How to use IAM authorization for API Gateway in AWS?

Shiv Pal Singh Kaundal
5 min read · Apr 11, 2023


API Gateway offers several options for authenticating and authorizing API access. With IAM-based authorization, clients must sign each request with AWS credentials using Signature Version 4. AWS uses the access key ID carried in the request to identify the caller, recomputes the signature from the request contents, and processes the request only if the signatures match; requests whose signature does not match are rejected.

Using the AWS SDK usually eliminates the need to create custom code for signing requests, as the SDK automatically manages this task. However, if a programming language does not have an AWS SDK available, it becomes necessary to include the code to sign requests manually.

In this post, I will provide a step-by-step guide to configure a REST API and enable IAM authorization on all its resources. The guide includes creating a user and assigning them the necessary IAM policies, enabling access to the API using their access key ID and secret access key credentials. To invoke the API, we will be using Postman and selecting AWS Signature as the authorization type, which automatically signs the request using Signature Version 4. Finally, we will examine the Authorization header generated by Postman at the end of the post.

REST API

To create a REST API without any authorization using AWS, follow this tutorial provided by AWS. The API will use HTTP integration for a dummy PetStore website. Once the API is deployed, copy the Invoke URL as shown below and paste it into your browser or Postman to view the response.

Invoke URL
API response in Postman

The API will create various resources that can be accessed by extending the Invoke URL as needed. We will access the following resources in Postman:

/pets — This returns a list of all the pets.

/pets/{petId} — This returns the details of a specific pet ID.

API resources

REST API IAM Authorization

To ensure secure access to the API, we will enable IAM authorization for the GET method on both of the above resources as shown below. The same process can be followed to enable IAM authorization for the POST method.

Click on the “GET” method for /pets resource as shown below.

API Resource Methods

Click on “Method Request”, which opens the request settings screen.

API Method Request

Change Authorization from “NONE” to “AWS IAM”. Click the “OK” button to save the changes.

API Gateway Authorization

Follow the same process to enable IAM Authorization for the GET method on the other resource. Once you have made the changes, remember to redeploy the API to make them effective.

IAM User & Policies

To grant API invoke permissions to a user, create an IAM user and attach the policy below. Afterwards, generate an access key for the user and download it.

IAM Permission Policy
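The policy in the image above is not reproduced in text, so here is an added example (not the post's own policy) of what a least-privilege version looks like: it grants execute-api:Invoke only on the GET methods of the two resources configured above, and includes a simplified evaluator to show how the resource ARN controls what the user may call. The region, account ID, API ID and stage are constructed placeholders.

```python
"""Added example: least-privilege execute-api:Invoke policy for the two GET resources,
plus a simplified check of which request ARNs it covers. Values are placeholders."""
import fnmatch
import json


def invoke_arn(region, account_id, api_id, stage, method, path):
    """Build an execute-api resource ARN:
    arn:aws:execute-api:REGION:ACCOUNT:API-ID/STAGE/METHOD/PATH"""
    return (f"arn:aws:execute-api:{region}:{account_id}:{api_id}"
            f"/{stage}/{method}/{path.lstrip('/')}")


def build_invoke_policy(region, account_id, api_id, stage):
    """Allow GET on /pets and on any pet ID under /pets/, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": [
                invoke_arn(region, account_id, api_id, stage, "GET", "/pets"),
                invoke_arn(region, account_id, api_id, stage, "GET", "/pets/*"),
            ],
        }],
    }


def is_allowed(policy, action, resource_arn):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow
    grants access. IAM's * and ? wildcards are mapped onto fnmatch patterns."""
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    # Placeholder identifiers, not a real account or API
    policy = build_invoke_policy("us-east-1", "123456789012", "abcd1234", "prod")
    print(json.dumps(policy, indent=2))
    base = "arn:aws:execute-api:us-east-1:123456789012:abcd1234/prod"
    for arn in (f"{base}/GET/pets", f"{base}/GET/pets/1", f"{base}/POST/pets"):
        print(arn, "->", is_allowed(policy, "execute-api:Invoke", arn))
```

Scoping the Resource to stage, method and path is what makes the authorization granular: the same user is refused on POST, on another stage, or on another API even though the action is identical.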

Postman

Open Postman and create a new request by clicking the “New” button in the upper left corner. Select “GET” as the request method. In the first field of the request URL, paste the invoke URL and append “/pets” to the end of the URL to access the “/pets” resource.

Postman

Set the parameters below as shown in the image above.

Authorization Type - AWS Signature
AccessKey - Use the AccessKey downloaded in IAM user & policies section
SecretKey - Use the SecretKey downloaded in IAM user & policies section
AWS Region - Set the region where API is deployed
Service Name - execute-api

AWS Signature

The AWS signature generated by Postman can be viewed under the “Headers” section, as shown below. The Authorization header contains the AccessKey used to sign the request together with the Signature itself. Note that the SecretKey is never sent in the request; the client uses it only to calculate the signature.

Authorization Header

Once the request is received by AWS, it will use the AccessKey to identify the user and will calculate the signature on the server-side using the SecretKey. It will then compare this calculated signature to the signature included in the Authorization header of the request. If the two signatures match, AWS will grant the requested access to the user.
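The signing that Postman does for you, and the server-side check just described, can be followed end to end in code. The following is an added example written for this post, not code from the original, and not the AWS SDK: a minimal Signature Version 4 signer for a GET request using only the Python standard library, next to a verifier that does what AWS does on receipt. The invoke URL, access key ID and secret key are constructed placeholders, and the verifier keeps a dict standing in for AWS's credential store.

```python
"""Added example: AWS Signature Version 4 for an API Gateway request, client-side signing
and the matching server-side verification. Credentials and URL are placeholders."""
import datetime
import hashlib
import hmac
import re
import urllib.parse

ALGORITHM = "AWS4-HMAC-SHA256"
SIGNED_HEADERS = "host;x-amz-date"
AUTH_RE = re.compile(
    r"^AWS4-HMAC-SHA256 Credential=(?P<key>[^/]+)/(?P<date>\d{8})/(?P<region>[^/]+)"
    r"/(?P<service>[^/]+)/aws4_request, SignedHeaders=[^,]+, Signature=[0-9a-f]{64}$"
)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service key; the raw secret never signs directly."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(method, url, region, access_key, secret_key, now, service="execute-api", body=b""):
    """Client side: return Host, X-Amz-Date and the Authorization header for the request."""
    parsed = urllib.parse.urlsplit(url)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    # Canonical request: method, encoded path, sorted encoded query, headers, payload hash
    path = urllib.parse.quote(parsed.path or "/", safe="/-_.~")
    params = sorted(urllib.parse.parse_qsl(parsed.query, keep_blank_values=True))
    query = "&".join(f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
                     for k, v in params)
    headers = f"host:{parsed.netloc}\nx-amz-date:{amz_date}\n"
    canonical = "\n".join([method, path, query, headers, SIGNED_HEADERS, _sha256_hex(body)])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(canonical.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "Host": parsed.netloc,
        "X-Amz-Date": amz_date,
        "Authorization": f"{ALGORITHM} Credential={access_key}/{scope}, "
                         f"SignedHeaders={SIGNED_HEADERS}, Signature={signature}",
    }


def verify_request(method, url, headers, secrets, now, max_skew=datetime.timedelta(minutes=15)):
    """Server side: read the access key ID from Credential=, recompute the signature with the
    stored secret and compare in constant time. Returns (accepted, access_key_or_None)."""
    m = AUTH_RE.match(headers.get("Authorization", ""))
    if not m:
        return False, None
    access_key = m.group("key")
    secret_key = secrets.get(access_key)
    if secret_key is None:
        return False, access_key
    try:
        req_time = datetime.datetime.strptime(headers["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    except (KeyError, ValueError):
        return False, access_key
    if abs(now - req_time.replace(tzinfo=datetime.timezone.utc)) > max_skew:
        return False, access_key  # outside the accepted time window: stale or replayed
    expected = sign_request(method, url, m.group("region"), access_key, secret_key,
                            req_time, m.group("service"))
    return hmac.compare_digest(expected["Authorization"], headers["Authorization"]), access_key


def demo():
    """Constructed round trip with placeholder credentials (not real AWS keys)."""
    t = datetime.datetime(2023, 4, 11, 12, 0, 0, tzinfo=datetime.timezone.utc)
    url = "https://abcd1234.execute-api.us-east-1.amazonaws.com/prod/pets?type=dog"
    key, secret = "AKIAEXAMPLEKEY000001", "EXAMPLE-SECRET-NOT-REAL"
    headers = sign_request("GET", url, "us-east-1", key, secret, t)
    store = {key: secret}
    return {
        "headers": headers,
        "valid": verify_request("GET", url, headers, store, t),
        "tampered_query": verify_request("GET", url + "&admin=1", headers, store, t),
        "wrong_secret": verify_request("GET", url, headers, {key: "other"}, t),
        "stale": verify_request("GET", url, headers, store, t + datetime.timedelta(hours=1)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The headers returned by sign_request carry only the access key ID, the scope and the hex signature, which is why the SecretKey never leaves the client; any change to the method, path, query string or date after signing produces a different canonical request and fails verification.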

Conclusion

Implementing authorization for API Gateway in AWS is a crucial step in securing your API and protecting your data. With the help of IAM roles, policies, and permissions, you can control access to your API at a granular level and ensure that only authorized users are able to interact with it. By following the steps outlined in this article, you can easily configure IAM authorization for your API Gateway and provide your users with a secure and reliable API.

Shiv Pal Singh Kaundal

Cloud Enthusiast with experience in architecting cloud infrastructure for SaaS applications, micro services on AWS