How to Set Up Authentication in AWS API Gateway
To set up authentication in AWS API Gateway, configure an Authorizer such as a Lambda authorizer or Cognito user pool and attach it to your API methods. This ensures only authenticated requests can access your API endpoints.

Syntax
Authentication in AWS API Gateway is set by defining an Authorizer and linking it to API methods. Common authorizer types include:
- Lambda Authorizer: A Lambda function that validates tokens or credentials.
- Cognito User Pool Authorizer: Uses AWS Cognito to manage user authentication.
- IAM Authorization: Uses AWS IAM roles and policies.
Example syntax for a Lambda authorizer in AWS CLI:
```bash
aws apigateway create-authorizer \
  --rest-api-id <api-id> \
  --name <authorizer-name> \
  --type TOKEN \
  --authorizer-uri arn:aws:apigateway:<region>:lambda:path/2015-03-31/functions/<lambda-arn>/invocations \
  --identity-source method.request.header.Authorization
```
Example
This example shows how to create a simple Lambda authorizer and attach it to an API Gateway method using AWS CLI commands.
```bash
# 1. Create the authorizer function (auth-function.zip contains index.js exporting "handler")
aws lambda create-function \
  --function-name MyAuthFunction \
  --runtime nodejs18.x \
  --role arn:aws:iam::123456789012:role/lambda-exec-role \
  --handler index.handler \
  --zip-file fileb://auth-function.zip

# 2. Register it as a TOKEN authorizer; the response JSON contains the "id" used in step 4
aws apigateway create-authorizer \
  --rest-api-id abcdef1234 \
  --name MyLambdaAuthorizer \
  --type TOKEN \
  --authorizer-uri arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:MyAuthFunction/invocations \
  --identity-source method.request.header.Authorization

# 3. Switch the method to Lambda-authorizer authorization. The authorizationType
#    value for a Lambda authorizer is CUSTOM (AWS_LAMBDA is not a valid value).
aws apigateway update-method \
  --rest-api-id abcdef1234 \
  --resource-id xyz123 \
  --http-method GET \
  --patch-operations op=replace,path=/authorizationType,value=CUSTOM

# 4. Point the method at the authorizer created in step 2
aws apigateway update-method \
  --rest-api-id abcdef1234 \
  --resource-id xyz123 \
  --http-method GET \
  --patch-operations op=replace,path=/authorizerId,value=<authorizer-id>
```
Output
Created Lambda function MyAuthFunction
Created authorizer MyLambdaAuthorizer
Updated GET method to use CUSTOM (Lambda authorizer) authorization
Attached authorizer to GET method
Common Pitfalls
- Not granting API Gateway permission to invoke the Lambda authorizer causes authorization failures.
- Forgetting to deploy the API after changes means authentication updates won't apply.
- Incorrect identity-source configuration leads to missing tokens in requests.
- Using expired or invalid tokens causes 401 Unauthorized errors.
```bash
# Wrong way: the authorizer URI is a bare Lambda ARN instead of the API Gateway
# invocation URI, and the identity source names a header ("Auth") clients do not send
aws apigateway create-authorizer \
  --rest-api-id abcdef1234 \
  --name BadAuthorizer \
  --type TOKEN \
  --authorizer-uri arn:aws:lambda:us-east-1:123456789012:function:MyAuthFunction \
  --identity-source method.request.header.Auth

# Right way
aws apigateway create-authorizer \
  --rest-api-id abcdef1234 \
  --name GoodAuthorizer \
  --type TOKEN \
  --authorizer-uri arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:MyAuthFunction/invocations \
  --identity-source method.request.header.Authorization
```
Quick Reference
- Authorizer Types: TOKEN (Lambda; the method's authorizationType is CUSTOM), COGNITO_USER_POOLS, AWS_IAM
- Identity Source: Usually method.request.header.Authorization
- Permissions: Lambda authorizer must allow API Gateway to invoke it
- Deployment: Always deploy API after changes
Key Takeaways
Set up an authorizer (Lambda or Cognito) and attach it to API Gateway methods to enable authentication.
Ensure API Gateway has permission to invoke your Lambda authorizer function.
Configure the identity source header correctly, usually 'Authorization'.
Always deploy your API after making authentication changes.
Test with valid tokens to avoid unauthorized errors.