Support different authentication types for a REST API #438

Open
kstro21 opened this issue Mar 10, 2019 · 14 comments
@kstro21

kstro21 commented Mar 10, 2019

So, I have used amplify api add and now have GraphQL and REST API in my project, but the auth for my REST API is using Cognito. How can I change that? I would like to use API Key authentication for my REST API and keep using Cognito for the rest. I can not find any reference in the doc and by running amplify auth add again I get the message:

Auth has already been added to this project. To update run amplify update auth.

If this is currently not supported going through some amplify-cli command or by editing some CloudFormation template, then it can be a candidate for a feature request.

@UnleashedMind UnleashedMind added question auth labels Mar 11, 2019
@kaustavghosh06
Contributor

@kstro21 The API Gateway service doesn't have API Keys as one of their authentication methods I believe. As a part of the CLI we support Cognito for auth/unauth access which you could probably use.

@kstro21
Author

kstro21 commented Mar 12, 2019

@kaustavghosh06 thanks for the response. I'm currently using Cognito for auth/unauth and it works OK, but I'm trying to switch to API Keys and Usage Plans as described here https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html

Here is an example that describes the process using the AWS API Gateway console https://medium.com/@zeebaig/protect-aws-api-gateway-endpoints-using-api-keys-5d8c066c5a5d

If it can be configured using the console, it can be configured using CloudFormation too, right?

@kaustavghosh06 kaustavghosh06 added api-rest pending-triage and removed pending-response question labels Mar 14, 2019
@kaustavghosh06 kaustavghosh06 added feature-request and removed pending-triage labels Apr 12, 2019
@javieraldape

+1 for this feature! It would be really nice to have different authentication methods for a REST API

@kaustavghosh06 kaustavghosh06 removed their assignment Aug 16, 2019
@iamtekeste

This is an awesome project and I was wondering as to why the CLI doesn't support adding API keys as auth type for REST APIs?

@kaustavghosh06 kaustavghosh06 changed the title How to use a different authentication type for a REST API? Support different authentication types for a REST API? Oct 11, 2019
@kaustavghosh06 kaustavghosh06 changed the title Support different authentication types for a REST API? Support different authentication types for a REST API Oct 11, 2019
@hisham

hisham commented Mar 18, 2020

+1

@egreenmachine

egreenmachine commented Mar 29, 2020

So I have found that you cannot do this via the amplify-cli. However for anyone searching for a way to do this and not have amplify blow out your api-key on every deploy I have this solution.

You need to modify the file amplify/backend/api/<your_api_name>/<your_api_name>-cloudformation-template.json.

In the section labeled "x-amazon-apigateway-any-method" you need to add the following snippet. If you have multiple resources you will need to add the section to each defined "x-amazon-apigateway-any-method" section.

"security": [
  {
    "api_key": []
  }
],

Note if you are doing other auth methods in addition to api-key you will need to add the api_key to the security section that is already there.

"security": [
  {
    "api_key": []
  },
  {
    "sigv4": []
  }
],

Additionally, you need to add the "api_key" to the "securityDefinitions" section.

"api_key": {
    "type": "apiKey",
    "name": "x-api-key",
    "in": "header"
}

Larger Example:

"x-amazon-apigateway-any-method": {
  "consumes": [
    "application/json"
  ],
  "produces": [
    "application/json"
  ],
  "parameters": [
    {
      "in": "body",
      "name": "RequestSchema",
      "required": false,
      "schema": {
        "$ref": "#/definitions/RequestSchema"
      }
    }
  ],
  "responses": {
    "200": {
      "description": "200 response",
      "schema": {
        "$ref": "#/definitions/ResponseSchema"
      }
    }
  },
  "security": [
    {
      "api_key": []
    }
  ],
  "x-amazon-apigateway-integration": {
    "responses": {
      "default": {
        "statusCode": "200"
      }
    },
    "uri": {
      "Fn::Join": [
        "",
        [
          "arn:aws:apigateway:",
          {
            "Ref": "AWS::Region"
          },
          ":lambda:path/2015-03-31/functions/",
          {
            "Ref": "functionnumberlookupArn"
          },
          "/invocations"
        ]
      ]
    },
    "passthroughBehavior": "when_no_match",
    "httpMethod": "POST",
    "type": "aws_proxy"
  }
}

"securityDefinitions": {
  "sigv4": {
    "type": "apiKey",
    "name": "Authorization",
    "in": "header",
    "x-amazon-apigateway-authtype": "awsSigv4"
  },
  "api_key": {
    "type": "apiKey",
    "name": "x-api-key",
    "in": "header"
  }
},

I hope this helps some people.

@rafaelsorto

@egreenmachine thanks for sharing. ^ This works!

@iOrcohen

This solution is not working in the latest amplify version.

Since there is now only a cli-inputs.json file, and the CloudFormation templates are generated during amplify push, we can't make custom changes in the CloudFormation file.

Is there any way we can do it in Amplify versions after 7?

@j-schuma

yea, I am wondering about the same thing as @iOrcohen. :/

@oddbytes

Same here. Can anyone point us in the right direction? Thanks!

@josefaidt josefaidt added the p3 label Mar 23, 2022
@ecc7220

ecc7220 commented Mar 26, 2022

I need this also...

@L0y3r

L0y3r commented Mar 28, 2022

I just opened aws-amplify/amplify-cli#10085, where I'm trying to override security for methods, something similar to what @egreenmachine suggests

@alharris-at alharris-at transferred this issue from aws-amplify/amplify-cli May 17, 2022
@dmost714

I am also trying to get an API Key and Usage Plan working. And I'd like the API key to be required as the rest apis are not otherwise authenticated.

@PritamDutt

PritamDutt commented Mar 27, 2023

I have been able to configure usage of API Key Auth on specific endpoints, though still exploring how to configure UsagePlans.

You can add overrides.ts by using the amplify override api command

// This file is used to override the REST API resources configuration
import { AmplifyApiRestResourceStackTemplate } from '@aws-amplify/cli-extensibility-helper';

export function override(resources: AmplifyApiRestResourceStackTemplate) {
  // Put the /myAPI endpoint behind API_KEY
  resources.restApi.body.securityDefinitions['api_key'] = {
    "type": "apiKey",
    "name": "x-api-key",
    "in": "header",
  }
  resources.restApi.body.paths['/myAPI']['x-amazon-apigateway-any-method']['security'] = [{'api_key': []}]
}


Hope this helps
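Added example, not part of any comment in this thread and not Amplify's own code: the template edit and the override described above, generalized into a helper that adds `api_key` to several paths without dropping an existing `sigv4` entry, reports mistyped paths instead of throwing, and lists paths that still carry no security requirement. The helper names (`requireApiKey`, `unprotectedPaths`, `makeSample`) and the sample paths are assumptions made for illustration.

```typescript
// Added example: helper names and the sample body are constructed, not from Amplify.
type SecurityRequirement = Record<string, string[]>;
interface Method { security?: SecurityRequirement[]; [key: string]: unknown }
interface SwaggerBody {
  securityDefinitions?: Record<string, unknown>;
  paths: Record<string, Record<string, Method>>;
}

const ANY = 'x-amazon-apigateway-any-method';
const SCHEME = 'api_key';

// Add the api_key scheme and require it on each target path's ANY method.
// Existing entries (e.g. sigv4) are kept. Returns the targets that were not
// found, instead of throwing on a mistyped path.
function requireApiKey(body: SwaggerBody, targets: string[]): string[] {
  const defs = (body.securityDefinitions ??= {});
  defs[SCHEME] = { type: 'apiKey', name: 'x-api-key', in: 'header' };
  const skipped: string[] = [];
  for (const path of targets) {
    const method = body.paths[path]?.[ANY];
    if (!method) { skipped.push(path); continue; }
    const security = (method.security ??= []);
    if (!security.some((req) => SCHEME in req)) security.push({ [SCHEME]: [] });
  }
  return skipped;
}

// Paths whose ANY method carries no security requirement at all.
function unprotectedPaths(body: SwaggerBody): string[] {
  return Object.keys(body.paths)
    .filter((p) => (body.paths[p]?.[ANY]?.security ?? []).length === 0)
    .sort();
}

// Constructed sample shaped like the template fragments quoted in this thread.
function makeSample(): SwaggerBody {
  return {
    securityDefinitions: { sigv4: { type: 'apiKey', name: 'Authorization', in: 'header' } },
    paths: {
      '/myAPI': { [ANY]: { security: [{ sigv4: [] }] } },
      '/myAPI/{proxy+}': { [ANY]: {} },
      '/public': { [ANY]: {} },
    },
  };
}

const demo = makeSample();
console.log(requireApiKey(demo, ['/myAPI', '/typo'])); // targets not found
console.log(unprotectedPaths(demo)); // paths still without any requirement
```

Running `unprotectedPaths` over the body after the override makes sibling paths that were missed visible before `amplify push`. API Gateway's documentation describes API keys as identifiers for usage plans rather than an authorization mechanism, so a method whose only requirement is `api_key` is worth flagging in review.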
