Send AWS API Gateway Key Name to Server

Question

Let's say I have an AWS API Gateway. I have a resource in said gateway that requires the use of a gateway API Key. I would like my server to know which of my various keys are being used to authenticate (just for logging; there's no access control happening based on this).

How do I include the name of the gateway API Key in the request that is being sent to the server?

Answer 1

Firstly, you mentioned logging which keys are used for authentication. API GW API Keys are intended to be used with usage plans, not authentication/authorization (link).

For user authentication and authorization, don't use API keys. Use an IAM role, a Lambda authorizer, or an Amazon Cognito user pool.

I think it is because of this reason, AWS does not forward the key further to the backend. Furthermore, if you have used one of the authorizers like Lambda or Cognito, your backend will have a way to log the authenticated identity.

If you really want to log the API keys though, I think you can use a mapping template to explicitly tell API GW to forward the x-api-key header.

Answer 2

API keys attached to an API gateway have to be unique. From the docs:

API key values must be unique. If you try to create two API keys with different names and the same value, API Gateway considers them to be the same API key.

The is no such header to specify the name of the key. You can create your own custom header where you would add this information, but nothing would guarantee that the correct name is sent with a given API key. You would probably want to implement a call using the AWS SDK from your server to retrieve the name of the API key.

In case you are using a Lambda authorizer function, you can fetch the name of the API key in this function and forward it as a header to the backend server.