Amplify-cli: Support different authentication types for a REST API

Created on 10 Mar 2019 · 7 Comments · Source: aws-amplify/amplify-cli

So, I have used amplify api add and now have GraphQL and REST API in my project, but the auth for my REST API is using Cognito. How can I change that? I would like to use API Key authentication for my REST API and keep using Cognito for the rest. I can not find any reference in the doc and by running amplify auth add again I get the message:

Auth has already been added to this project. To update run amplify update auth.

If this is currently not supported going through some amplify-cli command or by editing some CloudFormation template, then it can be a candidate for a feature request.

api-rest auth feature-request

All 7 comments

@kstro21 The API Gateway service doesn't have API Keys as one of their authentication methods, I believe. As a part of the CLI we support Cognito for auth/unauth access which you could probably use.

@kaustavghosh06 thanks for the response. I'm currently using Cognito for auth/unauth and it works OK, but I'm trying to switch to API Keys and Usage Plans as described here https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html

Here is an example that describes the process using the AWS API Gateway console: https://medium.com/@zeebaig/protect-aws-api-gateway-endpoints-using-api-keys-5d8c066c5a5d

If it can be configured using the console, it can be configured using CloudFormation too, right?

+1 for this feature! It would be really nice to have different authentication methods for a REST API

This is an awesome project and I was wondering as to why the CLI doesn't support adding API keys as auth type for REST APIs?

+1

So I have found that you cannot do this via the amplify-cli. However for anyone searching for a way to do this and not have amplify blow out your api-key on every deploy I have this solution.

You need to modify the file amplify/backend/api/<your_api_name>/<your_api_name>-cloudformation-template.json.

In the section labeled "x-amazon-apigateway-any-method" you need to add the following snippet. If you have multiple resources you will need to add the section to each defined "x-amazon-apigateway-any-method" section.

```
"security": [
    {
        "api_key": []
    }
],
```

Note if you are doing other auth methods in addition to api-key you will need to add the api_key to the security section that is already there.

```
"security": [
    {
        "api_key": []
    },
    {
        "sigv4": []
    }
],
```

Additionally, you need to add the "api_key" to the "securityDefinitions" section.

```
"api_key": {
    "type": "apiKey",
    "name": "x-api-key",
    "in": "header"
}
```

Larger Example:

```
"x-amazon-apigateway-any-method": {
  "consumes": [
    "application/json"
  ],
  "produces": [
    "application/json"
  ],
  "parameters": [
    {
      "in": "body",
      "name": "RequestSchema",
      "required": false,
      "schema": {
        "$ref": "#/definitions/RequestSchema"
      }
    }
  ],
  "responses": {
    "200": {
      "description": "200 response",
      "schema": {
        "$ref": "#/definitions/ResponseSchema"
      }
    }
  },
  "security": [
    {
      "api_key": []
    }
  ],
  "x-amazon-apigateway-integration": {
    "responses": {
      "default": {
        "statusCode": "200"
      }
    },
    "uri": {
      "Fn::Join": [
        "",
        [
          "arn:aws:apigateway:",
          {
            "Ref": "AWS::Region"
          },
          ":lambda:path/2015-03-31/functions/",
          {
            "Ref": "functionnumberlookupArn"
          },
          "/invocations"
        ]
      ]
    },
    "passthroughBehavior": "when_no_match",
    "httpMethod": "POST",
    "type": "aws_proxy"
  }
}
```

```
"securityDefinitions": {
  "sigv4": {
    "type": "apiKey",
    "name": "Authorization",
    "in": "header",
    "x-amazon-apigateway-authtype": "awsSigv4"
  },
  "api_key": {
    "type": "apiKey",
    "name": "x-api-key",
    "in": "header"
  }
},
```

I hope this helps some people.

@egreenmachine thanks for sharing. ^ This works!
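The manual template edit from the workaround above, as an added example that is not part of the original thread or of amplify-cli: it applies the `api_key` requirement to every `x-amazon-apigateway-any-method` section and then counts any method that still lacks it, which is the check to run before a deploy. The function names and the sample template are hypothetical and constructed; the code walks the whole parsed JSON rather than assuming where the Swagger body sits inside the CloudFormation template.

```python
import copy

ANY_METHOD = "x-amazon-apigateway-any-method"
API_KEY_DEF = {"type": "apiKey", "name": "x-api-key", "in": "header"}


def _walk(node):
    """Yield every dict nested anywhere inside a parsed JSON document."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def require_api_key(template):
    """Return a patched copy; applying it twice gives the same result."""
    patched = copy.deepcopy(template)
    for node in list(_walk(patched)):  # collect first, then mutate
        method = node.get(ANY_METHOD)
        if isinstance(method, dict):
            security = method.setdefault("security", [])
            if not any("api_key" in req for req in security):
                security.insert(0, {"api_key": []})  # keep sigv4 etc. in place
        if isinstance(node.get("securityDefinitions"), dict):
            node["securityDefinitions"].setdefault("api_key", dict(API_KEY_DEF))
    return patched


def methods_missing_api_key(template):
    """Count ANY-method sections that do not list the api_key requirement."""
    methods = (n[ANY_METHOD] for n in _walk(template)
               if isinstance(n.get(ANY_METHOD), dict))
    return sum(not any("api_key" in r for r in m.get("security", []))
               for m in methods)


# Constructed sample: two resources, one of which already uses sigv4.
SAMPLE = {
    "paths": {
        "/items": {ANY_METHOD: {"security": [{"sigv4": []}]}},
        "/items/{proxy+}": {ANY_METHOD: {"responses": {}}},
    },
    "securityDefinitions": {
        "sigv4": {"type": "apiKey", "name": "Authorization", "in": "header"}
    },
}

if __name__ == "__main__":
    print("unpatched methods:", methods_missing_api_key(require_api_key(SAMPLE)))
```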
