Using an API key in Amazon API Gateway

F

12

126

I have created an API Key and added it to my functions. I have then deployed the api and tested it but still get:

"message": "Forbidden"

How do I pass the api key with my JSON request as I have been using "x-api-key": "theKey"?

Flyfish answered 21/8, 2016 at 5:17 Comment(1)

this post explained it for me! – Recountal 26/2, 2017 at 4:48

C

152

The x-api-key parameter is passed as a HTTP header parameter (i.e. it is not added to the JSON body). How you pass HTTP headers depend on the HTTP client you use.

For example, if you use curl and assuming that you POST the JSON payload, a request would look something like (where you replace [api-id] with the actual id and [region] with the AWS region of your API):

$ curl -X POST -H "x-api-key: theKey" -H "Content-Type: application/json" -d '{"key":"val"}' https://[api-id].execute-api.[region].amazonaws.com

Clara answered 21/8, 2016 at 20:13 Comment(3)

Yes I use NSMutableURLRequest *request in ios sdk which then you can add the key too and it worked – Flyfish 22/8, 2016 at 1:57

Is there a way to use our own custom header name instead of "x-api-key" header name? – Elbaelbart 26/5, 2021 at 6:34

Still relevant in 2021 - you would think the AWS docs would be a bit more specific on how (for example in Postman) you can provide your API key to test this functionality – Emlen 7/9, 2021 at 10:39

S

129

I had to add an API Usage plan, and then link the plan to the API stage.

Seems like this is the only way to link the key to the API, not sure if this is a recent change on AWS.

Sitdown answered 7/9, 2016 at 8:40 Comment(7)

I just ran into the same issue. Took me half an hour to figure out what's going on. This lousy error message: {"message":"Forbidden"} wasn't helpful at all. Thanks AWS!! – Tenatenable 9/11, 2017 at 1:11

Classic AWS. Just miss out a vital part of the documentation and don't tell you what the problem is in the error message or how to fix it. Thanks, this solved it for me. – Calderon 15/2, 2018 at 10:53

This helped me. – Pourpoint 22/6, 2018 at 15:58

don't forget to deploy again! – Formalism 8/12, 2019 at 19:45

The way I found the solution was to activate logging. That needs a Role for apigateway with the permission AmazonAPIGatewayPushToCloudWatchLogs. In the logging, the message is actually very clear: "API Key ***** not authorized because method 'POST /predict' requires API Key and API Key is not associated with a Usage Plan for API Stage x______y/stg: No Usage Plan found for key and API Stage" – Trapes 22/1, 2020 at 16:30

Is there a way to use our own custom header name instead of "x-api-key" header name? – Elbaelbart 26/5, 2021 at 6:35

so circumvoluted – Recalesce 12/5, 2022 at 19:58

Q

49

If you set 'API Key Required' option to true, please check below.

you have to pass 'x-api-key' HTTP Header Parameter to API Gateway.
The API Key had to be created.
In addition, you need to check a Usage Plan for the API Key on API Gateway Console.

Quezada answered 21/4, 2017 at 4:13 Comment(2)

Thanks. I think aws documentation is far from clear to mention this. – Talkie 3/1, 2018 at 16:55

It didn't work for me until I created a Usage Plan. This should not be necessary I guess. Thanks! – Counterbalance 20/2, 2019 at 20:44

S

44

If you set 'API' key required to true, you need to pass the api key as header.

API Key is passed as header field 'x-api-key'. Even after adding this field in header, this issue may occur. In that case, please validate below points

Do you have a Usage Plan? if not need to create one.
Link you API with Usage Plan. For that add a stage, it will link your API
Do you have API Key? if not you need to create an API Key and enable it.
Add the Usage Plan which is linked with your API to this API Key. For that, add Usage Plan.

Santa answered 29/6, 2018 at 11:4 Comment(2)

Great notes. Thanks. – Demonology 30/8, 2020 at 13:41

Will it not work if I don't set a stage for apiKey usage plan? – Dorindadorine 6/6, 2022 at 8:33

C

25

I hope you are not missing to link the API key with the API

Conners answered 21/8, 2016 at 11:23 Comment(0)

B

17

I was able to get a successful response from Lambda using below configuration in Postman native app -

Under authorization tab (For some reason this didn't work when i passed the same parameters under header)

Key : x-api-key

Value : your-api-key-value

Add to : Header

Barmen answered 17/6, 2019 at 15:31 Comment(0)

D

8

I don't have enough reputation to set this as a comment, But I was finally able to find the document specifying that 'x-api-key' belongs in the header for API Gateway calls that come from outside clients (like postman, swagger, etc.) in the AWS Documentation.

The relevant part:

To use header-sourced API keys:

Create an API with desired API methods. And deploy the API to a stage.

Create a new usage plan or choose an existing one. Add the deployed API stage to the usage plan. Attach an API key to the usage plan or choose an existing API key in the plan. Note the chosen API key value.

Set up API methods to require an API key.

Redeploy the API to the same stage. If you deploy the API to a new stage, make sure to update the usage plan to attach the new API stage.

The client can now call the API methods while supplying the x-api-key header with the chosen API key as the header value.

Choose an API key source

Desiccated answered 15/9, 2021 at 20:17 Comment(1)

I was looking exactly for the key name, thanks – Pastille 16/3, 2022 at 22:14

S

6

For Private API Gateways accessed through public DNS, we need to pass additional header of 'x-apigw-api-id' with the api id along with 'x-api-key' if configured.

curl -v https://{vpce-id}.execute-api.{region}.vpce.amazonaws.com/test -H 'x-apigw-api-id:{api-id}'

Its documented below,

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-api-test-invoke-url.html#w20aac13c16c28c11

Shack answered 30/5, 2019 at 16:31 Comment(1)

My issue was that I had included this x-apigw-api-id header for a public API Gateway by mistake. Removing it worked for me. – Barncard 18/2, 2021 at 14:1

B

3

Here a good resource explaining different reasons why we could be getting a Forbidden. The two most important are the request URL and the x-api-key header:

https://{api_id}.execute-api.{region}.amazonaws.com/{stage_name}/{resource_name}

Missing stage name will give you 403 for ex. Maybe for security reasons the response is not revealing an issue with the stage name, and thus you get a generic Forbidden.

Bonnice answered 1/5, 2022 at 17:48 Comment(0)

S

2

I faced the same problem today. I had already mapped the API key to the usage plan (which was linked to the api gateway stage). I was also passing the api key in header correctly.

When none of these solutions work, do remember to check if your API is linked to WAF policy with only a certain ip-addresses permitted. Apparently, my IP address had changed today. So, WAF was blocking me. That can be an additional reason to get {"message": "Forbidden"} error.

Sambo answered 20/8, 2022 at 3:38 Comment(0)

E

1

I had the same issue today, but my problem was that I forgot to associate a usage plan with a stage.

Usage Plan -> Details -> Add Stage

Epiblast answered 20/4, 2023 at 12:9 Comment(0)

B

0

A source of error can be the global setting for "Api Key Source".

In the console, when inside the API, navigate to "Settings" > Scroll down to "API Key Source" > Select "HEADER".

Bamberg answered 11/8, 2023 at 15:41 Comment(0)

Recommended topics

Hot tags