 

How to authenticate users for AWS API Gateway?

I am creating a serverless REST API using AWS API Gateway and AWS Lambda. While the endpoints have been created and linked with the corresponding Lambda functions, the next step is to add an authentication layer to authenticate users via email and password. From what I could understand from the documentation, API Gateway methods can support either API Key based access or IAM based access. But I could not understand how to securely implement the authentication using API keys.

Will I have to create a server for doing the authentication and managing the users? Is there any way this can be a complete serverless end-to-end application? Any resources pointing in the right direction will be highly appreciated. I am looking at this document at the moment.

Mandeep Singh asked Mar 01 '16 11:03



2 Answers

A recent announcement was API Gateway Custom Authorizers: http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html

"you can control access to your APIs using bearer token authentication strategies, such as OAuth or SAML. To do so, you provide and configure a custom authorizer, a Lambda function you own, for API Gateway to use to authorize the client requests for the configured APIs"

Another good resource which I think was written before the Custom Authorizer release: https://auth0.com/docs/integrations/aws-api-gateway/part-2

Ryan answered Sep 20 '22 05:09
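To make the custom authorizer idea concrete, here is an added example (not code from the answer above, from AWS, or from Auth0) of a TOKEN-type Lambda authorizer in Python. It takes the event shape API Gateway sends to such a function (`authorizationToken`, `methodArn`), verifies a bearer JWT, and returns the IAM policy document API Gateway expects. Assumptions: the token is an HS256 JWT signed with a shared secret held in the placeholder `SECRET`; verification is done with the standard library so it runs offline; `mint_test_token` exists only to build a constructed sample token; and the extra `now` parameter on `lambda_handler` is a testing hook, not part of the Lambda handler signature.

```python
import base64
import hashlib
import hmac
import json
import time

# Shared HS256 secret. Constructed placeholder: a real deployment would load it
# from an environment variable or a secrets store, never from source code.
SECRET = b"replace-me-with-a-real-secret"


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_hs256_jwt(token, secret, now=None):
    """Verify signature and expiry of an HS256 JWT; return its claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side: the token must never choose it ("alg": "none" etc.).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise ValueError("expired")
    return claims


def make_policy(principal_id, effect, method_arn, context=None):
    """Build the response document a TOKEN authorizer returns to API Gateway."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
        # Values here reach the backend as $context.authorizer.<key>.
        "context": context or {},
    }


def lambda_handler(event, context=None, now=None):
    """Entry point for a TOKEN-type custom authorizer ("now" is a test hook only)."""
    auth = event.get("authorizationToken", "")
    if not auth.startswith("Bearer "):
        # Raising with exactly this message makes API Gateway answer 401 instead of 403.
        raise Exception("Unauthorized")
    try:
        claims = verify_hs256_jwt(auth[len("Bearer "):], SECRET, now)
    except ValueError:
        raise Exception("Unauthorized")
    # Token is valid: allow this method and forward selected claims to the backend.
    return make_policy(claims["sub"], "Allow", event["methodArn"],
                       {"email": claims.get("email", "")})


def mint_test_token(claims, secret):
    """Constructed helper for local testing only: sign claims as an HS256 JWT."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, (header + "." + payload).encode(), hashlib.sha256).digest()
    return header + "." + payload + "." + b64url_encode(sig)


if __name__ == "__main__":
    # Constructed sample event in the shape API Gateway sends to a TOKEN authorizer.
    token = mint_test_token(
        {"sub": "user-123", "email": "user@example.com", "exp": int(time.time()) + 300}, SECRET)
    event = {
        "type": "TOKEN",
        "authorizationToken": "Bearer " + token,
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef123/prod/GET/orders",
    }
    print(json.dumps(lambda_handler(event), indent=2))
```

The handler returns an Allow policy for the single `methodArn` in the event; API Gateway caches that policy per token for the configured TTL, so a Deny or 401 only takes effect once the cache entry expires. The algorithm pin and the constant-time signature comparison are the two checks most often missing from hand-rolled verifiers.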


AWS API Gateway can be authenticated using API Keys as well. Follow the steps below:

  1. Set "API Key Required" on the resource method in API Gateway.
  2. Create a Usage Plan and add the associated API stages.
  3. Create an API key and associate it with the Usage Plan.

Then, when the API Gateway is called, the API key needs to be passed as a header.

import java.util.Arrays;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
// Spring HttpHeaders; apiKey holds the key created in step 3
HttpHeaders headers = new HttpHeaders();
headers.setAccept(Arrays.asList(new MediaType[]{MediaType.APPLICATION_JSON}));
headers.setContentType(MediaType.APPLICATION_JSON);
headers.set("x-api-key", apiKey); // API Gateway reads the key from this header
dassum answered Sep 19 '22 05:09