Amazon web services AWS API: specifying that an API key is required for a method?
I have the CloudFormation template below, which creates my API Gateway (backed by Lambda). I want to enable API keys as a requirement for one or more methods. I have successfully created the API key, the usage plan and the association between the two, but I can't figure out how to actually enable the "requires API Key" property for some of the methods. The AWS documentation specifies an "ApiKeyRequired" property as part of the AWS::ApiGateway::Method component, but my CF template doesn't have or use this component? I'm not sure how to use it, given that I've never needed it before.

My template is as follows:
"ServerlessRestApi": {
  "Type": "AWS::ApiGateway::RestApi",
  "Properties": {
    "Description": "This is a placeholder for the description of this web api",
    "ApiKeySourceType": "HEADER",
    "Body": {
      "info": {
        "version": "1.0",
        "title": {
          "Ref": "AWS::StackName"
        }
      },
      "paths": {
        "/list/tables": {
          "get": {
            "x-amazon-apigateway-integration": {
              "httpMethod": "POST",
              "type": "aws_proxy",
              "uri": {
                "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableList.Arn}/invocations"
              }
            },
            "security": [
              {
                "api_key": []
              }
            ],
            "responses": {}
          }
        },
        "/list/columns/{tableid}": {
          "get": {
            "x-amazon-apigateway-integration": {
              "httpMethod": "POST",
              "type": "aws_proxy",
              "uri": {
                "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetColumnList.Arn}/invocations"
              }
            },
            "responses": {}
          }
        },
        "datagw/general/table/get/{tableid}": {
          "get": {
            "x-amazon-apigateway-integration": {
              "httpMethod": "POST",
              "type": "aws_proxy",
              "uri": {
                "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableResponse.Arn}/invocations"
              }
            },
            "responses": {}
          }
        },
        "/": {
          "get": {
            "x-amazon-apigateway-integration": {
              "httpMethod": "POST",
              "type": "aws_proxy",
              "uri": {
                "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${Get.Arn}/invocations"
              }
            },
            "responses": {}
          }
        },
        "/tables/{tableid}/{columnid}": {
          "get": {
            "x-amazon-apigateway-integration": {
              "httpMethod": "POST",
              "type": "aws_proxy",
              "uri": {
                "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableBasic.Arn}/invocations"
              }
            },
            "responses": {}
          }
        },
        "securityDefinitions": {
          "type": "api_key",
          "name": "x-api-key",
          "in": "header"
        }
      },
      "swagger": "2.0"
    }
  }
},

I think adding security under each path, and then adding securityDefinitions under paths, should work:
"paths": {
  "/list/tables": {
    "get": {
      "x-amazon-apigateway-integration": {
        "httpMethod": "POST",
        "type": "aws_proxy",
        "uri": {
          "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableList.Arn}/invocations"
        }
      },
      "security": [
        {
          "api_key": []
        }
      ]
    }
  }
},
"securityDefinitions": {
  "type": "api_key",
  "name": "x-api-key",
  "in": "header"
}

I ran into the same problem and solved it by abandoning the use of the Body property in AWS::ApiGateway::RestApi, using:
"ServerlessRestApi": {
  "Type": "AWS::ApiGateway::RestApi",
  "DependsOn": "AspNetCoreFunction",
  "Properties": {
    "Description": "My Api Gateway",
    "ApiKeySourceType": "HEADER",
    "EndpointConfiguration": { "Types": [ "REGIONAL" ] }
  }
},
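Then I created a proxy resource. In this case, you would create one resource for each path. Where I have "{proxy+}", you would have "/list/tables".
Finally, I was able to define an AWS::ApiGateway::Method and then enforce the use of an API key: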
"CoreApiPostMethod": {
  "Type": "AWS::ApiGateway::Method",
  "DependsOn": ["AspNetCoreFunction", "ServerlessRestApi"],
  "Properties": {
    "AuthorizationType": "NONE",
    "OperationName": "My API Post Request",
    "ApiKeyRequired": true,
    "ResourceId": { "Ref": "ProxyResource" },
    "RestApiId": {
      "Ref": "ServerlessRestApi"
    },
    "HttpMethod": "POST",
    "Integration": {
      "ConnectionType": "INTERNET",
      "IntegrationHttpMethod": "POST",
      "Type": "AWS_PROXY",
      "Uri": {
        "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${AspNetCoreFunction.Arn}/invocations"
      }
    }
  }
},
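Then follow the same pattern for the other HTTP methods. It is more verbose than the original configuration, but it does give you more control over the method configuration.

Late to the party.
"x-amazon-apigateway-api-key-source" : "HEADER",
and
"securityDefinitions": {
  "<SOME_NAME>": {
    "type": "apiKey",
    "name": "x-api-key",
    "in": "header"
  }
}
and
"security" : [{
  "<SOME_NAME>" : []
}]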
So a workable solution could be:
"Body": {
  "swagger": "2.0",
  "info": {
    "version": "2017-01-27T21:44:58Z",
    "title": {"Ref": "AWS::StackName"}
  },
  "basePath": "/bbd",
  "x-amazon-apigateway-api-key-source": "HEADER",
  "schemes": [
    "https"
  ],
  "paths": {
    "/{proxy+}": {
      "x-amazon-apigateway-any-method": {
        "produces": [
          "application/json"
        ],
        "parameters": [
          {
            "name": "proxy",
            "in": "path",
            "required": true,
            "type": "string"
          }
        ],
        "security": [{
          "bbd": []
        }],
        "responses": {},
        "x-amazon-apigateway-integration": {
          "responses": {
            "default": {
              "statusCode": "200"
            }
          },
          "uri": "<URL>",
          "passthroughBehavior": "when_no_match",
          "httpMethod": "POST",
          "cacheNamespace": "xh7gp9",
          "cacheKeyParameters": [
            "method.request.path.proxy"
          ],
          "contentHandling": "CONVERT_TO_TEXT",
          "type": "aws_proxy"
        }
      }
    }
  },
  "securityDefinitions": {
    "bbd": {
      "type": "apiKey",
      "name": "x-api-key",
      "in": "header"
    }
  }
}
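
A pre-deployment lint for the difference between the templates in this thread, as an added example (not code from any of the posters): it walks a Swagger 2.0 body and lists the methods whose `security` entry does not name a top-level `securityDefinitions` scheme of the `apiKey` / `x-api-key` / `header` shape used in the workable solution above. The function names and both sample bodies are constructed for illustration, and only per-operation `security` is checked.

```python
# Added example: find methods in a Swagger 2.0 body that will not require an API key.
API_METHODS = {"get", "put", "post", "delete", "options", "head", "patch",
               "x-amazon-apigateway-any-method"}

# Constructed sample modelled on the question's template: the scheme is unnamed,
# typed "api_key", and nested under "paths" instead of sitting at the top level.
ASKER_STYLE = {"swagger": "2.0", "paths": {
    "/list/tables": {"get": {"security": [{"api_key": []}], "responses": {}}},
    "/list/columns/{tableid}": {"get": {"responses": {}}},
    "securityDefinitions": {"type": "api_key", "name": "x-api-key", "in": "header"}}}

# Constructed sample modelled on the workable solution: a named top-level scheme.
WORKING_STYLE = {"swagger": "2.0", "paths": {
    "/{proxy+}": {"x-amazon-apigateway-any-method": {"security": [{"bbd": []}], "responses": {}}}},
    "securityDefinitions": {"bbd": {"type": "apiKey", "name": "x-api-key", "in": "header"}}}


def api_key_schemes(body):
    """Names of top-level securityDefinitions describing an x-api-key header key."""
    defs = body.get("securityDefinitions", {})
    return {
        name for name, d in defs.items()
        if isinstance(d, dict)
        and d.get("type") == "apiKey"
        and d.get("in") == "header"
        and d.get("name") == "x-api-key"
    }


def methods_without_api_key(body):
    """Sorted (path, method) pairs whose security list names no valid apiKey scheme."""
    schemes = api_key_schemes(body)
    missing = []
    for path, item in body.get("paths", {}).items():
        if not isinstance(item, dict):
            continue
        for method, op in item.items():
            # Skip non-operation keys such as a misplaced "securityDefinitions".
            if method.lower() not in API_METHODS or not isinstance(op, dict):
                continue
            reqs = op.get("security", [])
            if not any(set(r) & schemes for r in reqs if isinstance(r, dict)):
                missing.append((path, method))
    return sorted(missing)


if __name__ == "__main__":
    print("question-style body:", methods_without_api_key(ASKER_STYLE))
    print("working-style body: ", methods_without_api_key(WORKING_STYLE))
```

Running the same check in CI against the `Body` of each `AWS::ApiGateway::RestApi` resource catches a method that was meant to be key-protected before it is deployed open.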
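
Adding the security element in the body and the myKey element in securityDefinitions worked for me.

Complete guide. This guide provides the basic setup for enabling API keys for any API Gateway method.
Used for defining the API. It supports a property named ApiKeyRequired. Set this to true.
Below is a code snippet from the guide above: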
AuthApiGateway:
  Type: AWS::Serverless::Api
  Properties:
    StageName: Prod
    Auth:
      ApiKeyRequired: 'true' # This makes passing ApiKey mandatory
    DefinitionBody:
      swagger: '2.0'
      info: ...
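
Thanks Athar - do I need to specify the key Id in the security > api_key value? (In the example you show it as empty brackets.)
This is the syntax for defining security scopes in Swagger. So it should just be an empty array. See step 2, "Apply security".
Thanks, I will check it today, and if it works I will mark the question as answered.
Thanks Athar, I really appreciate you taking the time on this. Unfortunately, this doesn't seem to work. The method is linked to the usage plan, but it says the method does not require an API key. I will update my post with my new template.
I have tried that solution and found that it does not force the method to require an API key. Although the Swagger documentation says the required security is set, it does not affect the setting when deployed via CloudFormation.
I will give it a try, it looks like the solution that fits me best (although it will be very verbose for all the paths I have :P)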

"security" : [{
  "myKey" : []
}],
"myKey": {
  "type": "apiKey",
  "name": "x-api-key",
  "in": "header"
},