I have configured a REST API Gateway which provides services via Lambda integration. This API is secured by an AWS Lambda Authorizer, which validates whether the JWT token passed as a header in the request is valid. That means that only registered users with valid JWT tokens can call this API. However, besides users->API, we also need to provide systems->API communication that should not depend on "system users" for calling the API.
So far I have configured all my resources in the API Gateway to use the Lambda Authorizer function as the authorization method, which fulfills the users->API communication flow.
For the systems->API communication, I was thinking of allowing communication via IAM Roles. The idea is that systems could assume an AWS Role and sign the HTTP requests using AWS SigV4. This way I'd be able to use REST API Gateway Resource Policies to allow or deny systems access to the API via AWS policies (validating specific roles as principals), but this would require bypassing the Lambda authorization for this use case.
The AWS documentation is not clear about the options for this mix of use cases. It seems that for the IAM Roles authorization via Resource Policies I'd need to change the API Gateway resource configurations to use AWS_IAM as auth method instead of LAMBDA. Although the docs even mention the possibility of combining API Resource Policies and Lambda Authorizer, it only looks applicable for blocking requests not coming from a specific VPC or IP Range (link).
In summary what I want to achieve is something like:
User's requests   --(JWT)-->   Lambda Authorizer ---|
(Identity via OAuth)                                |
                                                    |--> API Gateway
System's requests --(SigV4)--> Resource Policy   ---|
(Identity via IAM Role)
So far I haven't found a way to have both authorization flows, each exclusive to its own use case; I found I can only have one for each API Gateway resource endpoint.
Does anybody know if my goal can be achieved using REST API Gateways? If not, are there other alternatives out there for this problem?
Does anybody know if my goal can be achieved using REST API Gateways?
You can indeed only have one authorizer per method per resource, so it's impossible to do exactly what you're after.
What you can do is create and maintain two API Gateways with the same set of resources, methods, and integrations, but different authorizers: one for your users, another one for the systems.
Another option would be maintaining your own set of API keys (not the ones that come with the Gateway, but self-managed, like records in DynamoDB or something like that) and checking for JWT or these keys in the custom authorizer.
This will require additional work: you'll have to figure out how to create, store, distribute, check and revoke those keys, so it's definitely harder than just creating a role in the AWS console and assuming it from your service.
A service to verify V4 signatures for certain roles is a popular ask, which would help you solve your problem had AWS provided it.
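The second option in the answer above (one custom authorizer that accepts either a user JWT or a self-managed system key) can be sketched as a REQUEST-type Lambda authorizer. This is an added example, not the answerer's code or anything from AWS. It assumes an HS256 shared secret for the JWT (a real deployment would typically verify against the IdP's JWKS), an in-memory dictionary standing in for the DynamoDB key table, and two header names (`x-system-key-id`, `x-system-key`) that I chose for the example; all secrets and keys are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this offline example. Assumption: in a real deployment the JWT
# secret (or the IdP's JWKS) comes from Secrets Manager and SYSTEM_KEY_STORE is a
# DynamoDB table. Only hashes of system keys are stored, never the keys themselves.
JWT_HS256_SECRET = b"constructed-example-secret"
SYSTEM_KEY_STORE = {
    "sys-billing": {"key_hash": hashlib.sha256(b"constructed-billing-key").hexdigest(), "revoked": False},
    "sys-legacy": {"key_hash": hashlib.sha256(b"constructed-legacy-key").hexdigest(), "revoked": True},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Mint a token for testing; in practice the IdP issues tokens, not the authorizer."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256_jwt(token: str, secret: bytes, now=None):
    """Return the claims if the token is well-formed, HS256-signed with `secret` and
    unexpired; otherwise None. The algorithm is pinned to HS256 so a header claiming
    'none' or another algorithm cannot downgrade verification."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        if not isinstance(claims, dict) or "sub" not in claims or claims.get("exp", 0) <= now:
            return None
        return claims
    except (ValueError, TypeError):
        return None


def verify_system_key(key_id: str, key: str, store: dict) -> bool:
    """Look the key id up, refuse revoked records, compare hashes in constant time."""
    record = store.get(key_id)
    if record is None or record["revoked"]:
        return False
    presented = hashlib.sha256(key.encode()).hexdigest()
    return hmac.compare_digest(presented, record["key_hash"])


def build_policy(principal_id: str, effect: str, method_arn: str, context: dict) -> dict:
    """IAM policy document in the shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        "context": context,
    }


def handler(event: dict, context=None) -> dict:
    """REQUEST-type Lambda authorizer: JWT bearer for users, hashed key for systems.
    Anything else gets an explicit Deny (API Gateway turns that into a 403)."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    method_arn = event["methodArn"]

    auth = headers.get("authorization", "")
    if auth.startswith("Bearer "):
        claims = verify_hs256_jwt(auth[len("Bearer "):], JWT_HS256_SECRET)
        if claims:
            return build_policy(claims["sub"], "Allow", method_arn, {"authType": "jwt"})
        return build_policy("anonymous", "Deny", method_arn, {"authType": "jwt"})

    key_id, key = headers.get("x-system-key-id"), headers.get("x-system-key")
    if key_id and key and verify_system_key(key_id, key, SYSTEM_KEY_STORE):
        return build_policy(key_id, "Allow", method_arn, {"authType": "system-key"})

    return build_policy("anonymous", "Deny", method_arn, {"authType": "none"})
```

The `context` map is passed through to the integration, so the backend can tell a user call from a system call without re-parsing credentials. Revocation is a flag flip on the stored record, which is the part of the key lifecycle the answer warns you will have to own yourself.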