Using an API key in URL on Amazon API Gateway using an Authorizer


I created an AWS Gateway API using proxy integration, deployed on a stage using API Keys. I understand the API key needs to be passed via the header. I tested the request to my API by passing one of my test keys in the header and this works fine (requests go through if the API key is correct, otherwise they fail as expected/wanted).

I wanted to test supporting passing the API key in the API URL string and, according to the AWS docs, this is supported via a custom authorizer.

I created a lambda authorizer function:

```javascript
// Lambda authorizer: always allows, and hands the query string value to
// API Gateway as the API key for the usage plan check.
export const handler = (event, context, callback) => {
  callback(null, {
    principalId: "x-api-key",
    // Key that API Gateway validates against the usage plan
    usageIdentifierKey: event.queryStringParameters["x-api-key"],
    policyDocument: {
      Version: "2012-10-17",
      Statement: [{
        Action: "execute-api:Invoke",
        Effect: "Allow",
        Resource: "arn:aws:execute-api:us-east-1:xxxxxx:yyyyy/*/*/*/*"
      }]
    }
  });
};
```

I went back to the AWS Gateway API and enabled an authorizer that will execute the above lambda, and for the identity source I chose "Query String" with "x-api-key" being the parameter, as the lambda authorizer is expecting.


When I try my API through curl:

```
curl -v https://xxxxxx.execute-api.us-east-1.amazonaws.com/test/yyy/zzz/A/B/C.mvt?x-api-key="Cmk20gz3rd8Mt9PSnA6gXXXXXXXXYYYYYZZZZ"
```

I get a {"message":"Forbidden"}.

I looked at CloudWatch to try to debug this. I see that the authorizer lambda was executed:

```
Using valid authorizer policy for principal: *****-key... Successfully completed authorizer execution ...
```

But when hitting the API keys plan verification:

```
Verifying Usage Plan for request: zzzzzzzzzzzz. API Key: API Stage: fyhxxxx/test
```

Notice in the message above that the text after "API Key:" is blank.

This fails with the error that there was no API Key:

```
API Key not authorized because method 'GET /BBBB/{proxy+}' requires API Key and API Key is not associated with a Usage Plan for API Stage xxxx/test: API Key was required but not present
```

It appears that somehow the API Key is not propagated to the AWS Gateway API to validate against the plan.

I must be missing something.

Here is the API Resource setup I have, in case this helps shed light on this.

Thanks for any pointers on how to resolve this.

Answer by sigpwned:

I hit the same issue, and was able to fix it.

Here's what happened, and the actions leading up to it:

  1. I had a working API Gateway implementation using a Lambda authorizer.
  2. I did a merge import of a "patch" OpenAPI spec.
  3. After configuring everything and testing it in a test stage, I deployed my production stage.
  4. All requests failed with the above error message.

Here's how I was able to fix it:

  1. In the API Gateway, go to your API, then API Settings
  2. The "API Key Source" was set to "Header"
  3. Set the "API Key Source" to "Authorizer"

I suspect that importing the OpenAPI spec caused that setting to change from "Authorizer" to "Header." Once I changed the value back, everything started working as expected.
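
For reference, a defensive variant of the question's authorizer, as an added example that is not the asker's or the answerer's code. It assumes a REQUEST-type Lambda authorizer; `buildAuthResponse`, `stageWildcard` and the sample event are names and values made up for illustration, and the returned `usageIdentifierKey` only reaches the usage plan check when "API Key Source" is set to "Authorizer" as described in the answer.

```javascript
const KEY_PARAM = "x-api-key"; // query string parameter name used in the question

// Constructed sample event (not captured from a real API); account and API ids are placeholders.
const SAMPLE_EVENT = {
  methodArn: "arn:aws:execute-api:us-east-1:123456789012:abcdef1234/test/GET/yyy/zzz",
  queryStringParameters: { "x-api-key": "constructed-test-key" },
};

// Scope the policy to every method of the invoked API stage instead of a
// hand-written ARN, so a cached policy still matches other routes.
function stageWildcard(methodArn) {
  const [apiArn, stage] = methodArn.split("/");
  return `${apiArn}/${stage}/*/*`;
}

function policy(effect, resource) {
  return {
    Version: "2012-10-17",
    Statement: [{ Action: "execute-api:Invoke", Effect: effect, Resource: resource }],
  };
}

// Build the authorizer response from the incoming event.
function buildAuthResponse(event) {
  // Guard against a null or missing queryStringParameters object, which
  // would otherwise throw and surface as an authorizer failure.
  const params = event.queryStringParameters || {};
  const apiKey = params[KEY_PARAM];
  const resource = stageWildcard(event.methodArn);

  if (typeof apiKey !== "string" || apiKey.length === 0) {
    // No key supplied: deny explicitly and return no usageIdentifierKey.
    return { principalId: "anonymous", policyDocument: policy("Deny", resource) };
  }
  return {
    principalId: "x-api-key",
    usageIdentifierKey: apiKey, // value API Gateway checks against the usage plan
    policyDocument: policy("Allow", resource),
  };
}

// Lambda entry point; export it in the module style your runtime uses.
const handler = async (event) => buildAuthResponse(event);
```

The "Allow" here only means the request may proceed to the usage plan check; whether the key is valid is still decided by API Gateway against the usage plan.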