Client API throttling in API Gateway

Question

Hi all,

Customer  is looking to implement API throttling to their APIs exposed via API Gateway. It is supported by API Gateway using API Keys but the customer has not implemented API keys for each of their customers and is looking for other options leveraging information in the API request/header. Each of the requests currently includes a customer ID that they would like to use.

Accepted Answer

What you are describing is a perfect use case for API keys + usage plans. But it seems your customer does not want their end users to make any changes. Have you looked into this [blog post][1]? It has an example of how CloudFront can inject the API key for the end users. Not sure how your customer is currently doing auth but another option might be to [inject the API key in the Lambda custom authorizer][2].

> A Lambda authorizer function's output is a dictionary-like object,
> which must include the principal identifier (principalId) and a policy
> document (policyDocument) containing a list of policy statements. The
> output can also include a context map containing key-value pairs. If
> the API uses a usage plan (the apiKeySource is set to AUTHORIZER), the
> Lambda authorizer function must return one of the usage plan's API
> keys as the usageIdentifierKey property value.

[1]: https://aws.amazon.com/blogs/compute/protecting-your-api-using-amazon-api-gateway-and-aws-waf-part-2/
  [2]: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html

Client API throttling in API Gateway

관련 콘텐츠