We are trying to include custom api snowplow enrichment, where we are trying to hit an API gateway in AWS which is secured by API Key. Currently snowplow api authentication supports only httpbasic authentication, is there any workaround for achieving this?
Unfortunately, not that I know of. Currently, as you said you can you either use HTTP Basic Auth or attach an API key as query parameter (which is also very unsecure).
Is it just an HTTP header that has to be attached to every request? Could you please create a ticket in the enrich bugtracker, explaining the desired flow of the authentication.
Maybe there’s an alternative, like proxy webserver in your subnet which receives unautheticated request from enrich EC2 node and then translates it to your original server? Feels very hacky, but best I can think of at the moment.
In addition to what @anton has mentioned, I think having this run in a private VPC (if possible) is a good idea - this would enable you to allow list connections from a certain host / CIDR as well.
The payload should be passed in the body already (for POST requests). In order to support an API key in the headers someone would need to add the functionality to the API enrichment (in the enrich codebase) to support attaching arbitrary headers to the request.