
How can I set API Key Security Globally on API Gateway using Swagger

I'm trying to import an openapi/swagger file into api gateway, but I'm not able to get the security set as expected. I want to have an api key required for all paths.

Setting API key required in the console after import works, but this solution is undesirable. What also works is setting the security field in each path individually, but I'm looking for a global solution.

When I'm trying to import the file I get the following warning:

Your API was not imported due to errors in the Swagger file.

    Method 'GET' on resource '/' specified security,
    but no custom authorizers were created and the extension
    x-amazon-apigateway-auth was not set.
    This method will be not be secured. 

By the looks of this, I either need a lambda as a custom authorizer just for the api key (I'm not familiar with authorizers but this doesn't seem to make sense if I don't need one when setting api key required in the console); or I need to do something with this mysterious x-amazon-apigateway-auth which I can't find docs for (all the other openapi extensions amazon have documented here).

A minimal example is below:

    openapi: 3.0.1
    info:
      title: test
      version: 0
    servers:
    - url: "/"
    security:
      - ApiKey: []
    paths:
      "/":
        get:
          # if I copy the security part into here things work
          responses:
            '204':
              description: no content
          x-amazon-apigateway-integration:
            httpMethod: GET
            type: http
            uri: https://httpstat.us/204
    components:
      securitySchemes:
        ApiKey:
          type: apiKey
          name: x-api-key
          in: header
    x-amazon-apigateway-api-key-source: HEADER

Since API key security is set at the root level, this suggests to me that all paths should use an API key (unless overwritten by individual paths). What actually occurs is the above warning and no API key required when imported.

Jonathan Cowling asked Oct 16 '22 05:10


1 Answer

At the time of me writing this answer, according to their documentation, AWS API gateway does not support setting security at the root level.

API Gateway doesn't use root level security defined in the OpenAPI specification. Hence security needs to be defined at an operation level to be appropriately applied.

pawelb answered Oct 19 '22 00:10
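Because root-level `security` is ignored on import, one option is a pre-import step that copies it into every operation and reports any operation that would still be unsecured. The following is an added example, not code from the question, the answer or AWS; it assumes the OpenAPI document has already been parsed into a dict, and the `/health` path in the sample is hypothetical.

```python
import copy

# Operation keys of an OpenAPI 3 path item; other keys (parameters, summary, ...) are skipped.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def operations(spec):
    """Yield (path, method, operation) for every operation in the document."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS and isinstance(op, dict):
                yield path, method, op

def unsecured_operations(spec):
    """Operations that would be imported without any security requirement.

    Root-level security is deliberately not consulted, since API Gateway ignores it.
    An explicit empty list (security: []) also counts as unsecured.
    """
    return [(p, m.upper()) for p, m, op in operations(spec) if not op.get("security")]

def push_down_security(spec):
    """Return a copy in which each operation lacking a `security` key inherits the root one.

    An operation that already has `security` (even []) is left alone, matching
    OpenAPI's rule that operation-level security overrides the root.
    """
    out = copy.deepcopy(spec)
    root = out.get("security")
    if root:
        for _, _, op in operations(out):
            op.setdefault("security", copy.deepcopy(root))
    return out

# Constructed sample: the question's document as a dict, plus a hypothetical
# /health path that opts out of security on purpose.
SPEC = {
    "openapi": "3.0.1",
    "security": [{"ApiKey": []}],
    "paths": {
        "/": {"get": {"responses": {"204": {"description": "no content"}}}},
        "/health": {"get": {"security": [], "responses": {"204": {"description": "no content"}}}},
    },
    "components": {"securitySchemes": {"ApiKey": {"type": "apiKey", "name": "x-api-key", "in": "header"}}},
}

if __name__ == "__main__":
    print("before:", unsecured_operations(SPEC))
    print("after: ", unsecured_operations(push_down_security(SPEC)))
```

Running the `unsecured_operations` check in CI on the file that is actually imported catches a newly added path that was left without a `security` entry.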