Amazon API Gateway is a managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs. With API Gateway we can build REST and HTTP APIs, as well as WebSocket APIs for real-time two-way communication. It fronts serverless workloads (Lambda), containerized workloads, and existing web applications alike.
Today, I am going to give a basic overview of API Gateway and its integration with a Lambda function, and then show how to restrict access to the API using a resource policy and an API key.
So, let's get started...
Creating a REST API that scales as needed, with complete control over the configuration, has never been easier. We will be creating an edge-optimized REST API that handles POST requests.
First things first, let's create an IAM role for the Lambda function to use:
- Go to the IAM console and click on Roles.
- Click on Create role and select Lambda as the trusted entity.
- In the filter policies search box, enter "AWSLambdaBasicExecutionRole", select it, and click Next. This managed policy only grants permission to write logs to CloudWatch Logs, which is all a function that talks to nothing else needs.
- Add tags if necessary, then click Next.
- Enter an appropriate name for the IAM role and click Create role.
After creating the role, let's create the Lambda function:
- Go to the Lambda console and click on Create function.
- Keep "Author from scratch" selected and enter an appropriate name for the function.
- Select a Python 3 runtime (this walkthrough assumes Python 3.6 or higher; pick a version AWS currently supports). Under "Change default execution role", choose the role you created above rather than letting the console create a new one.
- Click on Create function and wait a few seconds for the function to be created.
Now, let's create the API in API Gateway:
- Go to the API Gateway console and click on Create API.
- Click on Build next to "REST API".
- Enter an appropriate name for the REST API and choose "Edge optimized" as the endpoint type.
- Click on Create API.
- You will be redirected to the Resources tab under the root (/) of the API.
- Click on Actions, then Create Resource. Enter a resource name and click on Create Resource.
- Select the created resource, click on Actions, then Create Method.
- From the drop-down menu that appears, select POST and click on the tick symbol to create the POST method.
- For the method configuration, choose "Lambda Function" as the integration type and check the box next to "Use Lambda Proxy integration". With proxy integration, API Gateway passes the whole HTTP request (method, headers, query string, body, caller identity) to the function as a single event and expects the function to return the status code, headers and body itself.
- Select the region in which the Lambda function is deployed, enter the function's ARN in the text box, and click on Save.
- You will see a pop-up stating "You are about to give API Gateway permission to invoke your Lambda function". Click OK. This adds a resource-based policy statement to the Lambda function that allows the apigateway.amazonaws.com service principal to invoke it from this API, which is what connects the two.
- Deploy the API by clicking on Actions, then Deploy API. A small pop-up will ask you to select a stage for the deployment. As this is a fresh API, select "New Stage", enter a stage name and description, and click on Deploy.
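The walkthrough creates the function but never shows what a proxy-integration handler has to look like. The following is an added example (my own code, not from the original post): a handler for the POST method above that decodes the proxy event, validates the JSON body, and returns the `statusCode`/`headers`/`body` shape that API Gateway requires. The request field `name` and the 64 KiB body cap are assumptions for illustration; the event and response formats are the ones Lambda proxy integration actually uses.

```python
import base64
import json
import logging

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# Hypothetical limit: reject oversized payloads before parsing them.
MAX_BODY_BYTES = 64 * 1024


def _response(status, payload):
    """Build the response object Lambda proxy integration expects.
    Without statusCode and a string body, API Gateway returns a 502."""
    return {
        "statusCode": status,
        "headers": {
            "Content-Type": "application/json",
            "Cache-Control": "no-store",
        },
        "body": json.dumps(payload),
    }


def parse_body(event):
    """Decode the body of a proxy event, honouring isBase64Encoded,
    and return it as a dict. Raises ValueError on anything malformed."""
    raw = event.get("body")
    if raw is None:
        raise ValueError("missing request body")
    if event.get("isBase64Encoded"):
        # binascii.Error (bad base64) is a ValueError subclass.
        raw = base64.b64decode(raw).decode("utf-8")
    if len(raw.encode("utf-8")) > MAX_BODY_BYTES:
        raise ValueError("request body too large")
    data = json.loads(raw)  # json.JSONDecodeError is a ValueError subclass
    if not isinstance(data, dict):
        raise ValueError("JSON object expected")
    return data


def lambda_handler(event, context):
    """Entry point configured in the Lambda console (file.lambda_handler)."""
    # The method check is belt and braces: API Gateway only routes POST here.
    if event.get("httpMethod") != "POST":
        return _response(405, {"error": "method not allowed"})
    try:
        data = parse_body(event)
    except (ValueError, UnicodeDecodeError) as exc:
        return _response(400, {"error": str(exc)})

    name = data.get("name")
    if not isinstance(name, str) or not name.strip():
        return _response(422, {"error": "'name' must be a non-empty string"})

    # API Gateway adds the caller's identity to every proxy event; log it for audit.
    identity = event.get("requestContext", {}).get("identity", {})
    logger.info("POST from %s", identity.get("sourceIp"))
    return _response(200, {"message": f"hello, {name.strip()}"})
```

Everything the client sent arrives through `event`; nothing in the function is reachable except through this handler, so input validation and a sane error status for malformed bodies belong here rather than being left to an unhandled exception (which API Gateway surfaces as a 502).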
Now your API is deployed, but it is not restricted in any way: any client on the internet that learns the invoke URL can call it. We are going to lock it down in two ways:
a. Using a resource policy: click on the Resource Policy tab in the left navigation menu. Paste the resource policy in there and replace the "sourceIpOrCIDRBlock" placeholder with the IP CIDR range(s) that you want to allow.
After you update the resource policy with your CIDR, always remember to re-deploy the API from the Resources tab; resource policy changes do not take effect on a stage until the next deployment. Do not leave the placeholder as 0.0.0.0/0: that range matches every IPv4 address, so the policy would allow the whole internet again. Note also that IP allow-listing only helps for callers coming from fixed, known addresses (an office range, a NAT gateway); it is not a substitute for authenticating callers.
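As an added example (not from the original post), here is the IP allow-list pattern in code: a function that emits a resource policy of the shape described above, refuses the 0.0.0.0/0 mistake, and a small local evaluator that mimics how the `aws:SourceIp` conditions in that policy decide a request. The region, account id, API id and stage are constructed placeholders; the evaluator only models the `IpAddress`/`NotIpAddress` operators and explicit-deny-wins, not the full IAM policy language.

```python
import ipaddress
import json

# Constructed placeholder values; replace with your own region, account, API id and stage.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
API_ID = "a1b2c3d4e5"
STAGE = "prod"


def build_ip_allowlist_policy(cidrs, region=REGION, account_id=ACCOUNT_ID,
                              api_id=API_ID, stage=STAGE):
    """Return an API Gateway resource policy that allows execute-api:Invoke
    only from the given CIDR ranges. An Allow for everyone plus an explicit
    Deny for addresses outside the list is the allow-list idiom from the
    AWS resource policy examples; the Deny wins over any other Allow."""
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"{cidr} matches every address; that is not an allow-list")
    resource = f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}/*/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": resource,
            },
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": resource,
                "Condition": {"NotIpAddress": {"aws:SourceIp": list(cidrs)}},
            },
        ],
    }


def source_ip_allowed(policy, source_ip):
    """Local approximation of policy evaluation for a single source IP:
    statements whose conditions do not match are skipped, any matching
    explicit Deny rejects the request, otherwise a matching Allow is required."""
    ip = ipaddress.ip_address(source_ip)
    allowed = False
    for stmt in policy["Statement"]:
        matches = True
        for operator, args in stmt.get("Condition", {}).items():
            nets = [ipaddress.ip_network(c, strict=False) for c in args["aws:SourceIp"]]
            in_any = any(ip in n for n in nets)  # False across IPv4/IPv6 versions
            if operator == "IpAddress":
                matches = in_any
            elif operator == "NotIpAddress":
                matches = not in_any
            else:
                raise ValueError(f"unsupported condition operator {operator}")
        if not matches:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def policy_json(cidrs):
    """The text to paste into the Resource Policy tab."""
    return json.dumps(build_ip_allowlist_policy(cidrs), indent=2)


if __name__ == "__main__":
    print(policy_json(["203.0.113.0/24"]))
```

The evaluator is deliberately narrow, but it makes the 0.0.0.0/0 failure mode concrete: with that range in `NotIpAddress` the Deny never fires and every address is allowed, which is why `build_ip_allowlist_policy` rejects it outright.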
b. Using an API key: click on the API Keys tab in the left menu. Click on Actions, then Create API Key. Enter a name and keep the API key option set to auto-generate. Click on Save to create the key. To see the key value, click on Show next to API Key. Treat it like any other credential: keep it out of source control and rotate it if it leaks.
Return to the API you created; we have to create a usage plan to make use of the key. Click on the Usage Plans tab in the left menu after navigating back into your API and click on Create. Enter a plan name, the request rate in requests per second (for example 1000) and the burst limit (for example 500). Uncheck "Enable Quota" and click on Next. Click on Add API Stage and, from the drop-down menus, select the API and the stage you created while deploying. Click on the small tick next to the selected API and stage, then click on Next.
Click on Add API Key to Usage Plan, enter the name of the key in the text box and click on the tick next to the selected choice. Click on Done.
Now that the API key and the usage plan exist, return to the API: we need to require the key on the POST method we created. Under the resource you created earlier, click on the POST method, then on Method Request. Next to "API Key Required", click on the pencil icon, select true from the drop-down, and click on the tick. Re-deploy the API to the same stage you created earlier so the change takes effect. A request that omits the key, or sends one that is not attached to a usage plan for this stage, is rejected with 403 Forbidden before the Lambda function is ever invoked.
Under the Stages tab, expand the stage you created earlier and click on the POST method to view the invoke URL. You can test your API with Postman by adding the API key value in the x-api-key request header. Keep in mind that API keys identify a client for throttling and metering; AWS itself recommends not relying on them as the sole authentication or authorization mechanism, so pair them with the resource policy above or with an authorizer (IAM, Cognito, or Lambda) for anything beyond a demo.
Thanks for reading!