Reputation: 5781
I have several API Gateway "methods" (endpoints) that I want to make available ONLY to users that have specific IAM roles (policies). I have tried just about everything I can think of to do this.
Basically... all I want is to find a way to pass an access token into API Gateway (via a header) and figure out what role that access token belongs to, then let API Gateway do the work of authorizing based on the Policy attached to that role. Am I way off base?
Upvotes: 1
Views: 605
Reputation: 10547
You need to set the Authorization to AWS_IAM in Method Request > Authorization Settings and pass the Authorization HTTP request header when calling your API methods. The Authorization header requires that you calculate the digital signature for your signed request.
Signing your requests
This reference will walk you through the steps required to calculate the digital signature for your signed requests.
If you just want to test your API using Postman, this can be done by choosing the Authorization tab and selecting AWS Signature for the authorization Type. Enter your AWS IAM user's access key ID in the AccessKey input field and your IAM user secret key in SecretKey, and specify an appropriate AWS Region that matches the region specified in the invocation URL. Enter execute-api in Service Name.
This should construct a header similar to the following:
POST /prod/yourapi HTTP/1.1
Host: XXXXXXXXXX.execute-api.us-east-1.amazonaws.com
Content-Type: application/json
X-Amz-Date: 20170302T080546Z
Authorization: AWS4-HMAC-SHA256 Credential=YOURACCESSKEY/20170302/us-east-1/execute-api/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date, Signature=000000000000000000000000000000000000000000000000000000
Cache-Control: no-cache
Upvotes: 2
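The Authorization header shown in the answer is produced by the AWS Signature Version 4 algorithm. As an added example (not from the answer above or from AWS's own SDK), the function below builds that header for an execute-api call using only the Python standard library; the host, path, body and credential values passed in are constructed placeholders, and the path is assumed to need no URI encoding.

```python
import hashlib
import hmac
from datetime import datetime, timezone


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_headers(method, host, path, body, access_key, secret_key, region,
                  service="execute-api", amz_date=None):
    """Return the headers needed for an AWS_IAM-authorized API Gateway call.

    Steps: canonical request -> string to sign -> derived signing key -> HMAC.
    The secret key never leaves the client; only the HMAC signature is sent.
    """
    if amz_date is None:
        amz_date = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    # Canonical headers: lower-case names, sorted, each line newline-terminated.
    headers = {
        "content-length": str(len(body.encode("utf-8"))),
        "content-type": "application/json",
        "host": host,
        "x-amz-date": amz_date,
    }
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in sorted(headers.items()))
    signed_headers = ";".join(sorted(headers))
    # Empty query string; path assumed to be already URI-safe (e.g. /prod/yourapi).
    canonical_request = "\n".join(
        [method, path, "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    # Signing key is scoped to date, region and service, so a leaked key
    # cannot be replayed against another day, region or service.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"Host": host, "Content-Type": "application/json",
            "X-Amz-Date": amz_date, "Authorization": authorization}
```

Because the request body is hashed into the canonical request, API Gateway rejects a request whose body was altered after signing, and the date in the scope limits how long a captured signature stays valid.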