AWS API Gateway
1. Introduction
AWS API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. APIs act as the "front door" for applications to access data, business logic, or functionality from your backend services.
2. Reference
Creating an oauth2 custom lamda authorizer for use with Amazons (AWS) API Gateway using Hydra
Using JavaScript (Node.js)
3. Setting up a custom domain name for a REST API
Reference > https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html
After deploying the API Gateway, e.g. by applying Terraform, the API can be invoked using the default base URL, which has the following format:
https://<api-id>.execute-api.<region>.amazonaws.com/<stage>
The API Gateway ID can be found in the AWS "API Gateway" console (e.g. a1jeu0zg27) or, if so configured, in the Terraform output:
api-gw-deployment_invoke_url = "https://a1jeu0zg27.execute-api.eu-west-1.amazonaws.com/pre"
To add a custom domain, go to AWS Route 53 and create a new record of type CNAME whose value is the API Gateway hostname:
a1jeu0zg27.execute-api.eu-west-1.amazonaws.com
4. Lambda authorizer
Examples: fpdefense (Python), sixqueue (Python)
A Lambda authorizer (formerly known as a custom authorizer) is an API Gateway feature that uses a Lambda function to control access to your API.
Reference:
(Use API Gateway Lambda authorizers) > https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
(Creating an oauth2 custom lamda authorizer for use with Amazons (AWS) API Gateway using Hydra) [Node.js, JavaScript] > https://blogs.edwardwilde.com/2017/01/12/creating-an-oauth2-custom-lamda-authorizer-for-use-with-amazons-aws-api-gateway-using-hydra/
Implementation idea:
Python Lambda, packaged with e.g. lambda_setuptools as in fpdefense when using Terraform, or with the default Serverless packaging.
A layer for accessing SSM parameters, with 5-minute caching, as in sixqueue.
Don't use environment variables for the Hydra configuration: they are lost when the infrastructure is destroyed, and valueFrom (SSM) is not available for Lambda.
Configure the API Gateway to cache authorizer results for 5 minutes.
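An added example of the Python authorizer sketched above (written for this page; not the code of fpdefense, sixqueue or the referenced blog post): a TOKEN-type Lambda authorizer that checks a bearer token against Hydra's introspection endpoint, reads the Hydra admin URL from SSM through a 5-minute cache, and returns the policy document API Gateway expects. The SSM parameter name /app/hydra/admin_url, the introspection response fields and the helper names are assumptions; SSM and Hydra are injected as callables so the module runs offline.

```python
import json
import time
import urllib.parse
import urllib.request

CACHE_TTL_SECONDS = 300  # 5-minute SSM parameter cache, as in the notes above
_CACHE = {}              # name -> (value, fetched_at); survives warm Lambda invocations

def get_parameter(name, fetch, now=time.time):
    """Return an SSM parameter value, reusing a cached copy for up to 5 minutes."""
    cached = _CACHE.get(name)
    if cached and now() - cached[1] < CACHE_TTL_SECONDS:
        return cached[0]
    value = fetch(name)
    _CACHE[name] = (value, now())
    return value

def stage_wide_resource(method_arn):
    """Widen 'arn:...:api-id/stage/GET/path' to 'arn:...:api-id/stage/*': API Gateway caches
    the policy per token, so naming one method would 403 that token elsewhere for 5 min."""
    base, stage, _ = method_arn.split("/", 2)
    return f"{base}/{stage}/*"

def build_policy(principal_id, effect, resource, context=None):
    """Response shape API Gateway expects from a Lambda authorizer."""
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
    return {"principalId": principal_id, "context": context or {},
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}

def authorize(event, introspect, fetch_param):
    """TOKEN authorizer core: event carries 'authorizationToken' and 'methodArn'."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise Exception("Unauthorized")  # API Gateway maps this exact message to a 401
    admin_url = get_parameter("/app/hydra/admin_url", fetch_param)  # assumed parameter name
    info = introspect(admin_url, token)
    resource = stage_wide_resource(event["methodArn"])
    if not info.get("active"):
        return build_policy("anonymous", "Deny", resource)
    return build_policy(info["sub"], "Allow", resource, {"scope": info.get("scope", "")})

def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime; imported lazily so the module loads without it
    ssm = boto3.client("ssm")
    def fetch(name):
        return ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]
    def introspect(url, token):  # Hydra admin API: POST /oauth2/introspect with form-encoded token
        body = urllib.parse.urlencode({"token": token}).encode()
        return json.load(urllib.request.urlopen(url.rstrip("/") + "/oauth2/introspect", body))
    return authorize(event, introspect, fetch)
```

Because the returned policy is cached by API Gateway per token, the Deny branch also stays cached for the configured 5 minutes, so a revoked token is rejected promptly but a newly issued one is not affected.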