(If you need to protect an API using IAM, read this complementary post first)

After protecting an API using IAM, the next logical step would be to invoke it.

First, obtain the two critical pieces of information, the access key and the secret key, from the person who set up the authentication. It is impossible to proceed any further without them.

Next, the bulk of the effort is in signing our HTTP request with the provided access key and secret key. Please follow the complete AWS guide.

While following the guide, I found it especially useful to constantly compare my intermediate results against the request headers Postman generates when it signs the same request with the same keys.

For instance, I often checked my output against Postman's generated Authorization header; a correct implementation yields the same single-line value:

AWS4-HMAC-SHA256 Credential=AKIAZHJFEC43EZ7TNU76/20210329/<region>/execute-api/aws4_request, SignedHeaders=dummy1;host;x-amz-content-sha256;x-amz-date, Signature=gf65c7400f825e77f752457b6158249a889bcb15c212ad47d5bf97bfb1431002

Summary of Signing Steps

Task 1: Create a canonical request for Signature Version 4

Arrange the contents of your request (host, action, headers, etc.) into a standard (canonical) format. The canonical request is one of the inputs used to create a string to sign.

Task 2: Create a string to sign for Signature Version 4

Create a string to sign with the canonical request and extra information such as the algorithm, request date, credential scope, and the digest (hash) of the canonical request.

Task 3: Calculate the signature for AWS Signature Version 4

Derive a signing key by performing a succession of keyed hash operations (HMAC operations) on the request date, Region, and service, with your AWS secret access key as the key for the initial hashing operation. After you derive the signing key, you then calculate the signature by performing a keyed hash operation on the string to sign. Use the derived signing key as the hash key for this operation.

Task 4: Add the signature to the HTTP request

After you calculate the signature, add it to an HTTP header or to the query string of the request.
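The four tasks above, carried through end to end for an API Gateway (execute-api) request, as an added example that is not part of the original post or of the AWS guide. The host name, stage path, query string, the custom header dummy1 and the access/secret key strings are constructed placeholders; the function returns the canonical request and string to sign alongside the headers so each intermediate can be compared against Postman's values.

```python
import hashlib
import hmac
from urllib.parse import quote

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def canonical_request(method, path, query, headers, payload):
    """Task 1: method, encoded path, sorted query, sorted lowercase headers, signed list, payload hash."""
    cquery = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                      for k, v in sorted(query.items()))
    lowered = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}  # trim/collapse
    names = sorted(lowered)
    cheaders = "".join(f"{n}:{lowered[n]}\n" for n in names)
    signed = ";".join(names)
    cpath = quote(path, safe="/-_.~") or "/"
    return "\n".join([method.upper(), cpath, cquery, cheaders, signed, sha256_hex(payload)]), signed

def string_to_sign(amz_date, scope, creq):
    """Task 2: algorithm, request timestamp, credential scope, hash of the canonical request."""
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(creq.encode("utf-8"))])

def signing_key(secret_key, date_stamp, region, service):
    """Task 3a: HMAC chain seeded with 'AWS4' + secret; the raw secret never signs a request."""
    key = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    key = hmac_sha256(key, region)
    key = hmac_sha256(key, service)
    return hmac_sha256(key, "aws4_request")

def sign_request(access_key, secret_key, region, service, method, host, path,
                 query, amz_date, payload=b"", extra_headers=None):
    """Tasks 1-4: returns the headers to send plus the two intermediates for debugging."""
    headers = {"host": host, "x-amz-date": amz_date, "x-amz-content-sha256": sha256_hex(payload)}
    headers.update(extra_headers or {})
    creq, signed = canonical_request(method, path, query, headers, payload)
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    sts = string_to_sign(amz_date, scope, creq)
    key = signing_key(secret_key, amz_date[:8], region, service)
    sig = hmac.new(key, sts.encode("utf-8"), hashlib.sha256).hexdigest()  # Task 3b
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")  # Task 4
    return headers, creq, sts
if __name__ == "__main__":  # constructed placeholder inputs, not real credentials or endpoints
    hdrs, creq, sts = sign_request("AKIA_PLACEHOLDER", "SECRET_PLACEHOLDER", "us-east-1", "execute-api",
                                   "GET", "abc123.execute-api.us-east-1.amazonaws.com", "/prod/items",
                                   {"limit": "10"}, "20210329T120000Z", extra_headers={"dummy1": "value"})
    print(creq, sts, hdrs["Authorization"], sep="\n---\n")
```

Send every header listed in SignedHeaders exactly as it was canonicalised; if the gateway rewrites or drops one of them, the signature it recomputes will not match and the call returns 403.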
