Creating API Keys and Usage Plans
Lab Steps
Introduction
The API resources are still open, meaning that no authorization is required. Usually you will need to secure your API and, eventually, have a granular way to restrict access to it.
In this lab step, you will set up the most basic authorization method: API Keys managed by AWS. Please note that API Keys are intended to identify and track API consumers and to define custom throttling and rate limiting; they are not a substitute for authenticating end users.
In the API Gateway Console, you can create or import API Keys and associate them with your API Gateway stages. AWS also offers the concept of usage plans, which allow you to manage throttling and quotas in a more granular way. Technically, each API Key must be bound to one or more Usage Plans, which can be bound to one or more API stages. This way, you can control and monitor each API Key's usage and cluster similar keys together based on your own needs.
Instructions
1. In the API Gateway Console, under ItemsAPI, select Usage Plans in the left navigation panel and click Create:
2. In the Create Usage Plan form set the following values before clicking Next:
- Name: CloudAcademyPlan
- Description: Cloud Academy Lab Plan
- Enable throttling: Unchecked
- Enable quota: Unchecked
You will enable throttling and a quota in a later lab step.
3. In the Associated API Stages form, click Add API Stage and set the following values before clicking the checkmark icon:
- API: ItemsAPI
- Stage: dev
4. Click Add API Stage again and associate the plan to the ItemsAPI prod stage as well.
In most situations, you would create a different plan for each stage so that you can also have independent API Keys. Within the scope of this Lab, you can simply bind both stages to the same usage plan.
5. Click Next and Done to finish creating the usage plan.
You will create an API key and add it to the usage plan in the following instructions.
6. Select the API Keys tab and click Create API Key and add to Usage Plan:
7. In the API Key form, enter the following values before clicking Save:
- Name: LabKey
- API key: Auto Generate
- Description: Cloud Academy Lab Key
Once the API Key is created, it is bound to the two API Gateway stages in the usage plan.
8. In the list, click LabKey, and click Show next to API Key in the upper section of the panel to reveal the API Key (40-char alphanumeric string):
Make a note of the API Key. You will use this API Key as a custom HTTP header later on. But first, you need to update the API Gateway to require API Keys.
9. For both the /items and /items/{ID} resource GET methods, click Method Request in the diagram and set API Key Required to true:
10. Re-deploy the API to both stages (Actions > Deploy API).
You won't be able to simply GET the resources in your browser anymore. Because the endpoint is no longer open, a request without a valid key receives a 403 response with the body {"message": "Forbidden"}.
11. (Optional) If you have a system with the curl command available (it ships with macOS and most Linux distributions), you can send an authenticated request using the following command:
curl -H "x-api-key: YOUR_API_KEY" YOUR_API_HOST/prod/items/
If everything worked fine, you should see the JSON output as follows:
Note: If you don't have the curl command available, you can use a web-based curl site to test the command. Search the web for "web based curl" to find one.
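The check a practitioner wants after step 10 is that the deployed stage actually rejects a keyless request and accepts the key. The script below is an added example, not part of the original lab or of the AWS SDK: get_items sends the same request as the curl command above, and verify_key_enforced confirms the 403 Forbidden / 200 pair. A small localhost mock stage and a placeholder key are constructed here so it runs offline; against the real API, point it at YOUR_API_HOST/prod with the LabKey value you noted.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

FORBIDDEN = {"message": "Forbidden"}  # body API Gateway returns when the key is missing/invalid


def get_items(base_url, api_key=None):
    """GET {base_url}/items, sending x-api-key if given; return (status, JSON body)."""
    req = urllib.request.Request(f"{base_url}/items")
    if api_key is not None:
        req.add_header("x-api-key", api_key)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a JSON body
        return err.code, json.loads(err.read() or b"null")


def verify_key_enforced(base_url, api_key):
    """True only if a keyless GET gets 403 Forbidden and the given key gets 200."""
    no_key_status, no_key_body = get_items(base_url)
    keyed_status, _ = get_items(base_url, api_key)
    return no_key_status == 403 and no_key_body == FORBIDDEN and keyed_status == 200


# Constructed stand-in for the deployed stage so the check can run offline.
VALID_KEY = "constructedPlaceholderKey0000000000000000"  # placeholder, not a real key


class _MockStage(BaseHTTPRequestHandler):
    def do_GET(self):
        ok = self.headers.get("x-api-key") == VALID_KEY
        body = [{"ID": "1", "name": "item"}] if ok else FORBIDDEN
        self.send_response(200 if ok else 403)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())

    def log_message(self, *args):  # silence per-request logging
        pass


def start_mock_stage():
    """Start the mock on an ephemeral localhost port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), _MockStage)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"
```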
You can create up to 500 API Keys and 300 Usage Plans per account. This means you can't associate a unique API Key with each user of your application. API Keys are more suitable for server-to-server scenarios or third-party customers. Alternatively, you can secure API Gateway with your own custom IAM roles or with custom Lambda Authorizers.
The limits for the Amazon API Gateway service are published by AWS in the Developer Guide. Many of the limits can be increased by contacting AWS support.
Summary
In this lab step, you created a usage plan and associated it with your API stages. You then created an API key associated with the usage plan and configured the API to require API keys.
Check that the Usage Plan has been created.
Check that the key has been created.