In this article, I will show how you can set up a protected API endpoint using AWS Lamda, API Gateway, and automate the deployment of the stack using AWS CloudFormation.
If you don’t have prior knowledge of the resources/components mentioned above, read the high-level description below.
AWS Lambda#
AWS Lambda lets you run code without provisioning or managing servers. With Lambda, you can run code for virtually any type of application or backend service — all with zero administration. Read more
Amazon API Gateway#
Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. APIs act as the “front door” for applications to access data, business logic, or functionality from your backend services. Read more
AWS CloudFormation#
AWS CloudFormation provides a common language for you to model and provision AWS and third-party application resources in your cloud environment. AWS CloudFormation allows you to use programming languages or a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts. Read more
In the example, I have a sample inline API service deployed as Lambda and then expose the endpoint from that via the API gateway. For protecting the APIs, I will be using a managed API Key provided by AWS. There are many ways to protect an API endpoint depending on different use cases; I am not going to cover those in this article.
CloudFormation Template#
Below is the template file, we will be using.
Let’s take a look at the important definitions.
Lambda function#
I am using an inline lambda function based on NodeJS. The function responds with `Hello World!` for the API invocation.
API Key#
As mentioned before, I am using an API Key to protect the API. Below code, block define an API key, Usage Plan, and Usage Plan Key. You can see that I am adding ApiKeyRequired: true as part of the AWS::ApiGateway::Method
API Gateway#
Defining the Gateway includes many resources, including API stage and Deployment.
In addition to this, you can also see a couple of IAM groups (AWS::IAM::Role) are defined on the template. One group is for the Gateway to access the Lambda function and another one for Cloud Watch log creation.
I also defined a few parameters; these are optional.
Create the Stack#
Now that you understand the resource definitions on the template file, we can proceed to create the stack. I am going to create the stack using `aws cli`. Refer this to setup your `aws cli`. You can also create the stack via AWS Console
Validate the template file#
aws cloudformation validate-template — template-body file://stack.yaml
Deploy the stack#
aws cloudformation deploy — stack-name lambda-api — template-file stack.yaml — capabilities CAPABILITY\_IAM
Once the stack is created, you will below in your console
Waiting for changeset to be created..
Waiting for stack create/update to complete
Successfully created/updated stack — lambda-api
List the APIs#
aws apigateway get-rest-apis
Get the API Id from above and construct your api url using the format https://{restapi_id}.execute-api.{region}.amazonaws.com/{stage_name}/
If you are unsure about the region, you can run aws configure get region
Get your API Key#
Execute below command and copy value
aws apigateway get-api-keys — include-value
Invoke the API#
curl -X GET \\
https:/{restapi\_id}.execute-api.{region}.amazonaws.com/v1/hello \\
-H ‘x-api-key: {your api key}’
For successful requests, you can see a response like below.
Hello World!
Conclusion#
You now have a protected API with a Lambda integration! As a next step, you can replace the inline Lambda function with a real-world Lambda code. You can upload your Lambda functions to the Amazon S3 bucket and use that in your template. Check the S3 example here . Good luck!