
In AWS API Gateway, can I use a Usage Plan without attaching an API Key?

AWS documentation on API Gateway Usage Plans all imply that they're created with/attached to API Keys, but don't state how it will behave without one. I have an unauthorized API that I would like to apply throttling to. Can I create a Usage Plan, attach it to a resource, without associating an API Key to it? Will it work?

Context: I'm trying to use CloudFormation's Java SDK to define a stack, and I'm unable to figure out how to specify resource-specific throttles programmatically. I will also accept an answer that tells me how to do this without having to use the console.

jayjyli asked Oct 16 '19 22:10




2 Answers

Can I create a Usage Plan, attach it to a resource, without associating an API Key to it? Will it work?

No, but based on your use case I think you want server-side throttling rather than per-client throttling. The docs outline the distinction:

Amazon API Gateway provides two basic types of throttling-related settings:

  • Server-side throttling limits are applied across all clients. These limit settings exist to prevent your API—and your account—from being overwhelmed by too many requests.

  • Per-client throttling limits are applied to clients that use API keys associated with your usage policy as client identifier.

Set server-side method throttling in AWS console

You can set default rate and burst limits for all methods per stage. In the AWS console, this can be done by going to Stages > your_stage > Settings > Default Method Throttling.


Set server-side method throttling in a CloudFormation template

I'm unable to figure out how to specify resource-specific throttles programmatically.

See the CloudFormation template snippet below for creating a stage with method settings, from here:

Resources:
  Prod:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref TestDeployment
      DocumentationVersion: !Ref MyDocumentationVersion
      ClientCertificateId: !Ref ClientCertificate
      Variables:
        Stack: Prod
      MethodSettings:
        - ResourcePath: /
          HttpMethod: GET
          MetricsEnabled: 'true'
          DataTraceEnabled: 'false'
        - ResourcePath: /stack
          HttpMethod: POST
          MetricsEnabled: 'true'
          DataTraceEnabled: 'false'
          ThrottlingBurstLimit: '999'
        - ResourcePath: /stack
          HttpMethod: GET
          MetricsEnabled: 'true'
          DataTraceEnabled: 'false'
          ThrottlingBurstLimit: '555'
theodoreh answered Oct 21 '22 17:10
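An added check for the stage-level approach in the answer above (example code, not from either answerer or from AWS): it walks the MethodSettings of each AWS::ApiGateway::Stage and reports methods left without ThrottlingRateLimit or ThrottlingBurstLimit, treating an entry with ResourcePath `/*` and HttpMethod `*` as the stage-wide default. TEMPLATE is constructed sample data modelled on the snippet above, and the function names are hypothetical.

```python
# Added example: audit throttling in AWS::ApiGateway::Stage MethodSettings.
# TEMPLATE is constructed sample data (JSON form of a template like the one above).
TEMPLATE = {"Resources": {"Prod": {
    "Type": "AWS::ApiGateway::Stage",
    "Properties": {"StageName": "Prod", "MethodSettings": [
        {"ResourcePath": "/", "HttpMethod": "GET", "MetricsEnabled": "true"},
        {"ResourcePath": "/stack", "HttpMethod": "POST",
         "ThrottlingBurstLimit": "999"},
        {"ResourcePath": "/stack", "HttpMethod": "GET",
         "ThrottlingBurstLimit": "555"},
    ]},
}}}

LIMIT_KEYS = ("ThrottlingRateLimit", "ThrottlingBurstLimit")
STAGE_DEFAULT = ("/*", "*")  # CloudFormation's "all resources, all methods" entry


def effective_limits(settings, target):
    """Merge the stage default with the entry for `target` (path, method)."""
    merged = {}
    for want in (STAGE_DEFAULT, target):  # the specific entry wins over the default
        for s in settings:
            if (s.get("ResourcePath"), s.get("HttpMethod")) == want:
                merged.update({k: s[k] for k in LIMIT_KEYS if k in s})
    return merged


def audit(template):
    """Return {(logical_id, path, method): [missing limit keys]}."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::ApiGateway::Stage":
            continue
        settings = res.get("Properties", {}).get("MethodSettings", [])
        targets = {(s["ResourcePath"], s["HttpMethod"]) for s in settings
                   if "ResourcePath" in s and "HttpMethod" in s}
        targets.add(STAGE_DEFAULT)  # a stage with no default is itself a finding
        for target in sorted(targets):
            limits = effective_limits(settings, target)
            missing = [k for k in LIMIT_KEYS if k not in limits]
            if missing:
                findings[(logical_id, *target)] = missing
    return findings


if __name__ == "__main__":
    for (stage, path, method), missing in audit(TEMPLATE).items():
        print(f"{stage} {method} {path}: no {', '.join(missing)}")
```

A YAML template that uses short-form intrinsics such as `!Ref` needs a CloudFormation-aware loader before it can be passed to `audit`.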


Unfortunately, usage plans do not work without an API key. From the official documentation:

A usage plan specifies who can access one or more deployed API stages and methods—and also how much and how fast they can access them. The plan uses API keys to identify API clients and meters access to the associated API stages for each key. It also lets you configure throttling limits and quota limits that are enforced on individual client API keys.

Musa Çıbık answered Oct 21 '22 16:10