Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS Amplify set "API key required" to True for a path in an API Gateway REST API #3112

Closed
aranbit opened this issue Jan 11, 2025 · 7 comments
Closed

AWS Amplify set "API key required" to True for a path in an API Gateway REST API #3112

aranbit opened this issue Jan 11, 2025 · 7 comments
Labels
pending-maintainer-response Issue is pending a response from the Amplify team. question Further information is requested

Comments

@aranbit
Copy link

aranbit commented Jan 11, 2025

Amplify CLI Version

12.14.0

Question

I have an Amplify app that has an API Gateway REST API.
I created some that are used for users of the application with AWS_IAM authorization which works great, but I also created paths that I would like to give access to external users with an API Key and a Usage Plan.

I have configured everything from the console (the api key and the usage plan), but the issue I encountered is how do I set the "API key required" flag to true from the cli on specific paths, because when I do it manually and then make some other changes to the api using the Amplify CLI, when deployed it overrides the manual change...

How can I set that the "API key required" flag to True for specific paths in my REST API using the Amplify CLI or in a way that it won't be overriden?
@aranbit aranbit added pending-triage question Further information is requested labels Jan 11, 2025
@AnilMaktala AnilMaktala self-assigned this Jan 14, 2025
@AnilMaktala
Copy link
Member

AnilMaktala commented Jan 14, 2025
edited
Loading

Hey @aranbit, Thank you for bringing this up. Unfortunately, API key authentication for REST APIs is not supported. You can refer to this section of the documentation for the supported authentication methods. Additionally, a similar issue was raised previously—please check this ticket for more details. aws-amplify/amplify-cli#13454

@AnilMaktala AnilMaktala added pending-community-response Issue is pending a response from the author or community. and removed pending-triage labels Jan 14, 2025
@aranbit
Copy link
Author

aranbit commented Jan 14, 2025
edited
Loading

I see the similar ticket that the implementation looks to provide the functionality I need but it is in javascript, I'm using Flutter with Amplify Gen 1, so no CDK, how can I achieve this behavior to set the "API Required Flag" to "True" for the specifc functions, same as shown in the other ticket?

Below is the relevent implementation that I'm looking to do just with Flutter and AWS Amplify Gen 1:
**Also in my case its only to override adding API Key authorization to functions without AWS_IAM autorization (so not both)

// following defines the api expects the request to have a header with api key
resources.restApi.apiKeySourceType = "HEADER";
// the following defines a security schema/definition for the api to allow api key and iam path
  resources.restApi.body.securityDefinitions = {
    ...resources.restApi.body.securityDefinitions,
    "use-api-key-in-header": {
      type: "apiKey",
      name: "x-api-key",
      in: "header",
      "x-amazon-apigateway-api-key-source": "HEADER",
    },
    AWS_IAM: {
      type: "apiKey",
      name: "authorization",
      in: "header",
      "x-amazon-apigateway-authtype": "awsSigv4",
    },
  };
// following are rules we can use to define on a api paths
  const apikeySecurityRules = [{ "use-api-key-in-header": [] }];
  const iamSecurityRules = [{ AWS_IAM: [] }];

// example on adding the api key rule to the `/items` path with `options` type method 
resources.restApi.body.paths["/items"].options.security = apikeySecurityRules;

// example on adding the api key rule to the `/items` path with `any` type method 
resources.restApi.body.paths["/items"]["x-amazon-apigateway-any-method"].security = apikeySecurityRules;

// similarly we can also add a iam auth rule to a different path
resources.restApi.body.paths["/abc"].options.security = iamSecurityRules;

@github-actions github-actions bot added pending-maintainer-response Issue is pending a response from the Amplify team. and removed pending-community-response Issue is pending a response from the author or community. labels Jan 14, 2025
@AnilMaktala
Copy link
Member

Hi @aranbit, Thank you for your response. you can try implementing the above solution by overriding the REST API using the CLI. You can refer to this section of the documentation for detailed guidance:

Overriding the API Gateway.

Let me know if this resolves your issue!

@AnilMaktala AnilMaktala added pending-community-response Issue is pending a response from the author or community. and removed pending-maintainer-response Issue is pending a response from the Amplify team. labels Jan 16, 2025
@aranbit
Copy link
Author

aranbit commented Jan 19, 2025

H,
I successfuly managed to achieve this using the override 😊

I did have one thing that I don't yet understand how to do that I could use your help:

Using AWS Amplify there is a {+proxy} path that is created with every API Gateway path, so I didn't understand how to to set the api key required for that path.

Image

The following is my code to set API key authorization for specific functions (what I'm missing is for their {+proxy} path:

// This file is used to override the REST API resources configuration
import {
  AmplifyApiRestResourceStackTemplate,
  AmplifyProjectInfo,
} from "@aws-amplify/cli-extensibility-helper";

export function override(
  resources: AmplifyApiRestResourceStackTemplate,
  amplifyProjectInfo: AmplifyProjectInfo
) {
  // following defines the api expects the request to have a header with api key
  resources.restApi.apiKeySourceType = "HEADER";
  // the following defines a security schema/definition for the api to allow api key and iam path
  resources.restApi.body.securityDefinitions = {
    ...resources.restApi.body.securityDefinitions,
    "use-api-key-in-header": {
      type: "apiKey",
      name: "x-api-key",
      in: "header",
      "x-amazon-apigateway-api-key-source": "HEADER",
    },
  };
  // following are rules we can use to define on a api paths
  const apikeySecurityRules = [{ "use-api-key-in-header": [] }];

  // adding the api key rule to the `/items` path with `options` type method
  resources.restApi.body.paths["/items"].options.security =
    apikeySecurityRules;

  // adding the api key rule to the `/items2` path with `options` type method
  resources.restApi.body.paths[
    "/items2"
  ].options.security = apikeySecurityRules;

  // adding the api key rule to the `/items` path with `any` type method
  resources.restApi.body.paths["/items"][
    "x-amazon-apigateway-any-method"
  ].security = apikeySecurityRules;

  // adding the api key rule to the `/items2` path with `any` type method
  resources.restApi.body.paths["/items2"][
    "x-amazon-apigateway-any-method"
  ].security = apikeySecurityRules;
}

@github-actions github-actions bot added pending-maintainer-response Issue is pending a response from the Amplify team. and removed pending-community-response Issue is pending a response from the author or community. labels Jan 19, 2025
@AnilMaktala
Copy link
Member

Hey @aranbit, Can you try adding the code snippet below to see if it resolves your issue?

  resources.restApi.body.paths["/{proxy+}"] = {
    options: {
      security: apikeySecurityRules
    },
    "x-amazon-apigateway-any-method": {
      security: apikeySecurityRules,
      parameters: [
        {
          name: "proxy",
          in: "path",
          required: true,
          type: "string"
        }
      ],
      "x-amazon-apigateway-integration": {
        uri: "${lambdaArn}",
        passthroughBehavior: "when_no_match",
        httpMethod: "POST",
        type: "aws_proxy"
      }
    }
  };

@AnilMaktala AnilMaktala added pending-community-response Issue is pending a response from the author or community. and removed pending-maintainer-response Issue is pending a response from the Amplify team. labels Jan 22, 2025
@aranbit
Copy link
Author

aranbit commented Jan 23, 2025

I have managed to successfully achieve it!
Thank you for your help !

Slightly simplified the code:

// adding the api key rule to the `/items/{proxy+}` path with `any` type method
  resources.restApi.body.paths["/items/{proxy+}"][
    "x-amazon-apigateway-any-method"
  ].security = apikeySecurityRules;

  // adding the api key rule to the `/items/{proxy+}` path with `options` type method
  resources.restApi.body.paths[
    "/items/{proxy+}"
  ].options.security = apikeySecurityRules;

@aranbit aranbit closed this as completed Jan 23, 2025
@github-actions github-actions bot added pending-maintainer-response Issue is pending a response from the Amplify team. and removed pending-community-response Issue is pending a response from the author or community. labels Jan 23, 2025
@github-actions GitHub Actions
Copy link

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.

@AnilMaktala AnilMaktala removed their assignment Jan 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
pending-maintainer-response Issue is pending a response from the Amplify team. question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@AnilMaktala @aranbit