In a sample AWS serverless architecture, there would be S3 hosting a static website, calling API gateway endpoints via javascript, which in turn invokes Lambda functions.

How to authenticate against the AWS API gateway without making the credentials public by storing them in publicly accessible javascript source served from S3?

(not asking about backend credentials, these are easily stored (and encrypted) in environment variables accessible to the Lambda functions)

Marek
    Your users would typically authenticate using Cognito or some other auth backend, exchanging their credentials for a JWT token or equivalent that is used to authenticate to API Gateway. – jarmod Nov 06 '18 at 16:07
  • Thank you for your very quick and to the point answer. Yes, AWS Cognito is the part I missed. Why a comment and not an answer though? – Marek Nov 06 '18 at 16:08
  • @jarmod however how about the public (non-logged in) portion of a website making API calls? – Marek Nov 06 '18 at 16:10
  • Have added answer plus info about unauthenticated API access. – jarmod Nov 06 '18 at 20:11

3 Answers

Your users would typically authenticate using Cognito or some other auth backend, exchanging their credentials for a JWT token or equivalent that is used to authenticate to API Gateway. Here's an example of the steps involved.

It's also possible to support unauthenticated users with Cognito.

If there are situations in which you need API Gateway calls to be made without authentication, then see this response.

jarmod

You need to get a token from the client-side, using a third party identity provider, which you can pass to API Gateway. I personally use Auth0, which is free for up to two identity providers.

It's easy to integrate with your Single Page Application (Angular/React/Vue) to one or many Identity Providers, with good code examples.

It's also straightforward to integrate server-side validation of the auth tokens in API Gateway using a Custom Authenticator. Role Based Access can also be controlled using the Authorization Extension. The public part of the website can make API calls to API Endpoints that do not use a Custom Authenticator.

Here is a good guide from the Serverless Framework Website that shows Strategies for implementing user authentication in serverless applications, with a working example on GitHub.

Matt D

Using something like AWS Cognito is the best idea (without having to worry about managing your own authentication servers).

In AWS Cognito, you can simply give unauthenticated users access to the invoking the API. See the docs for more (here and here).

mostafazh