Use API key pairs for users for API gateway

Question

I have a web app running with its APIs all behind AWS API Gateway. It is currently authenticated using Cognito token.

Now I want to the users to be able to set up API key pairs (id and secret) so that they will have an alternative way to authenticate and access their account programmatically, similar to this (https://support.binance.com/hc/en-us/articles/360002502072-How-to-create-API).

I am aware some solutions (non-optimal IMO, please correct me if I am wrong):

1. API keys from API gateway could be used, but according to the documentation, it's not meant for authentication.
2. We could use IAM credentials for it, but I am not sure if it's a good practice to assign IAM credentials to users (rather than internal devs).

What is the best way to achieve something like this (https://support.binance.com/hc/en-us/articles/360002502072-How-to-create-API) with API gateway?

Answer 1

I would propose implementing a request based Lambda authorizer [1]. Looking at your example, it seems you expect to enforce some customized security policies as well (i.e., IP address based check, enabling specific APIs).

• Your Cognito user pool will still be used for username/password based authentication to your web app.
• My idea is to store users' API keys and the custom security policy in a separate data storage (eg- DynamoDB).
• Then users can use these API keys when invoking the API.
• API Gateway will trigger the Lambda authorizer and the Lambda authorizer is responsible to validate the API keys in the incoming request and generate an IAM policy based on your custom security policy.

[1] See the section named "Create a Lambda Function of a Lambda Authorizer of the REQUEST type" in https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html