I have a number of lambda functions exposed via the AWS Gateway Service as such:

- /some-resource
    GET
    POST
    OPTIONS
- /some-other-resource
    GET
    POST
    OPTIONS
- /some-public-resource
    GET
    OPTIONS

The resources are secured with Access Tokens. However, I would like to allow anonymous access to the /some-public-resource resource, so that it can be accessed without requiring any authentication.

I have tried to create a policy in IAM for that resource's ARN (although I am not sure that I got the Gateway API Resource ARN correct as I couldn't find any documentation on how to set this value), however, I am still unable to access that end-point without an access token.

Does anyone have an idea of whether or not there is an additional step I need to take, or if there is something else I have done wrong?

ralfe

1 Answer

You could disable any authorization and API key requirement from the console as follows:

This step must be applied to the whole set of methods (POST, PATCH, DELETE, and so on) in your resource /some-public-resource.

Click on Method Request link (invokeworker2 = some-public-resource)

[screenshot]

Then, disable Authorization and API key Required

[screenshot]

Like I said, you need to do that for every method in your resource /some-public-resource.

Now, your resource /some-public-resource is open and clients won't need to pass any tokens for authorization.

Ele

  • Hi Ele, I did what you suggested but I got "{"message": "Missing Authentication Token"}" response, any idea that you can share with me? – Eralper Feb 26 '19 at 09:37
  • When you change the settings remember to click the 'Actions' button and redeploy the API to a stage. Changes to the API settings won't become active until the API is deployed. – Tim Sep 17 '19 at 00:57
  • Note that this makes your route fully public. Anyone can use it. You may still want to protect the route by authorizing anonymous users. AWS Cognito Identity Pool allows that. You can create an AWS_IAM Role which anonymous users can assume. By calling the Cognito Identity pool, your application can get your anonymous visitor a temporary role. This role authorizes API calls to some of your API routes. If I don't provide a Cognito token access will be denied with : "{"message": "Missing Authentication Token"}" – koxon Feb 21 '23 at 02:32
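The same change the answer makes by clicking through the console can be scripted against the REST API management API, which also makes it easy to catch the two pitfalls raised in the comments: forgetting one method on the public resource, and forgetting to redeploy the stage. The block below is an added example, not code from the question, the answer or AWS; it builds the per-method patch operations (`/authorizationType` = `NONE`, `/apiKeyRequired` = `false`, the real paths `update-method` accepts), audits the rest of the API for methods that are open without having been meant to be, and constructs the `execute-api` ARN that an IAM policy for the Cognito unauthenticated role needs (the ARN format the question could not find documentation for). The resource ids, API id, account id and stage name are placeholders, and the sample `get_resources` output is constructed here in the shape returned with `embed=["methods"]`.

```python
"""Added example: open every method on one API Gateway resource, audit the
others, and build the execute-api ARN for an IAM-authorised alternative.
All ids and names are placeholders (assumptions), not values from the page."""
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of apigateway.get_resources(embed=["methods"]).
# Resource ids are made up; the paths mirror the question.
SAMPLE_RESOURCES: List[dict] = [
    {"id": "aaa111", "path": "/some-resource",
     "resourceMethods": {
         "GET": {"authorizationType": "COGNITO_USER_POOLS", "apiKeyRequired": False},
         "POST": {"authorizationType": "COGNITO_USER_POOLS", "apiKeyRequired": False},
         "OPTIONS": {"authorizationType": "NONE", "apiKeyRequired": False}}},
    {"id": "bbb222", "path": "/some-other-resource",
     "resourceMethods": {
         # GET here is open without an authorizer: the audit below should flag it
         "GET": {"authorizationType": "NONE", "apiKeyRequired": False},
         "POST": {"authorizationType": "COGNITO_USER_POOLS", "apiKeyRequired": False},
         "OPTIONS": {"authorizationType": "NONE", "apiKeyRequired": False}}},
    {"id": "ccc333", "path": "/some-public-resource",
     "resourceMethods": {
         "GET": {"authorizationType": "COGNITO_USER_POOLS", "apiKeyRequired": True},
         "OPTIONS": {"authorizationType": "NONE", "apiKeyRequired": False}}},
]

# The two settings the answer switches off in the console, as update-method
# patch operations (these JSON-patch paths are the ones API Gateway accepts).
OPEN_METHOD_PATCH: List[Dict[str, str]] = [
    {"op": "replace", "path": "/authorizationType", "value": "NONE"},
    {"op": "replace", "path": "/apiKeyRequired", "value": "false"},
]


def plan_public_resource(resources: List[dict], public_path: str) -> List[dict]:
    """One update_method call per method on the public resource that is not
    already open. Every method is covered, as the answer stresses."""
    plan = []
    for res in resources:
        if res["path"] != public_path:
            continue
        for http_method, settings in sorted(res["resourceMethods"].items()):
            already_open = (settings.get("authorizationType") == "NONE"
                            and not settings.get("apiKeyRequired"))
            if already_open:
                continue
            plan.append({"resourceId": res["id"], "httpMethod": http_method,
                         "patchOperations": OPEN_METHOD_PATCH})
    return plan


def methods_without_auth(resources: List[dict],
                         allowed_public_paths: Set[str]) -> List[Tuple[str, str]]:
    """Audit: (path, method) pairs reachable without any authorization or API
    key on paths that were not meant to be public. OPTIONS is skipped because
    CORS preflight is normally unauthenticated by design."""
    findings = []
    for res in resources:
        if res["path"] in allowed_public_paths:
            continue
        for http_method, settings in sorted(res["resourceMethods"].items()):
            if http_method == "OPTIONS":
                continue
            if settings.get("authorizationType") == "NONE" and not settings.get("apiKeyRequired"):
                findings.append((res["path"], http_method))
    return findings


def execute_api_arn(region: str, account_id: str, api_id: str, stage: str,
                    http_method: str, path: str) -> str:
    """ARN format IAM uses for API Gateway invocations:
    arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/METHOD/PATH"""
    return f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}/{http_method}/{path.lstrip('/')}"


def anonymous_invoke_policy(arns: List[str]) -> dict:
    """Least-privilege policy for the Cognito identity pool's unauthenticated
    role (the alternative koxon describes): invoke only the listed routes."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "execute-api:Invoke",
                           "Resource": list(arns)}]}


def apply_plan(rest_api_id: str, plan: List[dict], stage_name: str) -> str:
    """Push the updates and redeploy. Nothing is live until create_deployment
    runs (Tim's comment); returns the new deployment id."""
    import boto3  # imported here so the rest of the module runs without AWS credentials
    client = boto3.client("apigateway")
    for item in plan:
        client.update_method(restApiId=rest_api_id, **item)
    return client.create_deployment(restApiId=rest_api_id, stageName=stage_name)["id"]


if __name__ == "__main__":
    print(plan_public_resource(SAMPLE_RESOURCES, "/some-public-resource"))
    print(methods_without_auth(SAMPLE_RESOURCES, {"/some-public-resource"}))
    print(anonymous_invoke_policy([execute_api_arn(
        "us-east-1", "123456789012", "abc123", "prod", "GET", "/some-public-resource")]))
```

On the sample data the plan touches only `GET` on `/some-public-resource` (its `OPTIONS` is already open), and the audit reports `/some-other-resource GET` as open without an authorizer, which is the kind of drift worth checking after console edits. The same patch operations can be passed to `aws apigateway update-method --patch-operations` from the CLI, followed by `aws apigateway create-deployment --stage-name`.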