在 AmazonAPI 网关中使用 API 密钥

I hope you are not missing to link the API key with the API

The x-api-key parameter is passed as a HTTP header parameter (i.e. it is not added to the JSON body). How you pass HTTP headers depend on the HTTP client you use.

For example, if you use curl and assuming that you POST the JSON payload, a request would look something like (where you replace [api-id] with the actual id and [region] with the AWS region of your API):

$ curl -X POST -H "x-api-key: theKey" -H "Content-Type: application/json" -d '{"key":"val"}' https://[api-id].execute-api.[region].amazonaws.com

I had to add an API Usage plan, and then link the plan to the API stage.

Seems like this is the only way to link the key to the API, not sure if this is a recent change on AWS.

If you set 'API Key Required' option to true, please check below.

1. you have to pass 'x-api-key' HTTP Header Parameter to API Gateway.

2. The API Key had to be created.

3. In addition, you need to check a Usage Plan for the API Key on API Gateway Console.

If you set 'API' key required to true, you need to pass the api key as header.

API Key is passed as header field 'x-api-key'. Even after adding this field in header, this issue may occur. In that case, please validate below points

1. Do you have a Usage Plan? if not need to create one.
2. Link you API with Usage Plan. For that add a stage, it will link your API
3. Do you have API Key? if not you need to create an API Key and enable it.
4. Add the Usage Plan which is linked with your API to this API Key. For that, add Usage Plan.

For Private API Gateways accessed through public DNS, we need to pass additional header of 'x-apigw-api-id' with the api id along with 'x-api-key' if configured.

curl -v https://{vpce-id}.execute-api.{region}.vpce.amazonaws.com/test -H 'x-apigw-api-id:{api-id}'

Its documented below,

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-api-test-invoke-url.html#w20aac13c16c28c11

I was able to get a successful response from Lambda using below configuration in Postman native app -

Under authorization tab (For some reason this didn't work when i passed the same parameters under header)

Key : x-api-key

Value : your-api-key-value

Add to : Header

I don't have enough reputation to set this as a comment, But I was finally able to find the document specifying that 'x-api-key' belongs in the header for API Gateway calls that come from outside clients (like postman, swagger, etc.) in the AWS Documentation.

The relevant part:

To use header-sourced API keys:

1. Create an API with desired API methods. And deploy the API to a stage.
2. Create a new usage plan or choose an existing one. Add the deployed API stage to the usage plan. Attach an API key to the usage plan or choose an existing API key in the plan. Note the chosen API key value.
3. Set up API methods to require an API key.
4. Redeploy the API to the same stage. If you deploy the API to a new stage, make sure to update the usage plan to attach the new API stage.

The client can now call the API methods while supplying the x-api-key header with the chosen API key as the header value.

Choose an API key source

Here a good resource explaining different reasons why we could be getting a Forbidden. The two most important are the request URL and the x-api-key header:

https://{api_id}.execute-api.{region}.amazonaws.com/{stage_name}/{resource_name}

Missing stage name will give you 403 for ex. Maybe for security reasons the response is not revealing an issue with the stage name, and thus you get a generic Forbidden.

I faced the same problem today. I had already mapped the API key to the usage plan (which was linked to the api gateway stage). I was also passing the api key in header correctly.

When none of these solutions work, do remember to check if your API is linked to WAF policy with only a certain ip-addresses permitted. Apparently, my IP address had changed today. So, WAF was blocking me. That can be an additional reason to get {"message": "Forbidden"} error.