Configuring REST API Gateway Authorization by IAM
Describe the bug
I am trying to implement authorization to a REST endpoint through API Gateway that invokes backend resources. I use Amplify as a frontend framework to hit the API Gateway endpoints, and I have 2 related questions on how to implement authorization.
I know that some of the ways to implement authorization for API Gateway are
- IAM
- Cognito User Pools
- API Keys
In my frontend app, I do not use Cognito User Pools to authenticate users, so I would like to implement authorization by IAM or API Keys.
My first question is, how exactly should that happen when configuring Amplify.
Using this documentation: https://docs.amplify.aws/lib/restapi/authz/q/platform/js The docs provide a configuration step using

Amplify.configure({
  API: { ...details... }
})
But when deploying through the Amplify CLI, it generates an aws-exports.js file, and the default setup is to

import config from 'aws-exports'
Amplify.configure(config)
How can we add details to the config that’s already imported from the automatically generated aws-exports.js file? They also seem to be in slightly different formats, so not sure how to add additional details.
In the GraphQL section of the API config documentation, there are ways to specify authorization modes. But in the REST API section, there is no way to specify authorization modes. It just gives a cryptic `return { Authorization : 'token' }` line in the example below that doesn't specify what that token is, or whether it is for IAM.
My second question is, if I want to use an API Key or IAM to authorize to API Gateway, how do I pass these details to Amplify so I don’t have to pass the same thing hundreds of times throughout the app each time I want to call an API?
I feel like there must be a way to pass the credentials once, and then every time the Amplify library makes an api call, it passes the configured credentials with it. Looking at the amplify docs, this is the closest example that I see, and I can’t seem to find any other examples on the internet.
import { Amplify, Auth } from 'aws-amplify';

Amplify.configure({
  API: {
    endpoints: [
      {
        name: "sampleCloudApi",
        endpoint: "https://xyz.execute-api.us-east-1.amazonaws.com/Development",
        // Called before every request to this endpoint; the returned object is
        // merged into the request headers.
        custom_header: async () => {
          return { Authorization : 'token' }
          // Alternatively, with Cognito User Pools use this:
          // return { Authorization: `Bearer ${(await Auth.currentSession()).getAccessToken().getJwtToken()}` }
          // return { Authorization: `Bearer ${(await Auth.currentSession()).getIdToken().getJwtToken()}` }
        }
      }
    ]
  }
});
But this raises the earlier issue of configuring through the automatically generated aws-exports.js file and then adding more / duplicating the configurations…?
And even in this example, I can't tell where `return { Authorization : 'token' }` is getting the 'token' from - am I supposed to import that or retrieve it from somewhere? The other options they provide using Auth methods seem to be using the Cognito User Pools and not IAM... but this is irrelevant since I don't use Cognito User Pools to authenticate my users. I don't need to restrict API usage to only certain users within the app, I only want to restrict API usage to the app itself.
Bottom line - I can set up the API Gateway correctly so it requires IAM or an API key to be accessed. Amplify just doesn't seem to provide a clear way to efficiently pass those credentials to the library when it's being configured - the only solution I currently see is to hardcode an API key in the headers of every API call I make in the app, which I'm sure is not the best way to go about this.
Any help in clarifying this would be appreciated!
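One way to do what the question asks, as an added example that is not code from the issue, the Amplify docs or the Amplify library: a small JavaScript module that takes the object imported from aws-exports.js, attaches a `custom_header` provider to each REST endpoint once, and returns the merged object for a single `Amplify.configure()` call. The aws-exports field names (`aws_project_region`, `aws_cognito_identity_pool_id`, `aws_cloud_logic_custom`) are the ones the CLI emits; the endpoint values, the second `metricsApi` API and `METRICS_API_KEY` are placeholders invented for this example. The IAM path assumes the project has the Amplify Auth category with a Cognito Identity Pool, and that the pool's unauthenticated IAM role is allowed `execute-api:Invoke` on the API.

```javascript
// Added example, not code from the issue or from the Amplify project. It merges the
// CLI-generated aws-exports object with one auth mode per REST endpoint so that a
// single Amplify.configure() call covers every API.get/post in the app.

// Constructed stand-in for the generated aws-exports.js. Field names are the ones the
// Amplify CLI writes; every value here is a placeholder.
const awsExports = {
  aws_project_region: 'us-east-1',
  aws_cognito_region: 'us-east-1',
  aws_cognito_identity_pool_id: 'us-east-1:00000000-0000-0000-0000-000000000000',
  aws_cloud_logic_custom: [
    {
      name: 'sampleCloudApi',
      endpoint: 'https://xyz.execute-api.us-east-1.amazonaws.com/Development',
      region: 'us-east-1',
    },
    {
      name: 'metricsApi', // hypothetical second API, to show a second auth mode
      endpoint: 'https://abc.execute-api.us-east-1.amazonaws.com/Development',
      region: 'us-east-1',
    },
  ],
};

// Auth mode per API name, decided once for the whole app.
//   iam    -> send no Authorization header. Amplify then SigV4-signs each request with
//             the Cognito Identity Pool credentials it holds through Auth, which is
//             what an API Gateway method with authorization type AWS_IAM expects.
//   apikey -> send x-api-key, which API Gateway checks against a usage plan. Anything
//             shipped in a browser bundle is public, so this is metering, not auth.
const METRICS_API_KEY = 'constructed-placeholder-key'; // hypothetical; inject at build time
const authModes = {
  sampleCloudApi: { mode: 'iam' },
  metricsApi: { mode: 'apikey', apiKey: METRICS_API_KEY },
};

// Build the custom_header callback that Amplify awaits before each request.
function headerProviderFor(auth) {
  switch (auth.mode) {
    case 'iam':
      // No Authorization header, so Amplify stays on its request-signing path.
      return async () => ({});
    case 'apikey':
      if (!auth.apiKey) {
        throw new Error('apikey mode requires apiKey');
      }
      return async () => ({ 'x-api-key': auth.apiKey });
    default:
      throw new Error(`unknown auth mode: ${auth.mode}`);
  }
}

// Return a new config: aws-exports unchanged, plus a custom_header on every endpoint.
// The endpoints stay inside aws_cloud_logic_custom instead of being duplicated into a
// separate API.endpoints list, so Amplify sees exactly one list of endpoints.
function withEndpointAuth(exportsConfig, modes) {
  const endpoints = (exportsConfig.aws_cloud_logic_custom || []).map((ep) => {
    const auth = modes[ep.name];
    if (!auth) {
      // Fail closed: an endpoint with no decided auth mode is a configuration bug.
      throw new Error(`no auth mode configured for API "${ep.name}"`);
    }
    return { ...ep, custom_header: headerProviderFor(auth) };
  });
  return { ...exportsConfig, aws_cloud_logic_custom: endpoints };
}

const amplifyConfig = withEndpointAuth(awsExports, authModes);

// In the app this replaces the default Amplify.configure(config):
//   Amplify.configure(amplifyConfig);
// After that, API.get('sampleCloudApi', '/items', {}) is SigV4-signed and
// API.get('metricsApi', '/summary', {}) carries x-api-key, with no per-call headers.
```

Two caveats for the "restrict the API to the app itself" goal. An API key that ships in a browser bundle can be read by anyone who loads the page, so API Gateway API keys serve usage plans and throttling, not authentication. Unauthenticated identity pool credentials can likewise be obtained by anyone who knows the pool ID, so the AWS_IAM route gives per-caller throttling and CloudTrail attribution without confining the API to your frontend either. What the pattern above does buy is that the key or the credential lookup lives in one place, the `custom_header` callback, instead of being repeated in every call.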
Created 3 years ago; 6 comments.
Top GitHub Comments
@kevwang19 I am also facing a similar challenge.
In my case, I am using Auth.signIn to get the tokens (I believe the IAM tokens are retrieved as well). However, I have no idea how to get Amplify to pass the IAM credentials to API Gateway.
I have set my API Gateway endpoint with the AWS_IAM authorizer and I am not able to get past authorization successfully.
Any advice?
I'm also having the same issue, and the documentation is not clear.