I want to create an AWS API endpoint which will be publicly available over the internet, in or out of a VPC. After hitting the API endpoint, the request will first go through the authorizer, which will check whether to allow or deny it.
I selected the endpoint type = "regional", but I am unable to access the endpoint; it's showing a Forbidden error. I have added it to the usage plans also and added the required API key. I have set the authorization to CUSTOM. I have created one authorizer that will return allow or deny.
We are planning on setting up an AWS API Gateway. We also have a requirement that every call that hits our API gateway should go through a JWT token validation. We are using Okta as our IDP which will generate an access token.
We tried the AWS REST API gateway, which supports a Lambda authorizer, but the problem we have with it is that Lambdas are too slow and there is no way we can cache the JWKS URI and keys. We would get thousands of requests within a second, and Lambdas do not work well here. Our goal is to achieve token validation within two-digit milliseconds, which is only possible if we are able to cache the JWKS public key and refetch it only when it is rotated. Please note we do not want to use the caching option of the REST API to cache authorization.
We also tried the AWS HTTP API, which supports a JWT authorizer, but even here we are getting only three-digit millisecond performance, like 500ms-700ms. The majority of the time is spent fetching the OIDC metadata endpoint and fetching the public key from the Okta issuer endpoint.
Now, we know that we could implement our own custom token validation (authorizer) within one of our own REST API services (using Golang or Node.js) that will always run within an EC2 instance or a Fargate server within an ECS cluster, or for simplicity just within an EC2 instance.
Does AWS API Gateway by any chance allow some kind of custom hook where, whichever endpoint on the gateway is invoked, it should first invoke our custom REST API endpoint running in an EC2 instance and then, once it gets a valid token response, invoke the actual URL? Is this even possible? If not, what other options do we have?
Thanks
We have deployed a Chalice app to AWS, and we are receiving the following response when calling endpoints that require an API Key:
{
"message": "Forbidden"
}
Endpoints that don't require an API Key can be called without any issues.
What's strange is that we used to be able to call the endpoints that require an API Key without any issues, so we're also considering that a Chalice or AWS update may have caused the issue.
We're using Postman and are passing the API Key as a header in the request:
x-api-key: Our API Key's Value.
We're also not getting any logs in CloudWatch, presumably because the endpoints aren't actually getting called due to the issue. AWS is blocking the request before it even reaches our endpoint.
Our API Key has been configured as follows:
API Key:
ID: Our key's ID.
Name: Our key's name.
API key: Our key's value.
Enabled: Enabled
Associated Usage Plan:
ID: Our plan's ID.
Name: Our plan's name.
Throttle: No throttling.
Quota: No quota.
The API Key and Usage Plans look properly configured, so we assume the issue is not with the API Key itself.
From the "Troubleshoot API Gateway 403 Forbidden errors" documentation:
If the API Key was invalid (or, we assume, incorrect), we would be getting the below message instead:
"Invalid API Key identifier specified"
However, we are getting the generic "Forbidden" error instead:
"Forbidden"
The documentation only lists three possible causes for this error:
The request is blocked by web application firewall (WAF) filtering when AWS WAF is activated in the API.
When invoking a private API from within an Amazon Virtual Private Cloud (Amazon VPC) using public DNS names, the "Host" or "x-apigw-api-id" header is missing in the request.
The caller uses the default execute-api endpoint to invoke a REST API after disabling the default endpoint.
We believe that none of the above reasons apply to us due to the following:
We don't have a WAF (nor Web ACL) configured in our API Gateway.
We're not invoking a private API from within an Amazon VPC.
We did not disable the default endpoint and are instead using the default Invoke URL.
Did we miss something, or could this be a Chalice or AWS issue?
We found the source of the issue.
Apparently, the Usage Plan that our API Key was tied to was configured for another API.
All we had to do was add our API to the Usage Plan's Associated API Stages.
How do you setup and access an AWS API Gateway without an authorizer?
I've created an API Gateway that I want to be publicly accessible. It will be used to perform its own authorization. But when I try to access its invocation URL, it returns the error response:
{"message":"Missing Authentication Token"}
I assume this is because the GET method for my gateway has Authorization=None. However, I don't want to use either AWS's lambda or cognito authorizers.
How do I change that to not require any built-in authorizer?
I have a project that needs to make use of Lambda functions which are triggered by API Gateway with a protected authorizer. I have set the resource method to require an authorization header, which is the token ID given in Cognito's authentication response. Basically, all protected routes in the application are handled by the ALB, which will always check if the requested route is protected and, if so, redirect to Cognito's sign-in in case there is no session. After the authentication is successful, the Load Balancer will redirect the request to the application with additional headers, which are:
x-amzn-oidc-data
x-amzn-oidc-accesstoken
Both are, in a manner of speaking, JWTs with user claims from the authentication. Normally the API Gateway endpoint protected by the Cognito authorizer requires a token ID, which is easily retrieved using the implicit flow in Cognito's authentication, but the ALB is using the authorization code flow, which only gives a session code. Both the data from x-amzn-oidc-data and the token ID look the same, but when I try to access the endpoint using the data from the ALB, I only get unauthorized.
The ideal flow goes like this:
I know I could avoid all this process by just implementing the Lambda function directly as an ALB trigger, but my project is only looking for automated deployments, and CloudFormation still does not support Lambda implementations for ELB.
TL;DR
The simple question is: how can I grant access in API Gateway using a token given by authorization from the ALB?
I've followed the tutorial here to create an API with HTTP Proxy Integration using AWS API Gateway.
Suppose my backend server supports the GET /foo, GET /bar, and GET /ooo/xxx APIs. Is it possible to modify the API Gateway so that only GET /foo and GET /bar are exposed, and no one can access GET /ooo/xxx through AWS API Gateway?
Yes, you can do it using the Resource Policy of your API. Go to Resource Policy and at the bottom there are example buttons to generate a policy to blacklist certain IP ranges. Click on that and add your source IPs and ARN where necessary.
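As an added illustration (not part of the answer above), the same Resource Policy mechanism can deny one method and path directly instead of listing IP ranges. The policy below allows every caller to invoke the API and then explicitly denies GET /ooo/xxx, the path from the question; REGION, ACCOUNT_ID, API_ID and STAGE are placeholders to replace with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:REGION:ACCOUNT_ID:API_ID/STAGE/*/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:REGION:ACCOUNT_ID:API_ID/STAGE/GET/ooo/xxx"
    }
  ]
}
```

The resource ARN for execute-api is api-id/stage/METHOD/path, and an explicit Deny wins over any Allow, so the blocked path returns 403 regardless of who calls. Two caveats a practitioner will want: a resource policy change only takes effect after the API is redeployed to the stage, and with a greedy proxy integration every path that is not named in a Deny statement stays reachable, so a deny list has to be kept in sync with the backend; defining only the /foo and /bar resources in the gateway instead of a proxy resource avoids that maintenance.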