Amazon API Gateway REST API with a Client Certificate

The SAM template deploys an Amazon API Gateway REST API endpoint that uses a Client Certificate that will be used to call your integration endpoints in the 'Prod' Stage.

Note: when deploying this pattern, CAPABILITY_IAM is required.

Learn more about this pattern at Serverless Land Patterns: https://serverlessland.com/patterns/apigw-client-certificate

Important: this application uses various AWS services and there are costs associated with these services after the Free Tier usage - please see the AWS Pricing page for details. You are responsible for any AWS costs incurred. No warranty is implied in this example.


Deployment Instructions

  1. Create a new directory, navigate to that directory in a terminal and clone the GitHub repository:

    git clone https://github.com/aws-samples/serverless-patterns
  2. Change directory to the pattern directory:

    cd apigw-client-certificate
  3. From the command line, use AWS SAM to deploy the AWS resources for the pattern as specified in the template.yml file:

    sam deploy -g
  4. During the prompts:

    • Enter a stack name
    • Select the desired AWS Region
    • Allow SAM to create roles with the required permissions if needed.

    Once you have run guided mode once, you can use sam deploy in future to use these defaults.

  5. Note the outputs from the SAM deployment process. These contain the resource names and/or ARNs which are used for testing.


The stack will output the api endpoint. Please check the instructions at https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html#certificate-validation to configure a backend HTTPS server to verify the client certificate.


  1. Delete the stack
    sam delete
  2. Confirm the stack has been deleted
    aws cloudformation list-stacks --query "StackSummaries[?contains(StackName,'STACK_NAME')].StackStatus"

All Rights Reserved

Let's register a Viblo Account to get more interesting posts.