
How do I set up OIDC to secure AWS API Gateway endpoints?

In this guide, we will set up OpenID Connect (OIDC) to secure AWS API Gateway endpoints using Pulumi. We will create an OIDC provider, configure an API Gateway, and set up a custom authorizer to validate tokens issued by an OIDC identity provider.

Key Points

  1. Define an OIDC provider in AWS IAM.
  2. Create an API Gateway REST API.
  3. Set up a custom authorizer to validate OIDC tokens.
  4. Secure API endpoints using the custom authorizer.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const config = new pulumi.Config();
// ARN of the Lambda function that validates the OIDC token and returns an IAM
// policy (placeholder: set it with `pulumi config set authorizerLambdaArn <arn>`).
const authorizerLambdaArn = config.require("authorizerLambdaArn");

// Register the OIDC issuer with IAM. This lets STS trust the issuer for role
// federation (AssumeRoleWithWebIdentity); API Gateway never consults it, the
// token is validated by the authorizer Lambda. The thumbprint is a placeholder
// and must be replaced with the SHA-1 fingerprint of the issuer's TLS
// certificate chain.
const oidcProvider = new aws.iam.OpenIdConnectProvider("oidcProvider", {
    url: "https://example-oidc.com",
    clientIdLists: ["sts.amazonaws.com"],
    thumbprintLists: ["9e99a48a9960d2c8f0a5a1f8f1b1e1e1e1e1e1e1"],
});

// Create an API Gateway REST API
const api = new aws.apigateway.RestApi("api", {
    name: "my-api",
});

// Create a resource for the API
const resource = new aws.apigateway.Resource("resource", {
    restApi: api.id,
    parentId: api.rootResourceId,
    pathPart: "myresource",
});

// Create a custom (Lambda) TOKEN authorizer. authorizerUri must point at the
// Lambda function ARN, not at the IAM OIDC provider ARN.
const authorizer = new aws.apigateway.Authorizer("authorizer", {
    restApi: api.id,
    name: "oidc-authorizer",
    type: "TOKEN",
    authorizerUri: pulumi.interpolate`arn:aws:apigateway:${aws.config.region}:lambda:path/2015-03-31/functions/${authorizerLambdaArn}/invocations`,
    identitySource: "method.request.header.Authorization",
    // Decisions are cached per token for this long; a revoked token stays
    // accepted until the cache entry expires.
    authorizerResultTtlInSeconds: 300,
});

// Allow API Gateway to invoke the authorizer Lambda
const authorizerPermission = new aws.lambda.Permission("authorizerPermission", {
    action: "lambda:InvokeFunction",
    function: authorizerLambdaArn,
    principal: "apigateway.amazonaws.com",
    sourceArn: pulumi.interpolate`${api.executionArn}/authorizers/${authorizer.id}`,
});

// Create a method for the resource, protected by the authorizer
const method = new aws.apigateway.Method("method", {
    restApi: api.id,
    resourceId: resource.id,
    httpMethod: "GET",
    authorization: "CUSTOM",
    authorizerId: authorizer.id,
});

// A method needs an integration before the API can be deployed. A MOCK
// integration stands in here for the real backend.
const integration = new aws.apigateway.Integration("integration", {
    restApi: api.id,
    resourceId: resource.id,
    httpMethod: method.httpMethod,
    type: "MOCK",
    requestTemplates: { "application/json": `{"statusCode": 200}` },
});

// Deploy the API; the deployment must be created after the method and its integration
const deployment = new aws.apigateway.Deployment("deployment", {
    restApi: api.id,
}, { dependsOn: [method, integration] });

const stage = new aws.apigateway.Stage("stage", {
    restApi: api.id,
    deployment: deployment.id,
    stageName: "prod",
});

// Export the URL of the protected endpoint
export const apiUrl = pulumi.interpolate`${stage.invokeUrl}/${resource.pathPart}`;
```

Summary

In this tutorial, we set up an OIDC provider, created an API Gateway REST API, configured a custom authorizer to validate OIDC tokens, and secured the API endpoints using the custom authorizer. This ensures that only authenticated requests with valid OIDC tokens can access your API endpoints.
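The Pulumi program wires the authorizer into API Gateway but says nothing about what the Lambda behind `authorizerUri` has to do, and that is where the security actually lives. The following is an added example, not code from the page or from Pulumi, of a TOKEN authorizer's validation logic in TypeScript using only Node's `crypto` module. It assumes hypothetical issuer and audience values (`EXPECTED_ISSUER`, `EXPECTED_AUDIENCE`), takes the issuer's JWKS as a parameter so it runs offline (in production it is fetched from the `jwks_uri` advertised at the issuer's `/.well-known/openid-configuration` and cached across invocations), and builds its test tokens from a constructed throwaway key pair.

```typescript
import * as crypto from "node:crypto";

// Assumed values: the issuer must equal the `url` of the IAM OIDC provider and
// the audience is the client id the IdP mints tokens for (both hypothetical).
export const EXPECTED_ISSUER = "https://example-oidc.com";
export const EXPECTED_AUDIENCE = "my-api";

interface Jwk { kid?: string; kty?: string; n?: string; e?: string; alg?: string; }
interface Jwks { keys: Jwk[]; }
type Claims = Record<string, unknown>;

const enc = (s: string): string => Buffer.from(s, "utf8").toString("base64url");
const dec = (s: string): Buffer => Buffer.from(s, "base64url");

// Verify a compact RS256 JWT against the issuer's JWKS and check the claims an
// API must care about: signature, issuer, audience, expiry and not-before.
export function verifyJwt(token: string, jwks: Jwks, now: number): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(dec(h).toString("utf8"));
  // Pin the algorithm instead of trusting header.alg; this rejects alg=none
  // and RSA/HMAC key-confusion tokens before any key is touched.
  if (header.alg !== "RS256") throw new Error(`unsupported alg ${header.alg}`);
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === "RSA");
  if (!jwk) throw new Error("unknown kid");
  const key = crypto.createPublicKey({ key: jwk as crypto.JsonWebKey, format: "jwk" });
  if (!crypto.verify("sha256", Buffer.from(`${h}.${p}`), key, dec(s))) {
    throw new Error("bad signature");
  }
  const claims: Claims = JSON.parse(dec(p).toString("utf8"));
  if (claims.iss !== EXPECTED_ISSUER) throw new Error("wrong issuer");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(EXPECTED_AUDIENCE)) throw new Error("wrong audience");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  if (typeof claims.nbf === "number" && claims.nbf > now) throw new Error("not yet valid");
  return claims;
}

// The response shape a TOKEN authorizer returns: a principal plus an IAM policy
// that allows or denies execute-api:Invoke on the requested method ARN.
export function buildPolicy(principalId: string, effect: "Allow" | "Deny", methodArn: string) {
  return {
    principalId,
    policyDocument: {
      Version: "2012-10-17",
      Statement: [{ Action: "execute-api:Invoke", Effect: effect, Resource: methodArn }],
    },
  };
}

// Authorizer entry point. API Gateway invokes it with { type, authorizationToken,
// methodArn }; the JWKS and clock are injected here so the example is testable.
export function handler(event: { authorizationToken?: string; methodArn: string }, jwks: Jwks, now: number) {
  const m = /^Bearer\s+(\S+)$/i.exec(event.authorizationToken ?? "");
  if (!m) throw new Error("Unauthorized"); // API Gateway maps this exact message to a 401
  try {
    const claims = verifyJwt(m[1], jwks, now);
    return buildPolicy(String(claims.sub), "Allow", event.methodArn);
  } catch {
    return buildPolicy("anonymous", "Deny", event.methodArn); // present but invalid token: 403
  }
}

// Constructed fixture: a throwaway issuer key pair and tokens signed with it.
export function makeFixture(now: number) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const jwk = publicKey.export({ format: "jwk" }) as Jwk;
  const jwks: Jwks = { keys: [{ ...jwk, kid: "issuer-key-1", alg: "RS256" }] };
  const sign = (claims: Claims): string => {
    const h = enc(JSON.stringify({ alg: "RS256", typ: "JWT", kid: "issuer-key-1" }));
    const p = enc(JSON.stringify(claims));
    return `${h}.${p}.${crypto.sign("sha256", Buffer.from(`${h}.${p}`), privateKey).toString("base64url")}`;
  };
  const base = { iss: EXPECTED_ISSUER, aud: EXPECTED_AUDIENCE, sub: "user-42", iat: now };
  return {
    jwks,
    good: sign({ ...base, exp: now + 300 }),
    expired: sign({ ...base, exp: now - 1 }),
    wrongAud: sign({ ...base, aud: "other-api", exp: now + 300 }),
  };
}
```

Two behaviours are worth keeping in mind when deploying this. A missing or non-Bearer header throws `Unauthorized`, which API Gateway turns into a 401, while a present but invalid token returns a Deny policy and yields a 403; both are cached by the authorizer for `authorizerResultTtlInSeconds`, keyed on the token string, so a stolen or revoked token keeps its last decision until the cache entry expires. The audience check is what stops a token minted for some other relying party at the same issuer from being replayed against this API.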
