I want to access an Amazon API Gateway API from another AWS account.
Resolution
Public API endpoints
You can access API Gateway public endpoints (Regional or edge-optimized) directly from the API stage URL. For example, https://0123456789.execute-api.{region}.amazonaws.com/{stage-name}.
You can also use a custom domain name in a public hosted zone to access API Gateway public endpoints.
For more information, see How can I set up a custom domain name for my API Gateway API?
Private REST API endpoints
You can use an interface VPC endpoint to access private REST API endpoints from your Amazon Virtual Private Cloud (Amazon VPC).
To access a private REST API that's located in another account, edit the resource policy to grant cross-account permissions. You can also use a private custom domain name to associate your VPC endpoint in another account.
For more information, see How do I use an interface VPC endpoint to access an API Gateway private REST API in another account?
Use IAM authentication
Accessing an API Gateway API across accounts with AWS Identity and Access Management (IAM) authentication requires additional configuration. Make sure that the IAM entity in the consumer account has permissions to invoke the API through an identity-based policy.
The IAM entity in the consumer (source) account must also be explicitly allowed in the API's resource policy, for example:
REST APIs
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::CONSUMER-ACCOUNT-ID:user/USERNAME",
                    "CONSUMER-ACCOUNT-ID"
                ]
            },
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:YOUR-REGION:API-OWNER-ACCOUNT-ID:API-ID/*/*/*"
            ]
        }
    ]
}
Note: Replace CONSUMER-ACCOUNT-ID, USERNAME, YOUR-REGION, API-OWNER-ACCOUNT-ID, and API-ID with your values. The three wildcards in the resource ARN match the stage name, HTTP method, and resource path in that order; narrow them when the consumer only needs a specific stage or method.
For more information, see How do I activate IAM authentication for API Gateway REST APIs?
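The identity-based policy on the consumer side is required by the section above but not shown there. The following is an added example written for this article (not an AWS-provided sample); the ARN uses the same placeholders as the resource policy, plus STAGE-NAME. Unlike the resource policy's three wildcards, it restricts the consumer to GET calls on one stage, which is the least-privilege shape to aim for, and the request is denied unless both this policy and the API's resource policy allow it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InvokeCrossAccountApi",
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:YOUR-REGION:API-OWNER-ACCOUNT-ID:API-ID/STAGE-NAME/GET/*"
    }
  ]
}
```

Attach this policy to the IAM user or role in CONSUMER-ACCOUNT-ID that will call the API; the principal in the resource policy must match the same user or role (or its account).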
HTTP APIs
API Gateway HTTP APIs don't support resource policies, so you can't use a resource policy to grant cross-account IAM access to an HTTP API.
Instead, use the sts:AssumeRole API action to assume a role in the HTTP API's account. The assumed role returns temporary security credentials (an access key, a secret key, and a session token) that you can use to sign requests to the HTTP API in the other account.
For more information, see How can I provide cross-account IAM authorization for API Gateway HTTP APIs?
Related information
Private REST APIs in API Gateway
Example: Allow roles in another AWS account to use an API