How do I set up OIDC to secure AWS API Gateway endpoints?
In this guide, we will set up OpenID Connect (OIDC) to secure AWS API Gateway endpoints using Pulumi. We will create an OIDC provider, configure an API Gateway, and set up a custom authorizer to validate tokens issued by an OIDC identity provider.
Key Points
- Define an OIDC provider in AWS IAM.
- Create an API Gateway REST API.
- Set up a custom authorizer to validate OIDC tokens.
- Secure API endpoints using the custom authorizer.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const config = new pulumi.Config();
// ARN of the Lambda function that validates the OIDC tokens. It is assumed to exist already
// (set it with `pulumi config set authorizerLambdaArn arn:aws:lambda:...`). Note that the IAM
// OIDC provider below only registers the identity provider with IAM; it is not a function and
// cannot be used as the authorizer's invocation target.
const authorizerLambdaArn = config.require("authorizerLambdaArn");

// Create an OIDC provider
const oidcProvider = new aws.iam.OpenIdConnectProvider("oidcProvider", {
    url: "https://example-oidc.com",
    clientIdLists: ["sts.amazonaws.com"],
    thumbprintLists: ["9e99a48a9960d2c8f0a5a1f8f1b1e1e1e1e1e1e1"],
});

// Create an API Gateway REST API
const api = new aws.apigateway.RestApi("api", {
    name: "my-api",
});

// Create a resource for the API
const resource = new aws.apigateway.Resource("resource", {
    restApi: api.id,
    parentId: api.rootResourceId,
    pathPart: "myresource",
});

// Create a custom (Lambda) TOKEN authorizer that receives the Authorization header
const authorizer = new aws.apigateway.Authorizer("authorizer", {
    restApi: api.id,
    name: "oidc-authorizer",
    type: "TOKEN",
    authorizerUri: pulumi.interpolate`arn:aws:apigateway:${aws.config.region}:lambda:path/2015-03-31/functions/${authorizerLambdaArn}/invocations`,
    identitySource: "method.request.header.Authorization",
});

// Allow API Gateway to invoke the authorizer function
const authorizerPermission = new aws.lambda.Permission("authorizerPermission", {
    action: "lambda:InvokeFunction",
    function: authorizerLambdaArn,
    principal: "apigateway.amazonaws.com",
    sourceArn: pulumi.interpolate`${api.executionArn}/authorizers/${authorizer.id}`,
});

// Create a method for the resource, protected by the custom authorizer
const method = new aws.apigateway.Method("method", {
    restApi: api.id,
    resourceId: resource.id,
    httpMethod: "GET",
    authorization: "CUSTOM",
    authorizerId: authorizer.id,
});

// A method must have an integration before the API can be deployed; MOCK stands in for the real backend
const integration = new aws.apigateway.Integration("integration", {
    restApi: api.id,
    resourceId: resource.id,
    httpMethod: method.httpMethod,
    type: "MOCK",
    requestTemplates: { "application/json": '{"statusCode": 200}' },
});

// Deploy the API, explicitly after the method and integration exist
const deployment = new aws.apigateway.Deployment("deployment", {
    restApi: api.id,
    stageName: "prod",
}, { dependsOn: [method, integration] });

// Export the URL of the API (invokeUrl has no trailing slash, so add one before the path)
export const apiUrl = pulumi.interpolate`${deployment.invokeUrl}/${resource.pathPart}`;
```
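The Pulumi program only wires API Gateway to an authorizer function; the actual token validation happens inside that function. The following is an added example of such a TOKEN authorizer handler (it is not code from the original page, from Pulumi, or from AWS): it verifies an RS256 token against the identity provider's JWKS, checks the issuer, audience, expiry and not-before claims, and returns the IAM policy document API Gateway expects. The names (verifyOidcToken, buildPolicy, authorize, signDemoToken, DEMO_JWKS, DEMO_AUDIENCE), the fixed clock, the method ARN and the demo RSA key pair that stands in for the IdP's signing key are all assumptions constructed for an offline run; the issuer URL is the one from the page. In a deployed Lambda the JWKS would be fetched from the IdP's discovery document and cached across invocations, and authorize would be wrapped as the exported handler.

```typescript
import * as crypto from "crypto";

// Shapes used below (assumed names, not from the page).
interface Jwk { kty: string; kid: string; n: string; e: string; alg?: string; use?: string }
interface Jwks { keys: Jwk[] }
interface VerifyOptions { issuer: string; audience: string; now?: number } // now = epoch seconds
interface TokenAuthorizerEvent { type: "TOKEN"; authorizationToken: string; methodArn: string }
type Claims = Record<string, unknown>;

const b64url = (data: Buffer | string): string =>
    Buffer.from(data).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s: string): Buffer => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");

// Verify an RS256 OIDC token: signature against the IdP's JWKS, then iss, aud, exp and nbf.
// Throws on any failure and returns the verified claims on success.
export function verifyOidcToken(token: string, jwks: Jwks, opts: VerifyOptions): Claims {
    const parts = token.split(".");
    if (parts.length !== 3) throw new Error("malformed token");
    const [h, p, s] = parts;
    const header = JSON.parse(fromB64url(h).toString("utf8"));
    // Pin the algorithm; never let the token's own "alg" header choose the verifier.
    if (header.alg !== "RS256") throw new Error(`unsupported alg ${header.alg}`);
    const jwk = jwks.keys.find(k => k.kid === header.kid && k.kty === "RSA");
    if (!jwk) throw new Error("unknown kid");
    const pub = crypto.createPublicKey({ key: { kty: "RSA", n: jwk.n, e: jwk.e }, format: "jwk" });
    if (!crypto.verify("sha256", Buffer.from(`${h}.${p}`), pub, fromB64url(s))) throw new Error("bad signature");
    const claims = JSON.parse(fromB64url(p).toString("utf8")) as Claims;
    const now = opts.now ?? Math.floor(Date.now() / 1000);
    if (claims.iss !== opts.issuer) throw new Error("issuer mismatch");
    const aud = claims.aud;
    if (!(Array.isArray(aud) ? aud.includes(opts.audience) : aud === opts.audience)) throw new Error("audience mismatch");
    const exp = claims.exp, nbf = claims.nbf;
    if (typeof exp !== "number" || exp <= now) throw new Error("token expired or missing exp");
    if (typeof nbf === "number" && nbf > now) throw new Error("token not yet valid");
    return claims;
}

// Build the response shape a TOKEN authorizer must return.
export function buildPolicy(principalId: string, effect: "Allow" | "Deny", methodArn: string, context: Record<string, string> = {}) {
    return {
        principalId,
        policyDocument: { Version: "2012-10-17", Statement: [{ Action: "execute-api:Invoke", Effect: effect, Resource: methodArn }] },
        context, // forwarded to the backend as $context.authorizer.*
    };
}

// Authorizer entry point: a missing or malformed header yields 401 (API Gateway maps the literal
// "Unauthorized" error to it); a token that fails verification yields an explicit Deny (403).
export function authorize(event: TokenAuthorizerEvent, jwks: Jwks, opts: VerifyOptions) {
    const m = /^Bearer\s+(\S+)$/.exec(event.authorizationToken ?? "");
    if (!m) throw new Error("Unauthorized");
    try {
        const claims = verifyOidcToken(m[1], jwks, opts);
        return buildPolicy(String(claims.sub), "Allow", event.methodArn, { sub: String(claims.sub) });
    } catch {
        return buildPolicy("anonymous", "Deny", event.methodArn);
    }
}

// ---- Constructed demo material: an offline stand-in for the identity provider ----
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const DEMO_KID = "demo-key-1";
const pubJwk = publicKey.export({ format: "jwk" }) as { n: string; e: string };
export const DEMO_JWKS: Jwks = { keys: [{ kty: "RSA", kid: DEMO_KID, alg: "RS256", use: "sig", n: pubJwk.n, e: pubJwk.e }] };
export const DEMO_ISSUER = "https://example-oidc.com"; // the issuer URL used on the page
export const DEMO_AUDIENCE = "my-api";                 // assumed client_id / audience

// Mint a token the way the IdP would (demo only; real tokens come from the IdP).
export function signDemoToken(claims: Claims, kid: string = DEMO_KID): string {
    const h = b64url(JSON.stringify({ alg: "RS256", typ: "JWT", kid }));
    const p = b64url(JSON.stringify(claims));
    return `${h}.${p}.${b64url(crypto.sign("sha256", Buffer.from(`${h}.${p}`), privateKey))}`;
}

// Run the authorizer against a valid and an expired token; returns the policy Effects.
export function demo(): { valid: string; expired: string } {
    const now = 1_700_000_000; // fixed clock so the demo is deterministic
    const arn = "arn:aws:execute-api:us-east-1:123456789012:abcdef/prod/GET/myresource"; // constructed
    const opts = { issuer: DEMO_ISSUER, audience: DEMO_AUDIENCE, now };
    const run = (token: string) =>
        authorize({ type: "TOKEN", authorizationToken: `Bearer ${token}`, methodArn: arn }, DEMO_JWKS, opts).policyDocument.Statement[0].Effect;
    const base = { iss: DEMO_ISSUER, aud: DEMO_AUDIENCE, sub: "user-123" };
    return {
        valid: run(signDemoToken({ ...base, iat: now, exp: now + 300 })),
        expired: run(signDemoToken({ ...base, iat: now - 900, exp: now - 600 })),
    };
}
```

Two design points matter for an authorizer of this kind. The algorithm is pinned to RS256 and the key is selected by `kid` from a JWKS the function already trusts, so a token cannot steer verification to a different algorithm or key. The issuer and audience are compared against values the deployment owns rather than read from the token, so a token that is validly signed by some other IdP, or issued for some other API, is still denied.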
Summary
In this tutorial, we set up an OIDC provider, created an API Gateway REST API, configured a custom authorizer to validate OIDC tokens, and secured the API endpoints using the custom authorizer. This ensures that only authenticated requests with valid OIDC tokens can access your API endpoints.