Secure API Gateway Authentication with Keycloak for Model Services

How do I secure API Gateway authentication with Keycloak for model services?

To ensure your API Gateway is secured, you can integrate Keycloak as an identity provider for authentication. This guide shows you how to create an AWS API Gateway with Keycloak as the authentication provider for your model services. Here’s what we’ll cover:

  1. Setting up AWS API Gateway.
  2. Configuring Keycloak and integrating it with API Gateway.
  3. Defining necessary IAM roles and policies to manage access.
  4. Exporting required outputs for verification.

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an API Gateway REST API
const example = new aws.apigateway.RestApi("example", {
    name: "example-api",
    description: "API for model services with Keycloak authentication",
});

// Resource representing the API endpoint (/models)
const exampleResource = new aws.apigateway.Resource("example_resource", {
    restApi: example.id,
    parentId: example.rootResourceId,
    pathPart: "models",
});

// Cognito User Pool. A COGNITO_USER_POOLS authorizer trusts only tokens issued
// by this pool, so Keycloak is federated into it below; tokens minted directly
// by Keycloak would be rejected at the gateway.
const exampleUserPool = new aws.cognito.UserPool("example", {name: "example-user-pool"});

// Federate Keycloak into the user pool as an OIDC identity provider. The realm
// issuer URL, client id and client secret are read from Pulumi config
// (placeholder keys; set them for your Keycloak deployment).
const cfg = new pulumi.Config();
const keycloakProvider = new aws.cognito.IdentityProvider("keycloak", {
    userPoolId: exampleUserPool.id,
    providerName: "Keycloak",
    providerType: "OIDC",
    providerDetails: {
        oidc_issuer: cfg.require("keycloakIssuer"),
        client_id: cfg.require("keycloakClientId"),
        client_secret: cfg.requireSecret("keycloakClientSecret"),
        authorize_scopes: "openid email profile",
        attributes_request_method: "GET",
    },
    attributeMapping: {
        email: "email",
        username: "sub",
    },
});

// App client through which users sign in via Keycloak and receive pool tokens
// (add allowedOauthFlows, callbackUrls and a UserPoolDomain for the hosted sign-in page)
const exampleClient = new aws.cognito.UserPoolClient("example_client", {
    name: "example-app-client",
    userPoolId: exampleUserPool.id,
    supportedIdentityProviders: ["Keycloak"],
}, {
    dependsOn: [keycloakProvider],
});

// Authorizer that validates pool-issued JWTs taken from the Authorization header
const exampleAuthorizer = new aws.apigateway.Authorizer("example", {
    restApi: example.id,
    name: "keycloak-authorizer",
    type: "COGNITO_USER_POOLS",
    identitySource: "method.request.header.Authorization",
    providerArns: [exampleUserPool.arn],
});

// GET /models; requests without a valid token are rejected before reaching the backend
const exampleMethod = new aws.apigateway.Method("example_method", {
    restApi: example.id,
    resourceId: exampleResource.id,
    httpMethod: "GET",
    authorization: "COGNITO_USER_POOLS",
    authorizerId: exampleAuthorizer.id,
});

// Every method needs an integration before the API can be deployed. MOCK is a
// placeholder; replace it with an HTTP_PROXY or AWS_PROXY integration that
// targets the actual model service.
const exampleIntegration = new aws.apigateway.Integration("example_integration", {
    restApi: example.id,
    resourceId: exampleResource.id,
    httpMethod: exampleMethod.httpMethod,
    type: "MOCK",
});

// Role API Gateway can assume. A Cognito authorizer needs no role; this is only
// used if a Lambda authorizer or an AWS-service integration is added later.
const apiGatewayRole = new aws.iam.Role("api_gateway_role", {
    name: "ApiGatewayRole",
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: {
                Service: "apigateway.amazonaws.com",
            },
            Action: "sts:AssumeRole",
        }],
    }),
});

// Invoke permission scoped to this API's execution ARN rather than "*"
const apiGatewayPolicy = new aws.iam.RolePolicy("api_gateway_policy", {
    role: apiGatewayRole.id,
    policy: example.executionArn.apply(arn => JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: "execute-api:Invoke",
            Resource: `${arn}/*`,
        }],
    })),
});

// Deploy the API to a "prod" stage once the method and integration exist
const exampleDeployment = new aws.apigateway.Deployment("example", {
    restApi: example.id,
}, {
    dependsOn: [exampleMethod, exampleIntegration],
});
const exampleStage = new aws.apigateway.Stage("example_stage", {
    restApi: example.id,
    deployment: exampleDeployment.id,
    stageName: "prod",
});

export const apiUrl = exampleStage.invokeUrl;
export const userPoolArn = exampleUserPool.arn;
export const appClientId = exampleClient.id;
```

In this setup, we configure an AWS API Gateway with a “models” resource and a GET method whose callers must present a token issued by the Cognito user pool. Keycloak is federated into that pool as an OIDC identity provider, so users authenticate against Keycloak while the gateway's COGNITO_USER_POOLS authorizer validates the pool-issued token on every request. The necessary IAM roles and policies are defined to manage and secure access. Finally, we deploy the API and output the invoke URL along with the User Pool ARN for verification purposes.

In summary, the code demonstrates setting up an API Gateway secured with Keycloak authentication through Cognito, including necessary IAM roles and deployment.
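To make the trust boundary concrete, here is an added TypeScript example (not part of the original answer and not Pulumi's or AWS's code) that re-implements the checks a COGNITO_USER_POOLS authorizer applies to a bearer token: RS256 signature against the pool's key, then issuer, token_use, audience/client and expiry. Two in-process RSA key pairs stand in for the pool's JWKS and for a stand-alone Keycloak realm; the issuer URL, app client id and Keycloak realm URL are constructed placeholders.

```typescript
import { createSign, createVerify, generateKeyPairSync, KeyObject } from "crypto";

// Constructed placeholders for the user pool's issuer URL and app client id;
// a real pool's issuer is https://cognito-idp.<region>.amazonaws.com/<pool id>.
const POOL_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE";
const APP_CLIENT_ID = "example-app-client-id";

interface Claims {
    iss: string;
    token_use: "id" | "access";
    exp: number;          // seconds since the epoch
    aud?: string;         // id tokens carry the app client id here
    client_id?: string;   // access tokens carry it here instead
}

function b64url(s: string): string {
    return Buffer.from(s, "utf8").toString("base64url");
}

// Mint an RS256 JWT; stands in for the token endpoint of Cognito or Keycloak.
function signJwt(claims: Claims, privateKey: KeyObject): string {
    const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
    const payload = b64url(JSON.stringify(claims));
    const signer = createSign("RSA-SHA256");
    signer.update(`${header}.${payload}`);
    return `${header}.${payload}.${signer.sign(privateKey).toString("base64url")}`;
}

// The checks a COGNITO_USER_POOLS authorizer applies: signature against the
// pool's key (fetched from its JWKS in production), then issuer, token_use,
// audience/client and expiry. Returns "ok" or the first failing check.
function verifyForPool(token: string, poolPublicKey: KeyObject, nowMs = Date.now()): string {
    const parts = token.split(".");
    if (parts.length !== 3) return "malformed";
    const [header, payload, signature] = parts;
    const hdr = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
    if (hdr.alg !== "RS256") return "bad-alg"; // refuse alg=none and HMAC downgrades
    const verifier = createVerify("RSA-SHA256");
    verifier.update(`${header}.${payload}`);
    if (!verifier.verify(poolPublicKey, Buffer.from(signature, "base64url"))) return "bad-signature";
    const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) as Claims;
    if (claims.iss !== POOL_ISSUER) return "wrong-issuer";
    if (claims.token_use !== "id" && claims.token_use !== "access") return "bad-token-use";
    const client = claims.token_use === "id" ? claims.aud : claims.client_id;
    if (client !== APP_CLIENT_ID) return "wrong-client";
    if (typeof claims.exp !== "number" || claims.exp * 1000 <= nowMs) return "expired";
    return "ok";
}

// Exercise the verifier with constructed tokens from two in-process key pairs:
// one playing the Cognito user pool, one playing a stand-alone Keycloak realm.
function demo(): Record<string, string> {
    const pool = generateKeyPairSync("rsa", { modulusLength: 2048 });
    const keycloak = generateKeyPairSync("rsa", { modulusLength: 2048 });
    const nowSec = Math.floor(Date.now() / 1000);

    const poolIdToken = signJwt(
        { iss: POOL_ISSUER, token_use: "id", exp: nowSec + 3600, aud: APP_CLIENT_ID }, pool.privateKey);
    // Issued by Keycloak directly, without federation through the pool
    const keycloakDirect = signJwt(
        { iss: "https://keycloak.example.invalid/realms/models", token_use: "id",
          exp: nowSec + 3600, aud: APP_CLIENT_ID }, keycloak.privateKey);
    const expired = signJwt(
        { iss: POOL_ISSUER, token_use: "access", exp: nowSec - 60, client_id: APP_CLIENT_ID }, pool.privateKey);
    // Valid pool token with one bit of its signature flipped
    const [h, p, s] = poolIdToken.split(".");
    const sig = Buffer.from(s, "base64url");
    sig[sig.length - 1] ^= 0x01;
    const tampered = `${h}.${p}.${sig.toString("base64url")}`;

    return {
        poolIdToken: verifyForPool(poolIdToken, pool.publicKey),
        keycloakDirect: verifyForPool(keycloakDirect, pool.publicKey),
        expired: verifyForPool(expired, pool.publicKey),
        tampered: verifyForPool(tampered, pool.publicKey),
    };
}

console.log(demo());
```

The token minted directly by Keycloak fails at the signature step: the authorizer holds only the pool's keys, so it never even reaches the issuer comparison. That is why federating Keycloak into the pool is what makes the integration work; clients must obtain their token from Cognito after signing in through Keycloak, and the gateway rejects expired or tampered tokens the same way, with a 401 before the request reaches the model service.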
