Granting IAM User Access to API Gateway Execute API on Another Account: A Comprehensive Guide
Problem: You need to grant an IAM user in your account the ability to execute an API Gateway API deployed in a different AWS account. This scenario can arise when you have a separate account for hosting your API Gateway and another account for the application that needs to invoke the API.
Rephrased: You want someone in your team to use an API that's not hosted in your own AWS account, but instead in a separate account for API management. How can you give them the right permissions?
Scenario & Original Code
Let's say you have an API Gateway REST API deployed in Account A, and you need to grant access to an IAM user in Account B. Here's the typical scenario:
Account A (API Gateway Account):
- API Gateway REST API: my-api, with a method that uses IAM authorization, deployed to a stage (invoke URL of the form https://<api-id>.execute-api.<region>.amazonaws.com/<stage>/<path>)
- IAM Role: api-gateway-executor-role (to be created in the steps below; this is the role the user in Account B will assume)
Account B (User Account):
- IAM User: my-user
- Code, run with my-user's own credentials:
aws apigateway get-rest-api --rest-api-id <api-id>
The above command fails with an error like "An error occurred (AccessDeniedException) when calling the GetRestApi operation: User: arn:aws:iam::<Account-ID-of-Account-B>:user/my-user is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:<region>::/restapis/<api-id>". (The IAM actions of the API Gateway control plane are HTTP verbs such as apigateway:GET; there is no apigateway:GetRestApis action.) A request to the invoke URL signed with my-user's own credentials fails as well, with HTTP 403 from the execute-api endpoint: my-user is a principal of Account B, and nothing in Account A grants it execute-api:Invoke on the API.
Solution & Explanation
The solution is cross-account access through an IAM role. Two different permissions are involved, and they are easy to confuse: calling the deployed API (the execute-api:Invoke action, checked against the invoke URL) and reading or changing the API's definition through the control plane (apigateway:* actions, such as the apigateway:GET behind aws apigateway get-rest-api). You need to:
- Create a Role in Account A: The role's trust policy names the principal from Account B (my-user, or Account B as a whole) as the entity allowed to call sts:AssumeRole on it.
- Grant the Role Permissions in Account A: Attach a policy to the role that allows execute-api:Invoke on the API's stage, method and path, and apigateway:GET on the API if control-plane reads are needed too.
- Grant the User Permission in Account B: Attach an identity-based policy to my-user that allows sts:AssumeRole on the role's ARN. The user then calls STS, receives temporary credentials for the role, and uses those credentials, not its own, to call the API.
Detailed Steps:
Account A (API Gateway Account):
- Create an IAM Role: In the IAM console, go to Roles -> Create Role.
- Select "AWS account" as the trusted entity type, choose "Another AWS account" and enter the account ID of Account B. The resulting trust policy has the Principal arn:aws:iam::<Account-ID-of-Account-B>:root; after the role is created, edit the trust policy and replace that with arn:aws:iam::<Account-ID-of-Account-B>:user/my-user so that only this user, and not every principal in Account B, can assume the role.
- Do not select "AWS Service" with "API Gateway" as the service. That trust policy names apigateway.amazonaws.com as the principal, which is the role type API Gateway itself assumes for logging and integrations; an sts:AssumeRole call from my-user would be denied.
- Give the role a descriptive name like "api-gateway-executor-role".
- Attach Policy: Go to the role's permissions tab.
- Prefer a custom policy with granular permissions: execute-api:Invoke on the resource arn:aws:execute-api:<region>:<Account-ID-of-Account-A>:<api-id>/<stage>/<METHOD>/<path>, and, if the user must also read the API definition, apigateway:GET on arn:aws:apigateway:<region>::/restapis/<api-id>.
- The managed policy "AmazonAPIGatewayInvokeFullAccess" also works for a quick test, but it grants execute-api:Invoke on every API in Account A, and it does not include apigateway:GET, so the get-rest-api call from the scenario would still fail with it.
Account B (User Account):
- Create IAM Policy: In the IAM console, go to Policies -> Create Policy.
- Select the "JSON" tab and paste the following identity-based policy. It names the role as the Resource; an identity-based policy has no Principal element (the principal is whoever the policy is attached to), and the console rejects a policy that contains one with "Has prohibited field Principal":
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<Account-ID-of-Account-A>:role/api-gateway-executor-role"
}
]
}
Replace <Account-ID-of-Account-A> with the account ID of Account A.
- Attach Policy to User: Go to the IAM user's permissions tab.
- Attach the policy created in the previous step.
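The two sets of console steps above (the role and its policies in Account A, the AssumeRole policy on my-user in Account B) can also be done programmatically. The following is an added example, not the article's own code: it builds the three policy documents as Python dicts so they can be reviewed and tested, and, when run under the __main__ guard with boto3 and credentials for the matching account, creates the role and attaches the policies. The account IDs, region, API id, stage, path and the profile names "account-a" and "account-b" are placeholders.

```python
"""Provision both halves of the cross-account trust (added example)."""
import json

ROLE_NAME = "api-gateway-executor-role"


def trust_policy(trusted_principal_arn: str) -> dict:
    """Trust policy for the role in Account A. Naming the user
    (arn:aws:iam::<B>:user/my-user) rather than the account root keeps
    other principals in Account B from assuming the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_principal_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def role_permissions(region: str, account_a_id: str, api_id: str,
                     stage: str, method: str = "GET", path: str = "*") -> dict:
    """Permissions policy for the role: invoke one method/path of one stage,
    plus a control-plane read of that API so `aws apigateway get-rest-api`
    works. Nothing else in Account A is reachable through the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "InvokeDeployedApi",
                "Effect": "Allow",
                "Action": "execute-api:Invoke",
                "Resource": f"arn:aws:execute-api:{region}:{account_a_id}:{api_id}/{stage}/{method}/{path}",
            },
            {
                "Sid": "ReadApiDefinition",
                "Effect": "Allow",
                "Action": "apigateway:GET",
                # apigateway ARNs have an empty account field
                "Resource": f"arn:aws:apigateway:{region}::/restapis/{api_id}",
            },
        ],
    }


def user_assume_role_policy(account_a_id: str, role_name: str = ROLE_NAME) -> dict:
    """Identity-based policy for my-user in Account B: a Resource, no Principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{account_a_id}:role/{role_name}",
        }],
    }


def create_role_in_account_a(iam, account_b_user_arn: str, permissions: dict,
                             role_name: str = ROLE_NAME) -> str:
    """Create the role with an IAM client holding Account A credentials and
    attach the permissions inline. Returns the role ARN."""
    role = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(trust_policy(account_b_user_arn)),
        MaxSessionDuration=3600,  # one-hour sessions are enough for API calls
    )
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName=f"{role_name}-permissions",
        PolicyDocument=json.dumps(permissions),
    )
    return role["Role"]["Arn"]


def attach_assume_policy_in_account_b(iam, user_name: str, account_a_id: str) -> None:
    """Attach the AssumeRole policy inline to the user, using an IAM client
    holding Account B credentials."""
    iam.put_user_policy(
        UserName=user_name,
        PolicyName=f"assume-{ROLE_NAME}",
        PolicyDocument=json.dumps(user_assume_role_policy(account_a_id)),
    )


if __name__ == "__main__":
    import boto3  # only needed when actually provisioning

    ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"  # placeholders
    perms = role_permissions("us-east-1", ACCOUNT_A, "<api-id>", "prod", "GET", "items")
    # Each call must run with the matching account's credentials, here via
    # two named profiles (placeholders).
    iam_a = boto3.Session(profile_name="account-a").client("iam")
    print(create_role_in_account_a(iam_a, f"arn:aws:iam::{ACCOUNT_B}:user/my-user", perms))
    iam_b = boto3.Session(profile_name="account-b").client("iam")
    attach_assume_policy_in_account_b(iam_b, "my-user", ACCOUNT_A)
```

The role's permissions are scoped to one method and path of one stage; widen `method` and `path` to "*" only if the user genuinely needs the whole API.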
Account B (User Account):
Code Changes:
import boto3

# Assume the role in Account A. boto3's default credentials here are
# my-user's own (Account B); STS returns temporary credentials for the role.
sts_client = boto3.client('sts')
assumed_role_object = sts_client.assume_role(
    RoleArn="arn:aws:iam::<Account-ID-of-Account-A>:role/api-gateway-executor-role",
    RoleSessionName="api-gateway-executor-session"
)
creds = assumed_role_object['Credentials']

# Build a session from the temporary credentials. The session token is
# mandatory: without it the calls are rejected as an invalid access key.
session = boto3.Session(
    aws_access_key_id=creds['AccessKeyId'],
    aws_secret_access_key=creds['SecretAccessKey'],
    aws_session_token=creds['SessionToken'],
    region_name='<region>'
)

# Control-plane read of the API definition: get_rest_api takes the API id
# (get_rest_apis lists all APIs and accepts no restApiId).
api_gateway_client = session.client('apigateway')
response = api_gateway_client.get_rest_api(restApiId='<api-id>')
print(response['name'])
This now succeeds because the request is made with the role's credentials, and the role's policy allows apigateway:GET on the API. Note what it does: it reads the API's definition through the control plane. Invoking a method of the deployed API is a different call: an HTTPS request to the invoke URL (https://<api-id>.execute-api.<region>.amazonaws.com/<stage>/<path>) that must be SigV4-signed with these same temporary credentials, using the service name execute-api, and it succeeds only if the role's policy allows execute-api:Invoke on that stage, method and path. The apigateway boto3 client cannot make that request.
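Calling the deployed method itself, as an added example that is not part of the original article: the temporary credentials from sts:AssumeRole are used to SigV4-sign an ordinary HTTPS request to the execute-api endpoint, with the session token sent in x-amz-security-token and covered by the signature. The signer below is a standard-library implementation of SigV4 so that it runs without dependencies; in production you would hand the same credentials to botocore.auth.SigV4Auth. The role ARN, invoke URL and region under __main__ are placeholders, and path segments are assumed to contain only unreserved characters.

```python
"""Invoke the deployed API in Account A with the assumed-role credentials."""
import hashlib
import hmac
import time
import urllib.error
import urllib.parse
import urllib.request

SERVICE = "execute-api"  # SigV4 service name for the invoke endpoint


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def sigv4_headers(method, url, region, access_key, secret_key, session_token,
                  body=b"", amz_date=""):
    """Build the headers of a SigV4-signed request to an execute-api URL.

    The session token from AssumeRole is sent in x-amz-security-token and is
    one of the signed headers. amz_date (YYYYMMDDTHHMMSSZ) can be fixed for
    reproducible output; by default the current UTC time is used.
    """
    amz_date = amz_date or time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    date_stamp = amz_date[:8]
    parts = urllib.parse.urlsplit(url)
    # Canonical URI: path segments assumed to hold only unreserved characters.
    canonical_uri = urllib.parse.quote(parts.path or "/", safe="/-_.~")
    # Canonical query string: RFC 3986-encode keys and values, sort by key.
    pairs = sorted(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in pairs)
    headers = {"host": parts.netloc, "x-amz-date": amz_date,
               "x-amz-security-token": session_token}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, canonical_uri, canonical_query,
                                   canonical_headers, signed_headers,
                                   hashlib.sha256(body).hexdigest()])
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "Host": parts.netloc,
        "X-Amz-Date": amz_date,
        "X-Amz-Security-Token": session_token,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }


def invoke(url, region, creds, method="GET", body=b""):
    """Sign and send the request; creds is the 'Credentials' dict returned by
    sts.assume_role. Returns (status, body). A 403 with a JSON message means
    the role's policy does not cover this stage/method/path or the
    signature did not verify."""
    headers = sigv4_headers(method, url, region, creds["AccessKeyId"],
                            creds["SecretAccessKey"], creds["SessionToken"], body)
    req = urllib.request.Request(url, data=body or None, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")


if __name__ == "__main__":
    import boto3  # the ARN, URL and region below are placeholders
    creds = boto3.client("sts").assume_role(
        RoleArn="arn:aws:iam::<Account-ID-of-Account-A>:role/api-gateway-executor-role",
        RoleSessionName="api-gateway-executor-session")["Credentials"]
    print(invoke("https://<api-id>.execute-api.<region>.amazonaws.com/prod/items",
                 "<region>", creds))
```

If the response is 403 with {"message":"Missing Authentication Token"}, the request reached an IAM-authorized method unsigned (or a path that does not exist); a 403 with an explicit "not authorized to perform: execute-api:Invoke" message means the signature verified but the role's policy does not cover that stage, method and path.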
Additional Value
- Security: The user in Account B never holds long-lived credentials for Account A; it gets a time-limited session for a role whose permissions policy decides exactly what is reachable, and CloudTrail records the AssumeRole call with the RoleSessionName, so calls made through the role can be attributed to the session. This is least privilege only if the role's policy is scoped to the API's execute-api ARN: AmazonAPIGatewayInvokeFullAccess allows execute-api:Invoke on every API in Account A. Keep the trust policy equally narrow, naming the specific user or role in Account B rather than the account root.
- Granular Permissions: The execute-api resource ARN has the form arn:aws:execute-api:<region>:<account-id>:<api-id>/<stage>/<METHOD>/<path>, so the role can be limited to a single method on a single path of one stage. Wildcards widen it step by step: <api-id>/prod/GET/* allows every GET in the prod stage, <api-id>/prod/*/* every method in that stage.
- Alternative: If you do not want the user to assume a role, an API Gateway resource policy on the API can allow the Account B principal to invoke it directly. For a caller from another account, both that resource policy and the caller's own identity-based policy must allow execute-api:Invoke.
- Scalability: The same pattern scales to many APIs and accounts: one role per API or per consuming team in the hosting account, each with its own trust policy and permissions policy.
By following this guide, you can safely and effectively grant IAM users access to execute API Gateway APIs in different AWS accounts, enabling seamless integration and collaboration across your organization.