
API Gateway & Lambda – how to use API_KEY | security


Hi, today I want to show you how to connect a Lambda function to API Gateway and how easily it can be secured by adding an API key.

[Image: API Gateway – API key – lambda]

In this article and video tutorial I will also show you two ways to create an API Gateway: first a longer and slightly more difficult way, and then a simple and fast one.


Lambda

I will create a simple Lambda function in Python 3.9 from scratch. My function will just generate random numbers.

import json
from random import randrange


def lambda_handler(event, context):
    # Pick a random integer from 0 to 9.
    number = randrange(10)

    # Status code and JSON-encoded body returned to the caller.
    return {
        'statusCode': 200,
        'body': json.dumps('Hello from Lambda! Random number: %s' % number)
    }

Once you have created the Lambda function, deploy it and check that it works correctly.

1) API Gateway – method 1

Okay, now I will create API Gateway in a longer way, but I will go through the configuration step by step.

Creating an API Gateway

Find API Gateway in the console, select REST API, add a name, etc.

[Image: API Gateway – REST API]

Create a new method, in my case GET. Select the appropriate integration type. You can also select Lambda proxy integration, thanks to which the appropriate permissions to run the Lambda function from API Gateway will be added automatically. Finally, select the appropriate region and your Lambda function. Once done, confirm your choice and move on.

[Image: API Gateway – create GET method]

Now you can test the connection between API Gateway and the Lambda function. If everything works fine, go to the next step.

[Image: test connection from API Gateway to Lambda function]

Every time you change something in the API Gateway configuration, you have to apply these changes to the appropriate stage, which means you have to run Deploy API.

[Image: API Gateway – Deploy API]

Go to Stages and check that the URL is working properly. With this URL you should be able to invoke the Lambda function and get a response.

[Image: API Gateway – stages]

You can also use a command on the command line, for example:

curl -X GET https://zwl2owqucc.execute-api.eu-west-2.amazonaws.com/prod

Adding an API key to the API Gateway

Now add security by adding an API key to API Gateway. First, change the API Key Required setting from false to true. Once you've done that, run Deploy API as before.

[Image: API Gateway – API Key Required]

Add a new usage plan. Give it a name; you can also limit the number of requests to API Gateway like I did, but it's not necessary.

[Image: API usage plans]

Now select your API Gateway and the appropriate stage.

[Image: API – associated API stages]

After that you can select an existing API key or create a new one. Once you have the key added, you can click Done.

In Usage Plans you should now see the new plan, with the appropriate stage of your API Gateway and the API key added to it. You can also find your API key in the Keys tab. You can copy its value and save it somewhere in a notepad, as it will come in handy soon.

[Image: AWS – API keys]

Checking if everything works

You can check your API Gateway URL again. This time you won't be able to access it unless you provide the correct key. All you have to do is add --header with the appropriate API key value to the command, as in the example below, and you will be able to invoke your Lambda function.

curl -X GET --header "x-api-key: ADD_API_KEY_HERE" https://zwl2owqucc.execute-api.eu-west-2.amazonaws.com/prod

I only defined the GET method in this example, so that is the only method I can use. If you did everything correctly, you should have no problems running the Lambda function through API Gateway.
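The settings from this section can also be checked programmatically. The following is an added example, not part of the original article: it audits data shaped like the responses of boto3's `get_resources(embed=["methods"])`, `get_usage_plans()` and `get_usage_plan_keys()`. The function name, the ids and the sample data are constructed for illustration.

```python
# Added example: audit the API-key setup described in this section.
# Input dicts follow the shape of boto3 apigateway responses; the sample
# data at the bottom is constructed and does not come from a real account.

def audit_api_key_setup(api_id, stage, resources, usage_plans, api_keys_by_plan):
    """Return a list of findings; an empty list means the key setup is complete."""
    findings = []

    # 1. Every method must have "API Key Required" set to true.
    for res in resources.get("items", []):
        for verb, method in res.get("resourceMethods", {}).items():
            if not method.get("apiKeyRequired", False):
                findings.append(f"{verb} {res['path']}: apiKeyRequired is false")

    # 2. The stage must be associated with at least one usage plan.
    plans = [
        p for p in usage_plans.get("items", [])
        if any(s.get("apiId") == api_id and s.get("stage") == stage
               for s in p.get("apiStages", []))
    ]
    if not plans:
        findings.append(f"stage '{stage}' is not associated with any usage plan")

    for plan in plans:
        # 3. A plan without a key means no caller can present a valid key.
        if not api_keys_by_plan.get(plan["id"]):
            findings.append(f"usage plan '{plan['name']}' has no API key")
        # 4. Request limits are optional in the tutorial; report when absent.
        if "throttle" not in plan:
            findings.append(f"usage plan '{plan['name']}' has no throttle limits")
    return findings


# Constructed sample data (placeholder ids).
SAMPLE_RESOURCES = {"items": [
    {"id": "res1", "path": "/", "resourceMethods": {
        "GET": {"httpMethod": "GET", "authorizationType": "NONE", "apiKeyRequired": True}}},
    {"id": "res2", "path": "/debug", "resourceMethods": {
        "GET": {"httpMethod": "GET", "authorizationType": "NONE", "apiKeyRequired": False}}},
]}
SAMPLE_PLANS = {"items": [
    {"id": "plan1", "name": "basic", "apiStages": [{"apiId": "EXAMPLEAPI", "stage": "prod"}]},
]}
SAMPLE_KEYS = {"plan1": ["key1"]}  # usage plan id -> key ids

if __name__ == "__main__":
    for line in audit_api_key_setup("EXAMPLEAPI", "prod", SAMPLE_RESOURCES, SAMPLE_PLANS, SAMPLE_KEYS):
        print("FINDING:", line)
```

`get_resources` reflects the saved configuration, so after fixing a finding the change still has to go through Deploy API before the stage enforces it.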

2) API Gateway – method 2

Now a faster way to create an API Gateway. Go back to the lambda function you created at the very beginning. Just add a new trigger. Find API Gateway in the list.

[Image: add trigger to Lambda]

Create a new REST API, select API key as security.

[Image: REST API with security API key]

Now everything will be created automatically. Without leaving the lambda function, you can read the URL of the new API Gateway and even the value of the API key.

[Image: API Gateway from Lambda]

Checking if everything works

You can use the same command as before to validate the new API Gateway. Just remember to use the new URL and new API key.

curl -X GET --header "x-api-key: ADD_API_KEY_HERE" https://zwl2owqucc.execute-api.eu-west-2.amazonaws.com/prod

After you have checked that it works correctly, you can go to the API Gateway configuration page and adjust the configuration to your needs.

If you created the gateway in two ways, you can compare their configuration. As you can see, they are a bit different.

Summary

There are more ways to create an API Gateway. I love creating infrastructure as code using Terraform. However, the best way to start learning the cloud is to create resources using the portal. Once you understand how something works, you can go a step further.

You can add more elements to the API Gateway, such as a custom domain. This will allow you to access Lambda functions, microservices, etc. with a personalized URL.

You can also add a WAF in front of the gateway and only allow traffic from specific countries, or limit queries to specific IP addresses.

[Image: AWS custom domain – WAF – API Gateway – API key – Lambda – Microservices]

The possibilities are huge, start with something simple and then expand your project. If you liked my article, check out other articles in the AWS category.
