How to add an AWS signature in Android and call AWS API Gateway

To answer your immediate question, AWS can generate a Java SDK from your API Gateway for you.

Using the generated SDK, you can then pass an AWSCredentialsProvider object into your SDK.

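    // Hard-coded IAM keys, shown only to illustrate the call (see the warning that follows)
    AWSCredentials credentials = new BasicAWSCredentials("AccessKey", "SecretKey");

    // credentialsProvider() expects an AWSCredentialsProvider, so wrap the static keys
    // (StaticCredentialsProvider is in com.amazonaws.internal)
    ApiClientFactory factory = new ApiClientFactory()
      .credentialsProvider(new StaticCredentialsProvider(credentials));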

But...

You should never ship IAM access keys in a shipped application. These credentials can be retrieved by anyone who has installed your application by opening the .apk file.

Those credentials can then be used to access any other AWS actions the associated IAM User has access to in your account. This means anyone with access to the application apk (i.e. anyone who can download the app from the app store) has access to your AWS account.

The problem you're trying to solve will dictate the correct solution.

My Lambda needs an IAM Role to run

This is a fairly common mistake to make with API Gateway when people see the "Invoke with caller credentials" option from API Gateway.

Uncheck this box and the Lambda will run with the IAM Role you defined in Lambda.

If requests fail after doing this, you need to make sure API Gateway has permission to invoke your Lambda.

Restrict API to the application itself without users

Your application can't keep a secret and you have no user credentials.

You should disable Authorization completely; this is effectively a public API.

Requiring an API Key (and usage plan) to rate limit your API can be useful, but keep in mind this is not a security measure as, again - your application can't keep that key secret.

You want users to log in first (no existing source of users)

This makes sense if your API call is only designed to be called by registered users.

You'll need to configure Cognito User Pools for this. This shouldn't be confused with Cognito Federated Identities - which focuses on a different part of the problem. You can use it to solve this, but trust me - you'll be happier if you don't go down that path.

To get cracking you'll need to take a few steps:

  1. Create a User Pool (detailed settings explained here).

  2. Configure a Cognito Authorizer on your API Gateway.

  3. Create an App Client for your pool. Don't generate a client secret key when you do this.

  4. Integrate with your Android application. There's a prebuilt Android example available from AWS for getting the client side going: AmazonCognitoYourUserPoolsDemo

You want users to log in first (existing source of users)

If you can use SAML or OAuth2.0 / OpenID Connect to authenticate your users, follow the instructions and then configure federation.

If not, this is possibly the time to consider Cognito Federated Identities, specifically using the Developer Authenticated Identities process. But again, I'd really recommend against it.

API Gateway & Cognito is a massive topic. Hopefully the instructions provided are a great entry point to the relevant parts of the documentation.
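
A pre-release check for the leak the answer warns about, as an added example (not part of the original answer and not AWS tooling): it scans an APK for strings shaped like AWS access key IDs. The function names and the sample archive are constructed for illustration; `AKIAIOSFODNN7EXAMPLE` is the placeholder key ID used in AWS documentation.

```python
import io
import re
import zipfile

# AWS access key IDs: "AKIA" (long-term IAM user) or "ASIA" (temporary STS)
# followed by 16 upper-case alphanumerics. Lookarounds avoid matching inside
# a longer upper-case run.
KEY_ID = re.compile(rb"(?<![0-9A-Z])(?:AKIA|ASIA)[0-9A-Z]{16}(?![0-9A-Z])")


def find_access_key_ids(apk):
    """Return sorted (entry_name, key_id) pairs found in an APK.

    `apk` is a path or a binary file object. An APK is a ZIP archive, so each
    entry is decompressed and searched as raw bytes. ASCII string constants in
    classes.dex appear verbatim; UTF-16 encoded resource tables are not
    covered by this check.
    """
    hits = set()
    with zipfile.ZipFile(apk) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            data = archive.read(info)
            for match in KEY_ID.finditer(data):
                hits.add((info.filename, match.group().decode("ascii")))
    return sorted(hits)


def build_sample_apk():
    """Constructed sample: a tiny ZIP laid out like an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Placeholder key ID from AWS documentation, embedded like a dex string.
        z.writestr("classes.dex", b"dex\n035\x00\x14AKIAIOSFODNN7EXAMPLE\x00")
        z.writestr("assets/config.json", b'{"region": "us-east-1"}')
    buf.seek(0)
    return buf


if __name__ == "__main__":
    findings = find_access_key_ids(build_sample_apk())
    for name, key_id in findings:
        print(f"{name}: hard-coded access key ID {key_id}")
    # Non-zero exit lets a CI job fail the release build.
    raise SystemExit(1 if findings else 0)
```

A match on the `AKIA` prefix means a long-term IAM user key is in the package; it should be rotated, not just removed from the next build.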