
AWS API Gateway - applying basic authentication to some URL patterns


I am trying to secure a URL pattern (GET to /swagger-ui/open_api.yml) in API Gateway with Basic Authentication. No other URLs should require it.

To implement that, I added a Lambda authorizer which returns an Allow/Deny policy for all requests containing swagger-ui in the request path, checking the Authorization header. This secures the API definition.

But now API Gateway wants a basic authentication header for all URLs (e.g., POST to /runApi) and returns 401 Unauthorized if it's not set... Is there a way to override this behavior, so that basic authentication is only set for Swagger?


Solution

  • In AWS API Gateway, we can define an authorizer per route, i.e. HTTP method + URL pattern.

    So, in this case you can define a Lambda authorizer for Basic authentication for your specific URL pattern GET /swagger-ui/open_api.yml or ANY /swagger-ui/{proxy+}. The latter pattern catches all sub-paths under /swagger-ui for any HTTP method.

    For all other URLs, if you don't require any authorization, you can apply the catch-all proxy pattern /{proxy+} with an integration defined for the backend APIs. Here, you won't apply any authorizer and API Gateway will pass requests straight on to your backend integration endpoint.
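As an added example (not code from the question or the answer above), here is what the Lambda REQUEST authorizer attached only to the /swagger-ui route(s) could look like. It parses the Basic credentials, compares them in constant time, and returns an IAM policy scoped to the invoked method ARN. The credentials, the SWAGGER_USER/SWAGGER_PASS environment variable names and the sample event used at the bottom are constructed for this example; a real deployment would load the secret from Secrets Manager or SSM Parameter Store rather than an environment variable.

```python
"""Lambda REQUEST authorizer enforcing HTTP Basic Authentication on the
routes it is attached to (added example, not the original poster's code)."""
import base64
import hmac
import os

# Constructed credentials for the example. Assumed env var names; in
# production fetch the secret from Secrets Manager / SSM instead.
EXPECTED_USER = os.environ.get("SWAGGER_USER", "swagger")
EXPECTED_PASS = os.environ.get("SWAGGER_PASS", "s3cret")


def basic_header(user, password):
    """Build an 'Authorization: Basic ...' header value (used for testing)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header):
    """Return (user, password) from a Basic Authorization header, else None."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects non-base64 characters instead of ignoring them
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def credentials_valid(user, password):
    """Constant-time comparison of both fields so timing does not reveal
    which part failed; both comparisons always run."""
    ok_user = hmac.compare_digest(user.encode("utf-8"), EXPECTED_USER.encode("utf-8"))
    ok_pass = hmac.compare_digest(password.encode("utf-8"), EXPECTED_PASS.encode("utf-8"))
    return ok_user and ok_pass


def build_policy(principal, effect, method_arn):
    """IAM policy document in the shape API Gateway expects from an authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "execute-api:Invoke",
                    "Effect": effect,
                    # Scope the policy to the invoked route only, so a cached
                    # result cannot be replayed against another route.
                    "Resource": method_arn,
                }
            ],
        },
    }


def lambda_handler(event, context=None):
    """Entry point for a REST API REQUEST authorizer."""
    # Header names are case-sensitive in the event; normalise before lookup.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    creds = parse_basic_auth(headers.get("authorization"))
    method_arn = event["methodArn"]
    if creds and credentials_valid(*creds):
        return build_policy(creds[0], "Allow", method_arn)
    # A Deny policy makes API Gateway answer 403; raising
    # Exception("Unauthorized") instead would produce a 401.
    return build_policy("anonymous", "Deny", method_arn)


if __name__ == "__main__":
    # Constructed sample event mimicking a REQUEST authorizer invocation.
    sample_event = {
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/swagger-ui/open_api.yml",
        "headers": {"Authorization": basic_header("swagger", "s3cret")},
    }
    print(lambda_handler(sample_event)["policyDocument"]["Statement"][0]["Effect"])
```

Two caveats a practitioner should keep in mind. First, because the authorizer is attached only to the /swagger-ui method(s), requests to /{proxy+} never reach this function, which is exactly the behaviour asked for in the question. Second, when a REQUEST authorizer's identity source (here the Authorization header) is missing from the request, API Gateway returns 401 on its own without invoking the Lambda, which is why the original all-routes configuration produced 401s for /runApi.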