Amazon API Gateway, AWS Lambda Authorizer & Secrets Manager for API Key Authentication

API Gateway REST API → AWS Lambda Authorizer → AWS Secrets Manager

Implement a secure API key-based authorization system using Amazon API Gateway, AWS Lambda Authorizer, and AWS Secrets Manager.

This pattern demonstrates how to implement a secure API key-based authorization system using Amazon API Gateway, Lambda Authorizer, and AWS Secrets Manager.
Each user/tenant has their own unique API key stored in Secrets Manager, which is validated by a Lambda authorizer when requests are made to protected API endpoints.
The Lambda authorizer checks whether the presented API key exists in Secrets Manager. If the key is valid, the associated tenant information is retrieved and included in the authorization context.
API Gateway then allows or denies access to the protected endpoint based on the IAM policy the authorizer returns.
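The authorizer flow described above, written out as an added example (this is illustrative code, not the pattern's own Lambda source). It assumes a REQUEST-type authorizer that reads the x-api-key header, and a secret naming convention of one secret per key named after the key's SHA-256 hash; the Secrets Manager client is replaced by an in-memory stand-in so the block runs offline.

```python
import hashlib
import hmac
import json

# Constructed stand-in for AWS Secrets Manager. Assumed layout (not taken from the page):
# one secret per API key, named "apikeys/<sha256 of the key>", whose SecretString is a
# JSON document carrying the tenant name. Looking up by hash means the authorizer never
# has to list or enumerate secrets, and the plaintext key never appears in a secret name.
SAMPLE_KEY = "constructed-sample-key-12345"
FAKE_SECRETS = {
    "apikeys/" + hashlib.sha256(SAMPLE_KEY.encode()).hexdigest():
        json.dumps({"tenant": "sample-tenant", "apiKey": SAMPLE_KEY}),
}


def get_secret(name):
    """Stand-in for boto3 secretsmanager.get_secret_value(SecretId=name)["SecretString"];
    returns None where the real call would raise ResourceNotFoundException."""
    return FAKE_SECRETS.get(name)


def build_policy(principal, effect, method_arn, context=None):
    """IAM policy document in the shape API Gateway expects from a Lambda authorizer.
    The Allow is scoped to the invoked method ARN rather than a wildcard."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},
    }


def handler(event, context=None):
    """REQUEST-type authorizer entry point. Header names are matched case-insensitively."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    presented = headers.get("x-api-key", "")
    method_arn = event["methodArn"]
    if not presented:
        return build_policy("anonymous", "Deny", method_arn)
    secret = get_secret("apikeys/" + hashlib.sha256(presented.encode()).hexdigest())
    if secret is None:
        return build_policy("anonymous", "Deny", method_arn)
    record = json.loads(secret)
    # Constant-time comparison of the stored key against the presented one.
    if not hmac.compare_digest(record["apiKey"].encode(), presented.encode()):
        return build_policy("anonymous", "Deny", method_arn)
    # Tenant information reaches the integration via the authorizer context
    # ($context.authorizer.tenant in API Gateway). Context values must be strings.
    return build_policy(record["tenant"], "Allow", method_arn, {"tenant": record["tenant"]})
```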




Clone repo

git clone https://github.com/aws-samples/serverless-patterns
cd serverless-patterns/apigw-secretsmanager-apikey-cdk

Deploy

npm install
cdk deploy


Testing

Create an API key using the provided script: ./create_api_key.sh sample-tenant
Make a request to the protected endpoint using the valid API key: curl -H "x-api-key: CREATED_API_KEY" https://REPLACE_WITH_CREATED_API_URL.amazonaws.com/prod/protected
If successful, you should receive a response: { "message": "Access granted" }

Cleanup

Delete the CDK stack: cdk destroy
Delete the created Secrets Manager secrets using the provided script: ./remove_secrets.sh

Created by:

Marco Jahn

Senior Solutions Architect - ISV, Amazon Web Services