Creating API Keys and Usage Plans

Introduction

The API resources are still open, meaning that no authorization is required. Usually, you will need to secure your API and, eventually, have a granular way to restrict access to it.

In this lab step, you will see the most basic authorization method, API Keys managed by AWS. Please note that API Keys are intended to track API consumers and to define custom throttling and rate limiting.

In the API Gateway Console, you can create or import API Keys and associate them with your API Gateway stages. AWS also offers the concept of usage plans, which allow you to manage throttling and quotas in a more granular way. Technically, each API Key must be bound to one or more Usage Plans, which can be bound to one or more API stages. This way, you can control and monitor each API Key's usage and cluster similar keys together based on your own needs.


Instructions

1. In the API Gateway Console, under ItemsAPI, select Usage Plans in the left navigation panel and click Create:


2. In the Create Usage Plan form set the following values before clicking Next:

  • Name: CloudAcademyPlan
  • Description: Cloud Academy Lab Plan
  • Enable throttling: Unchecked
  • Enable quota: Unchecked


You will enable throttling and a quota in a later lab step.


3. In the Associated API Stages form, click Add API Stage and set the following values before clicking the checkmark icon:

  • API: ItemsAPI
  • Stage: dev


4. Click Add API Stage again and associate the plan to the ItemsAPI prod stage as well.

In most situations, you would create a different plan for each stage so that each stage also has its own independent API Keys. Within the scope of this lab, you can simply bind both stages to the same usage plan.


5. Click Next and Done to finish creating the usage plan.

You will create an API key and add it to the usage plan in the following instructions.


6. Select the API Keys tab and click Create API Key and add to Usage Plan:


7. In the API Key form, enter the following values before clicking Save:

  • Name: LabKey
  • API key: Auto Generate
  • Description: Cloud Academy Lab Key


Once the API Key is created, it is bound to the two API Gateway stages in the usage plan.


8. In the list, click LabKey, and click Show next to API Key in the upper section of the panel to reveal the API Key (40-char alphanumeric string):


Make a note of the API Key. You will use this API Key as a custom HTTP header later on. But first, you need to update the API Gateway to require API Keys.


9. For both the /items and /items/{ID} resource GET methods, click Method Request in the diagram and set API Key Required to true:


10. Re-deploy the API to both stages (Actions > Deploy API).

You can no longer simply GET the resources in your browser: because the endpoint is not open anymore, a request without a valid key receives a {"message": "Forbidden"} response.


11. (Optional) If you have a system with the curl command available (it ships with macOS and most Linux distributions), you can send an authenticated request using the following command:

curl -H "x-api-key: YOUR_API_KEY" YOUR_API_HOST/prod/items/

If everything worked, you should see the JSON response returned by the API.

Note: If you don't have the curl command available, you can use a web-based curl site to test the command. Search the web for "web based curl" to find one.
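The console clicks in steps 1 to 10 and the curl check in step 11 map onto a handful of API Gateway API calls. The following Python script is an added example, not part of the lab or of AWS documentation, that performs the same sequence with the boto3 apigateway client and then sends the authenticated request with urllib instead of curl. The REST API id, the resource ids of /items and /items/{ID}, and the invoke URL are placeholders you must replace; the client argument is any object that exposes the boto3 method names, so the configuration logic can be exercised offline with a fake client and a fake opener.

```python
"""Added example (not the lab's own code): configure a usage plan, an API key
and the API Key Required flag through the boto3 'apigateway' client, then
verify the deployed API with a plain urllib request.

Assumptions (not from the lab page): REST_API_ID, the resource ids and the
invoke URL are placeholders; `client` is any object exposing the boto3
apigateway method names, so a fake can be injected for offline tests."""
import json
import urllib.error
import urllib.request


def configure_api_keys(client, rest_api_id, stages, resource_ids,
                       plan_name="CloudAcademyPlan", key_name="LabKey"):
    """Create a usage plan bound to `stages`, create an enabled API key, bind
    the key to the plan, require the key on every GET method in `resource_ids`
    and redeploy each stage. Returns the ids and the key value (the value is
    only returned at creation time; later reads need get_api_key with
    includeValue=True)."""
    # Steps 2-5: usage plan with no throttle or quota yet, bound to all stages.
    plan = client.create_usage_plan(
        name=plan_name,
        description="Cloud Academy Lab Plan",
        apiStages=[{"apiId": rest_api_id, "stage": s} for s in stages],
    )
    # Steps 6-7: auto-generated, enabled key.
    key = client.create_api_key(name=key_name,
                                description="Cloud Academy Lab Key",
                                enabled=True)
    # A key is only usable once it is bound to a usage plan.
    client.create_usage_plan_key(usagePlanId=plan["id"], keyId=key["id"],
                                 keyType="API_KEY")
    # Step 9: require the key on each GET. The patch value is the string "true".
    for rid in resource_ids:
        client.update_method(
            restApiId=rest_api_id, resourceId=rid, httpMethod="GET",
            patchOperations=[{"op": "replace", "path": "/apiKeyRequired",
                              "value": "true"}],
        )
    # Step 10: nothing is live until each stage is redeployed.
    for s in stages:
        client.create_deployment(restApiId=rest_api_id, stageName=s,
                                 description="require API key")
    return {"usage_plan_id": plan["id"], "api_key_id": key["id"],
            "api_key_value": key["value"]}


def check_key(url, api_key=None, opener=None):
    """Send a GET with an optional x-api-key header and classify the outcome:
    ('ok', body) for 200, ('forbidden', body) for 403 (key missing, invalid,
    or not bound to a plan for this stage), ('throttled', body) for 429 (plan
    limits hit), or the raw status code as a string otherwise."""
    opener = opener or urllib.request.build_opener()
    req = urllib.request.Request(url, method="GET")
    if api_key:
        req.add_header("x-api-key", api_key)
    try:
        with opener.open(req, timeout=10) as resp:
            return "ok", json.loads(resp.read().decode() or "null")
    except urllib.error.HTTPError as e:
        body = e.read().decode(errors="replace")
        try:
            body = json.loads(body)
        except ValueError:
            pass
        return {403: "forbidden", 429: "throttled"}.get(e.code, str(e.code)), body


if __name__ == "__main__":
    import boto3  # only needed for a live run against your account
    apigw = boto3.client("apigateway")
    # Placeholders: substitute your REST API id, resource ids and invoke URL.
    result = configure_api_keys(apigw, "REST_API_ID", ["dev", "prod"],
                                ["ITEMS_RESOURCE_ID", "ITEMS_ID_RESOURCE_ID"])
    print(check_key("https://YOUR_API_HOST/prod/items/", result["api_key_value"]))
    print(check_key("https://YOUR_API_HOST/prod/items/"))  # no key: forbidden
```

A request with no key, or with a key that is not bound to a usage plan covering the requested stage, comes back as the Forbidden response the lab describes; a 429 means the plan's throttle or quota, which a later lab step enables, has been exceeded, so the two cases should be logged and alerted on separately.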

You can create up to 500 API Keys and 300 Usage Plans per account, so you can't associate a unique API Key with each user of your application. API Keys are more suitable for server-to-server scenarios or third-party customers. Alternatively, you can secure API Gateway with your own IAM roles or with custom Lambda Authorizers.

The limits for the Amazon API Gateway service are published by AWS in the Developer Guide. Many of the limits can be increased by contacting AWS support.


Summary

In this lab step, you created a usage plan and associated it with your API stages. You then created an API key, associated it with the usage plan, and required API keys to access the API.

Validation checks (2 checks)

  • Created the Usage Plan: Check that the Usage Plan has been created. (Amazon API Gateway)
  • Created the Usage Plan Key: Check that the key has been created. (Amazon API Gateway)