api", {
27 handler: fn,
28 defaultMethodOptions: {
29 authorizationType: AuthorizationType.CUSTOM,
30 authorizer: new TokenAuthorizer(this, "authorizer", {
31 handler: auth,
32 }),
33 },
34 });
35 }
36}
Let’s break down the code:
- The first construct,
NodejsFunction
, is a node lambda function that will serve as our primary handler. - The second construct, another
NodejsFunction
, is a lambda authorizer that will be used to validate the API key. - The third construct,
LambdaRestApi
, is the API Gateway that includes the first construct wired as the proxy integration and the second construct as the authorizer.
Create the lambda handler
Located at bin/server.ts
, we will create a simplistic lambda function that returns Hello, World!
.
1import { APIGatewayProxyEvent, APIGatewayProxyResult } from "aws-lambda";
2
3export const handler = async (
4 event: APIGatewayProxyEvent,
5): Promise<APIGatewayProxyResult> => {
6 return {
7 statusCode: 200,
8 body: JSON.stringify({ message: "Hello, World!" }),
9 };
10};
Create the lambda authorizer
Next, let’s create the lambda authorizer located at bin/auth.ts
. This lambda function will be responsible for validating the API key.
To keep it simple, we will hardcode the API key to Bearer abc123
.
1import { APIGatewayTokenAuthorizerEvent, Handler } from "aws-lambda";
2
3export const handler: Handler = async (
4 event: APIGatewayTokenAuthorizerEvent,
5) => {
6 const effect = event.authorizationToken == "Bearer abc123" ? "Allow" : "Deny";
7 return {
8 principalId: "abc123",
9 policyDocument: {
10 Version: "2012-10-17",
11 Statement: [
12 {
13 Action: "execute-api:Invoke",
14 Effect: effect,
15 Resource: [event.methodArn],
16 },
17 ],
18 },
19 };
20};
Deploy the stack
Now that we have our stack and lambda handlers setup, let’s deploy the stack!
1npx cdk deploy
Once the deployment is complete, you should see the API Gateway endpoint as an output.
1Do you wish to deploy these changes (y/n)? y
2ApiKeyGatewayStack: deploying... [1/1]
3ApiKeyGatewayStack: creating CloudFormation changeset...
4
5 ✅ ApiKeyGatewayStack
6
7✨ Deployment time: 45.34s
8
9Outputs:
10ApiKeyGatewayStack.apiEndpoint9349E63C = https://x2s65m7xyd.execute-api.us-east-1.amazonaws.com/prod/
11Stack ARN:
12arn:aws:cloudformation:us-east-1:123456789012:stack/ApiKeyGatewayStack/0ca225a0-3727-11ef-ae64-0affd17461c9
13✨ Total time: 117.33s
Test the API
Let’s use curl
to test the API without the API key.
1curl https://<id>.execute-api.us-east-1.amazonaws.com/prod/
Output:
1{"message":"Unauthorized"}
As expected, we received an unauthorized response. Now, let’s test the API with the API key.
1curl https://x2s65m7xyd.execute-api.us-east-1.amazonaws.com/prod/ \
2 -H "Authorization: Bearer abc123"
Output:
1{"message":"Hello, World!"}
Great! We have successfully created an API Gateway with a lambda authorizer using the AWS CDK. At this point, you may choose to extend the Lambda Authorizer to query another data source like DynamoDB that stores API keys.
Clean up
Lastly, let’s clean up our AWS resources by destroying the stack:
1npx cdk destroy
That’s it! You successfully created an API Gateway with a lambda authorizer using the AWS CDK.