Amir

Reputation: 2415

Authorize AWS API Gateway with either API Key or Authorizer

In AWS API Gateway,
- We can set up a resource to require API Key for access.
- We can also set up another resource to require Authorization (e.g. JWT token, handled via a lambda function or AWS Cognito).

The question: can we configure a resource to be accessible in either of the above two situations? Currently, if we enable "API Key Required" and "Authorization" simultaneously, the request needs both the API Key and the Authorization. We were hoping for it to pass with only one of the two.

Hack/workaround: Create two copies of the same resource, and authorize each separately, one with API Key and the other one with an authorizer.

Upvotes: 15

Views: 8751

Answers (2)

Amir

Reputation: 2415

Authentication, Identification, Authorization are intertwined concepts. As I got more educated on Auth, here is my answer:

  • API Keys are used for project/application identification and authorization
  • JWTs are used for user authentication and authorization.
  • API Key is on project/application scope and JWT is on user scope. In other words, API Key only identifies the application, not the user of the application.

Accordingly, it makes sense not to authorize the same endpoint with both JWT and API Key as it would reduce the governance granularity for users and applications. But, if you have a use case that requires that type of authorization, the suggested workaround could work.

Upvotes: 6

qkhanhpro

Reputation: 5220

Let authorizer generate/map the API key for you

You have a Lambda authorizer return the API key as part of the authorization response. For more information on the authorization response, see Output from an Amazon API Gateway Lambda authorizer.

Pros:

  • Single end-point

  • API key is more for usage plan than authorization. Keep it that way.

Cons:

  • Authorizer will run on each request, which costs money.

Upvotes: 3
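An added illustration of the approach in this answer (example code, not the answerer's or AWS's own): a REQUEST-type Lambda authorizer that allows either a valid Bearer JWT or an x-api-key header and returns usageIdentifierKey so the usage plan is enforced on both paths. It assumes the API's apiKeySource is set to AUTHORIZER, a token issuer that signs HS256 tokens with the constructed DEMO_SECRET, and a constructed client_id-to-API-key map (CLIENT_TO_API_KEY).

```python
import base64, hashlib, hmac, json, time

# Constructed demo values: issuer's HS256 secret and client_id -> usage-plan API key.
DEMO_SECRET = b"demo-secret-not-for-production"
CLIENT_TO_API_KEY = {"mobile-app": "demo-api-key-for-mobile-app"}

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _sign(head, body, secret):
    return hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()

def mint_hs256_jwt(claims, secret):  # stand-in for the real identity provider
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64url(_sign(head, body, secret))}"

def verify_hs256_jwt(token, secret, now=None):
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":
            return None  # refuse alg confusion ("none", or RS256 key reuse)
        if not hmac.compare_digest(_sign(head, body, secret), _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # malformed base64 (binascii.Error) or JSON
        return None
    return claims if claims.get("exp", 0) > (now or time.time()) else None

def _response(principal, effect, method_arn, api_key=None):
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
    resp = {"principalId": principal,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}
    if api_key:  # honoured by API Gateway only when apiKeySource is AUTHORIZER
        resp["usageIdentifierKey"] = api_key
    return resp

def handler(event, context=None):
    """REQUEST-type Lambda authorizer: allow on a valid Bearer JWT or on x-api-key."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    arn, auth = event["methodArn"], headers.get("authorization", "")
    if auth.startswith("Bearer "):
        claims = verify_hs256_jwt(auth[len("Bearer "):], DEMO_SECRET)
        key = claims and CLIENT_TO_API_KEY.get(claims.get("client_id"))
        if key:  # user authenticated; bill the call to the app's usage-plan key
            return _response(claims.get("sub", "unknown-user"), "Allow", arn, key)
    if headers.get("x-api-key"):  # forward the header key; the gateway validates it
        return _response("api-key-client", "Allow", arn, headers["x-api-key"])
    return _response("anonymous", "Deny", arn)
```

With apiKeySource left at its default of HEADER, API Gateway ignores usageIdentifierKey and reads X-API-Key itself, so the JWT-only path would still fail the key check.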
