I am working on an API project and it is going to be exposed to members of our system. We need to secure our API using an API key. When the API is invoked, we need to know which member is invoking the API. So we need to map the key with the member somehow. I am wondering what is the best way to manage the keys. Following are the options we are aware of:
For each member, keep the API keys in our backend system and manage the key in our backend and once key is changed, manually update it in API gateway
Whenever key is changed in backend system, invoke the AWS API gateway rest service to update the key in API gateway
Any other options (not looking for OAuth2-like complex key management solutions)
API Gateway API keys are not used for authentication but identification. Read the last paragraph here. Judging from your question that you need to know which member invokes the API Gateway etc. means that you most likely need to implement an authentication system and the best candidate here is AWS Cognito. Use the right tool for the job and don't try to reinvent the wheel.
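The following is an added example, not code from the original question or answer. It sketches how a Lambda handler behind API Gateway could take the member identity from Cognito authorizer claims and treat the API key as a metering identifier only. It assumes a REST API with Lambda proxy integration and a Cognito user pool authorizer; the lookup tables, ids and the `make_event` helper are hypothetical, constructed values.

```python
import json

# Hypothetical lookup tables (constructed sample data, not from the page).
MEMBERS_BY_SUB = {"1111-aaaa": "member-42"}                 # Cognito "sub" -> member
KEY_OWNER = {"key-abc": "member-42", "key-xyz": "member-7"}  # API key id -> member


def resolve_member(event):
    """Return (member_id, error). Identity comes from Cognito claims only."""
    ctx = event.get("requestContext") or {}
    # With a Cognito user pool authorizer, API Gateway places the validated
    # token claims here. A missing value means the method has no authorizer.
    claims = (ctx.get("authorizer") or {}).get("claims") or {}
    sub = claims.get("sub")
    if not sub:
        return None, "unauthenticated"
    member = MEMBERS_BY_SUB.get(sub)
    if member is None:
        return None, "unknown_member"
    # The API key only identifies a usage-plan client. If one was sent,
    # require that it belongs to the authenticated member.
    key_id = (ctx.get("identity") or {}).get("apiKeyId")
    if key_id is not None and KEY_OWNER.get(key_id) != member:
        return None, "key_member_mismatch"
    return member, None


def handler(event, context=None):
    member, error = resolve_member(event)
    if error:
        status = 401 if error == "unauthenticated" else 403
        return {"statusCode": status, "body": json.dumps({"error": error})}
    return {"statusCode": 200, "body": json.dumps({"member": member})}


def make_event(sub=None, key_id=None):
    """Build a constructed proxy-integration event for local testing."""
    ctx = {"identity": {"apiKeyId": key_id}}
    if sub is not None:
        ctx["authorizer"] = {"claims": {"sub": sub}}
    return {"requestContext": ctx}


if __name__ == "__main__":
    print(handler(make_event(sub="1111-aaaa", key_id="key-abc")))
    print(handler(make_event(key_id="key-abc")))  # key alone is not identity
```
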