Amazon API Gateway mutual TLS (mTLS) lets you secure communication between your clients and API Gateway with certificates managed in AWS Certificate Manager (ACM). When the certificate for your custom domain is imported into ACM (not issued by ACM), API Gateway additionally requires an ownership verification certificate, so you need to set that property (`OwnershipVerificationCertificateArn` on the underlying CloudFormation domain resource) in your AWS Cloud Development Kit (CDK) code.
Here's an example of how to do this using the AWS CDK in TypeScript:
```typescript
import * as cdk from 'aws-cdk-lib';
import * as acm from 'aws-cdk-lib/aws-certificatemanager';
import * as apigateway from 'aws-cdk-lib/aws-apigateway';
import * as s3 from 'aws-cdk-lib/aws-s3';

const app = new cdk.App();
const stack = new cdk.Stack(app, 'MyApiStack');

// Replace 'YourApiName' with your API name
const api = new apigateway.RestApi(stack, 'YourApiName', {
  restApiName: 'YourApiName',
  description: 'Your API description',
  endpointTypes: [apigateway.EndpointType.REGIONAL], // mTLS requires a regional custom domain
  // mTLS is enforced only on the custom domain; disable the default
  // execute-api endpoint so clients cannot reach the API without a client certificate.
  disableExecuteApiEndpoint: true,
});
api.root.addResource('myresource')
  .addMethod('GET', new apigateway.HttpIntegration('http://example.com'));

// The imported (non-ACM-issued) certificate that the custom domain presents to clients
const importedCert = acm.Certificate.fromCertificateArn(
  stack, 'CustomCertificate',
  'arn:aws:acm:us-east-1:123456789012:certificate/your-imported-certificate-arn'
);
// An ACM-issued certificate for the same domain, used only to prove you own the domain
const ownershipCert = acm.Certificate.fromCertificateArn(
  stack, 'OwnershipVerificationCertificate',
  'arn:aws:acm:us-east-1:123456789012:certificate/your-acm-issued-certificate-arn'
);
// Bucket holding the truststore: a PEM bundle of the CA certificates allowed to issue client certs
const truststoreBucket = s3.Bucket.fromBucketName(stack, 'TruststoreBucket', 'your-truststore-bucket');

// Custom domain with mutual TLS enabled
const domain = new apigateway.DomainName(stack, 'ApiDomain', {
  domainName: 'api.example.com',
  certificate: importedCert,
  endpointType: apigateway.EndpointType.REGIONAL,
  securityPolicy: apigateway.SecurityPolicy.TLS_1_2, // required for mTLS
  mtls: { bucket: truststoreBucket, key: 'truststore.pem' },
});
domain.addBasePathMapping(api);

// Imported domain certificates need an ownership verification certificate; the L2
// DomainName construct does not expose it, so set the CloudFormation property on the L1 resource.
const cfnDomain = domain.node.defaultChild as apigateway.CfnDomainName;
cfnDomain.addPropertyOverride('OwnershipVerificationCertificateArn', ownershipCert.certificateArn);

app.synth();
```
In this example:
1. You create an `acm.ICertificate` reference for your imported certificate with `acm.Certificate.fromCertificateArn`, and a second reference for an ACM-issued certificate covering the same domain.
2. You define an `apigateway.DomainName` that uses the imported certificate as its server certificate, sets the security policy to TLS 1.2, and enables mTLS by pointing `mtls` at the truststore object in S3.
3. You set `OwnershipVerificationCertificateArn` on the underlying `CfnDomainName`, because API Gateway requires an ACM-issued ownership verification certificate whenever the domain certificate is imported.
Make sure to replace `'YourApiName'` with the actual name of your API, and replace the domain name, bucket name and certificate ARNs with those of your imported certificate, your ACM-issued certificate and your truststore.
This code snippet demonstrates how to set up mTLS with an imported certificate using the AWS CDK. You can adjust it to suit your specific use case and import your custom certificates as needed.
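As an added check that is not part of the original post, the TypeScript below audits a synthesized CloudFormation template (the shape `cdk synth` emits for these resources; the two template fragments are constructed by hand) for the mTLS settings that matter most: a missing truststore, a security policy below TLS 1.2, an edge-optimized certificate, an ownership verification certificate that is not a separate certificate, and the default execute-api endpoint left enabled, which lets callers bypass the custom domain's mTLS entirely.

```typescript
// Added check (not part of the original post): audit a synthesized CloudFormation
// template for the mTLS properties the CDK code above should produce.
type CfnResource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, CfnResource> };

function auditMtlsTemplate(tpl: Template): string[] {
  const findings: string[] = [];
  for (const [id, res] of Object.entries(tpl.Resources)) {
    const p = res.Properties ?? {};
    if (res.Type === 'AWS::ApiGateway::DomainName') {
      if (!p.MutualTlsAuthentication?.TruststoreUri) {
        findings.push(`${id}: no mTLS truststore (MutualTlsAuthentication.TruststoreUri)`);
      }
      if (p.SecurityPolicy !== 'TLS_1_2') {
        findings.push(`${id}: SecurityPolicy must be TLS_1_2 for mTLS`);
      }
      if (p.CertificateArn) {
        findings.push(`${id}: edge-optimized certificate set; mTLS requires a regional domain`);
      }
      if (p.OwnershipVerificationCertificateArn && p.OwnershipVerificationCertificateArn === p.RegionalCertificateArn) {
        findings.push(`${id}: ownership verification certificate must be a separate ACM-issued one`);
      }
    }
    if (res.Type === 'AWS::ApiGateway::RestApi' && p.DisableExecuteApiEndpoint !== true) {
      findings.push(`${id}: default execute-api endpoint enabled; it bypasses domain mTLS`);
    }
  }
  return findings;
}

// Constructed template fragments (hand-written samples, not real synth output).
const ARN = 'arn:aws:acm:us-east-1:123456789012:certificate/';
const hardenedTemplate: Template = { Resources: {
  YourApiName: { Type: 'AWS::ApiGateway::RestApi',
    Properties: { Name: 'YourApiName', DisableExecuteApiEndpoint: true } },
  ApiDomain: { Type: 'AWS::ApiGateway::DomainName', Properties: {
    DomainName: 'api.example.com', SecurityPolicy: 'TLS_1_2',
    RegionalCertificateArn: ARN + 'imported-cert',
    OwnershipVerificationCertificateArn: ARN + 'acm-issued-cert',
    MutualTlsAuthentication: { TruststoreUri: 's3://your-truststore-bucket/truststore.pem' } } },
} };
// Same API without the truststore, with TLS 1.0 allowed and the default endpoint left on.
const weakTemplate: Template = { Resources: {
  YourApiName: { Type: 'AWS::ApiGateway::RestApi', Properties: { Name: 'YourApiName' } },
  ApiDomain: { Type: 'AWS::ApiGateway::DomainName', Properties: {
    DomainName: 'api.example.com', SecurityPolicy: 'TLS_1_0',
    RegionalCertificateArn: ARN + 'imported-cert' } },
} };
```

Run it against the output of `cdk synth` in a pipeline step, and fail the deployment when `auditMtlsTemplate` returns any findings.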