I want to access an Amazon API Gateway API from another AWS account. How can I do this?
Short description
Public API endpoints (Regional or edge-optimized) can be accessed directly from the public endpoint stage URL or a custom domain name.
Private REST APIs endpoints can be accessed from a virtual private cloud in Amazon Virtual Private Cloud (Amazon VPC) using an interface VPC endpoint.
Amazon API Gateway endpoints can be accessed using AWS Identity and Access Management (IAM) authentication with cross-account access.
Resolution
Public API endpoints
You can access API Gateway public endpoints directly from the API stage URL. For example, https://0123456789.execute-api.{region}.amazonaws.com/{stage-name}.
You can also access API Gateway public endpoints using a custom domain name in a public hosted zone.
Note: Custom domain names aren't supported for private APIs.
For more information, see How can I set up a custom domain name for my API Gateway API?
Private REST API endpoints
You can access API Gateway private REST APIs in another AWS account with an Amazon Virtual Private Cloud (Amazon VPC) using an interface endpoint.
If your private REST API is located in an AWS account and you want to access it from another account, you can edit the resource policy.
For more information, see How can I access an API Gateway private REST API in another AWS account using an interface VPC endpoint?
APIs using IAM authentication
Additional configuration is required to access an API Gateway API with cross-account access that uses IAM authentication. The IAM role of the source account must be allowed explicit access in the resource policy similar to the following:
REST APIs
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::account-id-2:user/Alice",
"account-id-2"
]
},
"Action": "execute-api:Invoke",
"Resource": [
"arn:aws:execute-api:us-east-1:{account-id}:{api-id}/*/*/*"
]
}
]
}
For more information, see How do I activate IAM authentication for API Gateway REST APIs?
HTTP APIs
The option to use resource policies to provide IAM authentication for cross-accounts isn't available for API Gateway HTTP APIs.
You can use the sts:AssumeRole API action to assume a role for the HTTP API account. The assumed role provides temporary security credentials that can be used to invoke the HTTP API in another account.
For more information, see How can I provide cross-account IAM authorization for API Gateway HTTP APIs?
Related information
Creating a private API in Amazon API Gateway
Example: Allow users in another AWS account to use an API