
Provide AWS account ids access to API Gateway

I want to give some AWS account ids access to call the api gateway that is in my account. What is the best way to do this?

I think there is a way to add resource policy that gives that AWS account access. Is that a good way to do that? I am talking about a production kind of service?

Also, will all the resources of that AWS account get access to the API Gateway?

For each API Gateway endpoint we can change the Authorization option from None to AWS_IAM:

[Image: API Gateway authorization option field]

Then we can configure access to the API from the Resource Policy section of the API Gateway. From the Resource Policy page, click on the "AWS Account Whitelist" button to get a policy template, excerpted below:

{
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::{{otherAWSAccountID}}:root",
            "arn:aws:iam::{{otherAWSAccountID}}:user/{{otherAWSUserName}}",
            "arn:aws:iam::{{otherAWSAccountID}}:role/{{otherAWSRoleName}}"
        ]
    },
    "Action": "execute-api:Invoke",
    "Resource": [
        "execute-api:/{{stageNameOrWildcard*}}/{{httpVerbOrWildcard*}}/{{resourcePathOrWildcard*}}"
    ]
}

As an alternative (or in addition) to IAM authorization, we can control usage with API Keys, which enables the ability to rate limit (throttle) API calls and to set quotas.

More info:
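To make the "which accounts, and how much of the account" question concrete, here is an added Python example (not part of the original answer or of any AWS SDK) that builds the resource policy from a list of callers and then audits it for the settings a reviewer would flag on a production API: a wildcard principal, a `:root` principal (which delegates to every IAM identity in that account that also has `execute-api:Invoke` in its own identity policy), and a resource that covers every stage, method and path. The region, API owner account, API id and caller account ids are constructed placeholders; the policy uses the full `arn:aws:execute-api:...` resource form rather than the console's `execute-api:/...` shorthand.

```python
import json
import re

# Constructed placeholders: substitute your own API's region, owning account and id.
REGION = "us-east-1"
API_OWNER_ACCOUNT = "111111111111"
API_ID = "abcdef1234"

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def principal_arn(account_id, role_name=None):
    """Return the IAM principal ARN for one allowed caller.

    A role principal is the narrower grant. The 'root' form does not grant
    the whole account by itself: cross-account callers still need
    execute-api:Invoke in their own IAM policy, but any identity in that
    account which has it can then invoke the API.
    """
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"invalid AWS account id: {account_id!r}")
    if role_name is None:
        return f"arn:aws:iam::{account_id}:root"
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def execute_api_arn(stage="*", verb="*", path="*"):
    """Resource ARN for execute-api:Invoke on this API, narrowed by stage/method/path."""
    return f"arn:aws:execute-api:{REGION}:{API_OWNER_ACCOUNT}:{API_ID}/{stage}/{verb}/{path}"


def build_resource_policy(callers, stage="*", verb="*", path="*"):
    """Build an API Gateway resource policy.

    callers: list of (account_id, role_name) tuples; role_name None means ':root'.
    """
    principals = [principal_arn(acct, role) for acct, role in callers]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": "execute-api:Invoke",
                "Resource": [execute_api_arn(stage, verb, path)],
            }
        ],
    }


def audit_policy(policy):
    """Return review findings for Allow statements that are broader than they need to be."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(aws, str):
            aws = [aws]
        if "*" in aws:
            findings.append(f"statement {i}: wildcard principal makes the API publicly invokable")
        for p in aws:
            if p.endswith(":root"):
                findings.append(f"statement {i}: {p} delegates to every IAM identity in that account")
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for r in resources:
            if r.endswith("/*/*/*"):
                findings.append(f"statement {i}: resource {r} covers every stage, method and path")
    return findings


if __name__ == "__main__":
    # Narrow grant: one partner role, one stage, one method, one path prefix.
    tight = build_resource_policy([("222222222222", "partner-invoke-role")],
                                  stage="prod", verb="GET", path="orders/*")
    print(json.dumps(tight, indent=2))
    print("findings:", audit_policy(tight))

    # Broad grant: account root on every stage/method/path, as the console template allows.
    loose = build_resource_policy([("222222222222", None)])
    for f in audit_policy(loose):
        print("finding:", f)
```

Run it as a script to print both policies; the tight one produces no findings, while the root-principal, all-wildcard version produces two. Pair the resource policy with AWS_IAM authorization on each method as the answer describes, otherwise the policy alone is not what authenticates the caller.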
