Not all gateways are meant to be public. Therefore, if you want to share limited API access with the world, one way to do it is through Cross-Origin Resource Sharing (CORS) and API Keys. This is the first of a two-part entry dedicated to creating closed API access using AWS API Gateway.


These are the tools you will need for API development:

Tools for API Development


Cross-Origin Resource Sharing (CORS)

CORS cares about three things:

  1. The HEADER type
  2. The HTTP verb (GET, POST, DELETE, UPDATE)
  3. The origin of these requests (for example, http://myspecificdomain.com)

Creating a Process

Step 1 - Providing Access using Headers

Method Response

The diagram shows two blocks called Method Response and Integration Response.

Method Response is where we pick our Headers, Methods and Origins. Said differently, it's where we define our header-types, the HTTP verb and the allowed origin.

Access Control Allow

Step 2 - Describing which values are allowed into our Headers

Now that we understand the purpose of the Method Response, let's now look at Integration Response. This is where we describe which values are permissible from the outside world.

In this example we are allowing GET requests from anyone ('*') in the world.

Header Values

Looking at the Header Mappings, all this says is that we are allowing three types of headers, two types of HTTP verbs and access from anyone in the world.

  • Access-Control-Allow-Headers => 'Content-Type,X-Amz-Date,Authorization'
  • Access-Control-Allow-Methods => 'GET,POST'
  • Access-Control-Allow-Origin => '*'
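
Added example (not from the original article): a simplified Python model of how a browser evaluates a preflight request against the three mapping values above, next to a constructed variant that pins the origin to http://myspecificdomain.com. The function names, the pinned mapping and the sample origins are assumptions made for illustration.

```python
# Added example: simplified model of the browser's CORS preflight check.
# Credentialed requests and Content-Type value rules are not modeled.

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}  # pass without being listed
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language"}

# Integration Response mappings from the article; API Gateway writes
# static values inside single quotes.
OPEN_MAPPING = {
    "Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization'",
    "Access-Control-Allow-Methods": "'GET,POST'",
    "Access-Control-Allow-Origin": "'*'",
}
# Constructed variant (assumption): same mapping, one allowed origin.
PINNED_MAPPING = dict(OPEN_MAPPING)
PINNED_MAPPING["Access-Control-Allow-Origin"] = "'http://myspecificdomain.com'"


def _values(mapping, name):
    """Strip the static-value quotes and split the comma-separated list."""
    raw = mapping.get(name, "").strip().strip("'")
    return [v.strip() for v in raw.split(",") if v.strip()]


def preflight_allowed(mapping, origin, method, request_headers=()):
    """Return (allowed, reason) for a preflight sent from `origin`."""
    allow_origin = _values(mapping, "Access-Control-Allow-Origin")
    if allow_origin != ["*"] and allow_origin != [origin]:
        return False, "origin"
    methods = set(_values(mapping, "Access-Control-Allow-Methods"))
    if method not in methods | SAFELISTED_METHODS and "*" not in methods:
        return False, "method"
    allowed = {h.lower() for h in _values(mapping, "Access-Control-Allow-Headers")}
    for header in request_headers:
        name = header.lower()  # header names compare case-insensitively
        if name in SAFELISTED_HEADERS or name in allowed:
            continue
        if "*" in allowed and name != "authorization":
            continue  # the wildcard never covers Authorization
        return False, "header:" + name
    return True, "ok"


if __name__ == "__main__":
    for label, m in (("open", OPEN_MAPPING), ("pinned", PINNED_MAPPING)):
        print(label, preflight_allowed(m, "http://other.example", "GET"))
```

Because the mapping does not list x-api-key, the header API Gateway reads API keys from, a browser client that sends it fails the header check until it is added to Access-Control-Allow-Headers.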

Resources