I want to activate AWS Identity and Access Management (IAM) authentication for my Amazon API Gateway REST API.
Short description
Use the API Gateway console to turn on IAM authentication for an API Gateway method. Then, use identity-based and resource-based policies to designate your API permissions.
For more information, see Control and manage access to REST APIs in API Gateway.
Resolution
Turn on IAM authentication for your REST API
Complete the following steps:
- Open the API Gateway console.
- In the navigation pane, choose APIs, and then select your API.
- For Resources, choose an API Gateway method that you want to activate IAM authentication for, such as GET or POST.
- For Method Execution, choose Method Request.
- Under Settings, for Authorization, choose Edit.
- Choose AWS_IAM from the dropdown list, and then choose Update.
- Repeat steps 2–4 for each API Gateway method that you want to activate IAM authentication for.
- Deploy your API.
- In Stage Editor, note the invoke URL so that you can test the authentication settings.
For more information, see Set up a method using the API Gateway console and Obtaining an API's invoke URL.
Grant API authorization to a group of IAM users
Complete the following steps:
- Determine the permissions that you want your API users to have. For more information, see Control access to a REST API with IAM permissions.
- Create an IAM policy that includes the required permissions. To test the authentication settings, you must allow invoke permissions. For examples, see the following documentation:
  - Control access for invoking an API
  - IAM policy examples for API execution permissions
  - Amazon API Gateway identity-based policy examples
- Attach the policy to an existing IAM group. Or, attach the policy when you create a new IAM group.
Note: It's a best practice to grant access at the IAM group level.
(Optional) Configure an API Gateway resource policy
You can use API Gateway resource-based policies with IAM policies to manage access to your API. For more information, see IAM authentication and resource policy and Identity-based policies and resource-based policies.
Important: If you deny access to your API in one policy and allow access in the other policy, then access is denied. For more information, see Policy evaluation outcome tables.
Send a request to test the authentication settings
Use the Postman application to send a request to your API resource. Use the same API Gateway method that you activated IAM authentication for.
For the request URL, enter your API's invoke URL. If you activated IAM authentication on a method for a specific API resource, then add the resource name to the end of the invoke URL. For example, enter https://restApiId.execute-api.region.amazonaws.com/stageName/resourceName.
An authenticated request returns a "200 OK" response code. An unauthorized request returns the message "Missing Authentication Token" and a "403 Forbidden" response code.
Note: You can also use the Signature Version 4 signing process tool to manually authenticate requests that are sent to API Gateway.
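What Postman or the Signature Version 4 signing tool does for that test request, as an added example that is not part of the original article: a standard-library Python signer for the execute-api service. The invoke URL, access key, secret key and region are constructed placeholders, and the signer assumes long-term keys (no session token), no query string and a path that needs no extra URI encoding.

```python
import datetime
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample inputs (not real credentials); the URL follows the article's
# invoke URL pattern. The fixed UTC timestamp makes the output reproducible.
INVOKE_URL = "https://restApiId.execute-api.us-east-1.amazonaws.com/stageName/resourceName"
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE"
SECRET_KEY = "exampleSecretKeyDoNotUse"
REGION = "us-east-1"
SERVICE = "execute-api"  # service name API Gateway expects in the credential scope
SAMPLE_WHEN = datetime.datetime(2024, 1, 15, 12, 0, 0)

def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def sigv4_headers(method, url, access_key, secret_key, region, when, body=b""):
    """Build Host, X-Amz-Date and Authorization headers for a SigV4-signed request.
    Assumes long-term keys (no session token), no query string, and a path that
    needs no extra URI encoding, which matches the article's invoke URL."""
    parsed = urlparse(url)
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    signed_headers = "host;x-amz-date"
    # Canonical request: method, path, query, canonical headers, signed headers, payload hash
    canonical_request = "\n".join([
        method.upper(), parsed.path or "/", parsed.query,
        f"host:{parsed.netloc}\nx-amz-date:{amz_date}\n", signed_headers, _sha256_hex(body),
    ])
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    # Derive the signing key: secret -> date -> region -> service -> aws4_request
    k_signing = ("AWS4" + secret_key).encode("utf-8")
    for part in (date_stamp, region, SERVICE, "aws4_request"):
        k_signing = _hmac(k_signing, part)
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"Host": parsed.netloc, "X-Amz-Date": amz_date, "Authorization": authorization}

def sign_sample(method="GET", secret_key=SECRET_KEY):
    """Sign the article's sample GET (or another method) with the constructed credentials."""
    return sigv4_headers(method, INVOKE_URL, ACCESS_KEY, secret_key, REGION, SAMPLE_WHEN)
```

Send the three returned headers with the request to the invoke URL; because the signature covers the method, path and date, a request that differs in any of those, or that is signed with a different secret key, is rejected with 403 just like an unsigned one.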
Related information
How API Gateway resource policies affect authorization workflow
Manage access keys for IAM users