{"id":17169158,"url":"https://github.com/rnag/aws-cdk-secure-api","last_synced_at":"2026-04-29T11:02:03.581Z","repository":{"id":39574782,"uuid":"507064242","full_name":"rnag/aws-cdk-secure-api","owner":"rnag","description":"A CDK (v2) Construct Library for Secure REST APIs","archived":false,"fork":false,"pushed_at":"2023-06-23T19:19:31.000Z","size":74,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-04-20T01:11:55.732Z","etag":null,"topics":["api-gateway","api-key","aws","aws-api-gateway","aws-cdk","aws-cdk-construct","secure-api"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rnag.png","metadata":{"files":{"readme":"README.rst","changelog":"HISTORY.rst","contributing":"CONTRIBUTING.rst","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-06-24T15:46:13.000Z","updated_at":"2022-06-24T21:37:15.000Z","dependencies_parsed_at":"2024-10-14T23:25:17.175Z","dependency_job_id":"188f7b52-3533-4599-9434-2c0d06960c85","html_url":"https://github.com/rnag/aws-cdk-secure-api","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/rnag/aws-cdk-secure-api","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rnag%2Faws-cdk-secure-api","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rnag%2Faws-cdk-secure-api/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rnag%2Faws-cdk-secure-api/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rnag%2Faws-cdk-secure-api/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rnag","download_url":"https://codeload.github.com/rnag/aws-cdk-secure-api/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rnag%2Faws-cdk-secure-api/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32422532,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-29T06:29:02.080Z","status":"ssl_error","status_checked_at":"2026-04-29T06:29:00.631Z","response_time":110,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api-gateway","api-key","aws","aws-api-gateway","aws-cdk","aws-cdk-construct","secure-api"],"created_at":"2024-10-14T23:25:15.201Z","updated_at":"2026-04-29T11:02:03.510Z","avatar_url":"https://github.com/rnag.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"==================\naws-cdk-secure-api\n==================\n\n\n.. image:: https://img.shields.io/pypi/v/aws-cdk-secure-api.svg\n        :target: https://pypi.org/project/aws-cdk-secure-api\n\n.. image:: https://img.shields.io/pypi/pyversions/aws-cdk-secure-api.svg\n        :target: https://pypi.org/project/aws-cdk-secure-api\n\n.. image:: https://github.com/rnag/aws-cdk-secure-api/actions/workflows/dev.yml/badge.svg\n        :target: https://github.com/rnag/aws-cdk-secure-api/actions/workflows/dev.yml\n\n.. image:: https://readthedocs.org/projects/aws-cdk-secure-api/badge/?version=latest\n        :target: https://aws-cdk-secure-api.readthedocs.io/en/latest/?version=latest\n        :alt: Documentation Status\n\n\n.. image:: https://pyup.io/repos/github/rnag/aws-cdk-secure-api/shield.svg\n     :target: https://pyup.io/repos/github/rnag/aws-cdk-secure-api/\n     :alt: Updates\n\n\nAn unofficial `AWS CDK v2`_ Construct Library for Secure REST APIs.\n\n* Documentation: https://aws-cdk-secure-api.readthedocs.io.\n\n.. _`AWS CDK v2`: https://aws.amazon.com/about-aws/whats-new/2021/12/aws-cloud-development-kit-cdk-generally-available/\n\nInstall\n-------\n\n.. code-block:: console\n\n    pip install aws-cdk-secure-api\n\nConstructs\n----------\n\n* ``SecureRestApi`` - A construct to create a (public) REST API secured behind an API key, which needs to be\n  specified in the ``x-api-key`` header for all requests.\n\n* ``IAMSecureRestApi`` - A construct to create a (public) REST API secured behind `AWS IAM authentication`_, which\n  requires IAM credentials `to be signed`_ and included in all requests.\n\n.. _to be signed: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-access-control-iam.html\n\nFeatures\n--------\n\n* A CDK Construct which sets up a `RestApi`_ secured behind (one of):\n\n  * API key\n\n    * An API key is `auto-generated`_ and stored in SSM Parameter Store (which is\n      a free service) as needed.\n\n    * Local cache for the API key, so that API calls are not needed in future\n      CDK deployments.\n\n  * `AWS IAM authentication`_\n\n    * An IAM User (and Policy/Role) is created with minimal permissions to call / invoke the API.\n\n    * The IAM User Credentials (Access Keys) are stored in AWS Secrets Manager.\n\n* Helper methods for all constructs, such as ``add_resource_and_lambda_methods``, to make it easier to\n  integrate a method for an AWS Lambda function for example.\n\n.. _`RestApi`: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html\n.. _`auto-generated`: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetRandomPassword.html\n\nUsage\n-----\n\nThe ``SecureRestApi`` construct represents a Secure REST API in Amazon API Gateway.\n\n    Use ``add_resource``, ``add_lambda_methods``, and ``add_methods`` to\n    configure the API model, as shown below.\n\n**Using a root resource**:\n\n.. code:: python3\n\n    from aws_cdk.aws_apigateway import StageOptions\n    from aws_cdk.aws_lambda import Function, Runtime\n\n    from aws_cdk_secure_api import Http, SecureRestApi\n\n    # noinspection PyTypeChecker\n    py_runtime: Runtime = Runtime.PYTHON_3_10\n\n    get_handler = Function(self, 'lambda1', runtime=py_runtime, ...)\n    put_handler = Function(self, 'lambda2', runtime=py_runtime, ...)\n\n    api = SecureRestApi(\n        self, 'api',\n        rest_api_name='My Secure Service',\n        # optional: specify a deployment stage\n        deploy_options=StageOptions(stage_name='dev')\n    )\n\n    api.add_lambda_methods(get_handler, 'GET')  # GET /\n    api.add_lambda_methods(put_handler, Http.PUT, Http.POST)  # PUT /, POST /\n\n**Using a custom-named resource**:\n\n    Replace above usage of ``add_lambda_methods`` with\n    ``add_resource_and_lambda_methods``, as shown below.\n\n.. code:: python3\n\n    # GET /path1\n    api.add_resource_and_lambda_methods(get_handler, '/path1', 'GET')\n    # PUT /path2, POST /path2\n    api.add_resource_and_lambda_methods(put_handler, '/path2', Http.PUT, Http.POST)\n\nThe ``IAMSecureRestApi`` construct represents a Secure REST API in Amazon API Gateway,\nwhich requires IAM Authorization.\n\n**Using a custom-named resource**:\n\n.. code:: python3\n\n    from aws_cdk.aws_apigateway import StageOptions\n    from aws_cdk.aws_lambda import Function, Runtime\n\n    from aws_cdk_secure_api import Http, IAMConfig, IAMSecureRestApi\n\n    # noinspection PyTypeChecker\n    py_runtime: Runtime = Runtime.PYTHON_3_10\n\n    get_handler = Function(self, 'lambda1', runtime=py_runtime, ...)\n    put_handler = Function(self, 'lambda2', runtime=py_runtime, ...)\n\n    api = IAMSecureRestApi(\n        self, 'api',\n        rest_api_name='My IAM Secure Service',\n        # optional: specify the name of secret to store IAM User Credentials\n        config=IAMConfig(secret_name='my-stack/iam-user-access-keys'),\n        # optional: specify a deployment stage\n        deploy_options=StageOptions(stage_name='dev')\n    )\n\n    # GET /path1\n    api.add_resource_and_lambda_methods(get_handler, '/path1', 'GET')\n    # PUT /path2, POST /path2\n    api.add_resource_and_lambda_methods(put_handler, '/path2', Http.PUT, Http.POST)\n\nTo use an IAM Role instead of attaching a Policy directly to User:\n\n.. code:: python3\n\n    IAMConfig(use_role=True)\n\nAWS Profile\n-----------\n\nNote that if you normally pass the ``--profile`` to the ``cdk`` tool, for example such as::\n\n    cdk deploy --profile my-aws-profile\n\nThe CDK construct won't be able to detect the AWS profile in this particular case.\nA few workarounds can be used for this:\n\n1. The environment variable ``AWS_PROFILE`` can be set before calling the ``cdk`` tool.\n2. The ``profile`` attribute can be passed in to the ``config`` parameter for ``SecureRestApi``.\n3. The ``profile`` context variable can be passed in to the ``cdk`` tool,\n   as shown below::\n\n       cdk deploy --profile my-profile -c profile=my-profile\n\nAPI Keys\n--------\n\nHere is the process that the CDK construct uses for generating\nor using an API key for a REST API.\n\n1. First, it tries to read the API key from local cache, which is located in your\n   home directory, under ``~/.cdk/cache/apigw_api_keys.json``.\n2. If an API key is found, then it proceeds to use the cached key value, and *does not*\n   perform the following steps.\n3. An API call is made to read the key from AWS SSM Parameter Store. The param\n   name is ``/{STACK NAME}/api-key``, where ``{STACK NAME}`` is the name of the CDK stack.\n4. If the parameter does not exist, an random API key value is auto-generated, and a new\n   SSM Parameter is created in the same AWS account and region that the CDK stack is deployed to.\n5. The API key value is then cached on the local drive, under the ``~/.cdk/cache`` folder.\n\nStack Outputs\n-------------\n\nThe following *stack outputs* will additionally be added to the CDK stack:\n\n* ``APIEndpoint`` - The base endpoint of the Secure REST API.\n\n  * *Note:* this output will not show up if ``override_endpoint_name`` is disabled\n    in the ``config`` parameter.\n\n* ``APIKey`` - The API key for the endpoint, which needs to be specified\n  as a value in an HTTP request's ``x-api-key`` header.\n\n* ``APIIAMUserCredentials`` - The URL link (to input in a browser) for the Secret\n  stored in AWS Secrets Manager containing the AWS IAM Credentials for invoking the REST API.\n\n* ``APIIAMRoleARN`` - The ARN of the IAM Role, used in an `AssumeRole`_ API call with the IAM User credentials.\n\n.. _`AssumeRole`: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html\n\nCredits\n-------\n\nThis package was created with Cookiecutter_ and the `rnag/cookiecutter-pypackage`_ project template.\n\n.. _AWS IAM authentication: https://repost.aws/knowledge-center/iam-authentication-api-gateway\n.. _Cookiecutter: https://github.com/cookiecutter/cookiecutter\n.. _`rnag/cookiecutter-pypackage`: https://github.com/rnag/cookiecutter-pypackage\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frnag%2Faws-cdk-secure-api","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frnag%2Faws-cdk-secure-api","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frnag%2Faws-cdk-secure-api/lists"}