API Gateway

Quick Reference

```bash
# List REST APIs (v1)
aws apigateway get-rest-apis --query 'items[].[name,id]' --output table

# List HTTP APIs (v2)
aws apigatewayv2 get-apis --query 'Items[].[Name,ApiId,ApiEndpoint]' --output table

# Get API details
aws apigateway get-rest-api --rest-api-id n6wwdwmk2m

# List resources/routes for a REST API
aws apigateway get-resources --rest-api-id n6wwdwmk2m --query 'items[].[path,id]' --output table

# List routes for HTTP API
aws apigatewayv2 get-routes --api-id {api-id} --query 'Items[].[RouteKey]' --output table
```

Invoking with IAM Auth (Control Plane Gateway)

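The control plane gateway uses IAM auth, so every request must be SigV4-signed with the caller's AWS credentials. The snippet below requires the aws-requests-auth package: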

```bash
python3 -c "
import requests, json
from aws_requests_auth.boto_utils import BotoAWSRequestsAuth

host = 'n6wwdwmk2m.execute-api.us-east-1.amazonaws.com'
auth = BotoAWSRequestsAuth(aws_host=host, aws_region='us-east-1', aws_service='execute-api')

resp = requests.post(f'https://{host}/prod/v2/indexes/list', auth=auth,
                     json={'systemAccountId': 'fnqm9psx'})
print(json.dumps(resp.json(), indent=2))
"
```

Key Gateways

| Gateway | Type | Purpose | Auth |
|---|---|---|---|
| Control Plane Gateway | REST (v1) | Data plane cell operations | IAM |
| Console API | REST (v1) | Console frontend + monolith proxy | Custom authorizer |
| Ecom API | HTTP (v2) | Ecommerce API (Shopify etc.) | Lambda authorizer |
| Admin Internal API | HTTP (v2) | Admin dashboard backend | JWT (Cloudflare Access) |
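
To confirm that a REST gateway listed as IAM-authenticated enforces it on every method, the added example below (not part of the original runbook) audits the JSON produced by `aws apigateway get-resources --rest-api-id <id> --embed methods`. The sample input is constructed and its authorization values are invented for illustration; `audit_method_auth` is a hypothetical helper name.

```python
import json

# Constructed sample shaped like the output of
#   aws apigateway get-resources --rest-api-id <id> --embed methods
# Two paths come from the Key Endpoints table; resource ids, /health and all
# authorizationType values are made up and do not describe the real gateway.
SAMPLE_GET_RESOURCES = json.loads("""
{"items": [
  {"id": "aaa111", "path": "/"},
  {"id": "bbb222", "path": "/v2/indexes/list", "resourceMethods": {
    "POST":    {"httpMethod": "POST", "authorizationType": "AWS_IAM", "apiKeyRequired": false},
    "OPTIONS": {"httpMethod": "OPTIONS", "authorizationType": "NONE", "apiKeyRequired": false}}},
  {"id": "ccc333", "path": "/account/key/validate", "resourceMethods": {
    "POST": {"httpMethod": "POST", "authorizationType": "NONE", "apiKeyRequired": false}}},
  {"id": "ddd444", "path": "/health", "resourceMethods": {
    "GET": {"httpMethod": "GET", "authorizationType": "CUSTOM", "apiKeyRequired": false}}}
]}
""")


def audit_method_auth(resources, expected="AWS_IAM", allow_unauthenticated=("OPTIONS",)):
    """Return sorted (path, method, authorizationType) for methods not using `expected`.

    OPTIONS is exempt by default: CORS preflight requests carry no credentials,
    so those methods are normally deployed with authorizationType NONE.
    """
    findings = []
    for item in resources.get("items", []):
        # Resources without methods (e.g. "/") have no resourceMethods key.
        for verb, method in (item.get("resourceMethods") or {}).items():
            # Without --embed methods the method objects are empty, so the
            # type is reported as MISSING instead of being silently passed.
            auth_type = method.get("authorizationType", "MISSING")
            if verb in allow_unauthenticated and auth_type == "NONE":
                continue
            if auth_type != expected:
                findings.append((item["path"], verb, auth_type))
    return sorted(findings)


if __name__ == "__main__":
    for path, verb, auth_type in audit_method_auth(SAMPLE_GET_RESOURCES):
        print(f"{verb:7} {path:25} authorizationType={auth_type} (expected AWS_IAM)")
```

For a real gateway, save the CLI output to a file and pass the parsed JSON to `audit_method_auth`; an empty result means every non-preflight method requires AWS_IAM.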

Data Plane Cell Gateways

Cell config is in infra/*/config/{env}.json under data_plane_cells:

| Cell | Gateway ID | Account | Region |
|---|---|---|---|
| S (staging) | n6wwdwmk2m | 468036072962 | us-east-1 |
| PP (preprod) | me25xyukr9 | 010928202142 | us-east-1 |
| P1 (prod) | m6j1teqnte | 023568249301 | us-east-1 |

Endpoint pattern: https://{gateway_id}.execute-api.{region}.amazonaws.com/prod{path}

Key Endpoints

| Method | Path | Body | Description |
|---|---|---|---|
| POST | /v2/indexes/list | {"systemAccountId": "..."} | List indexes for a system account |
| POST | /account/key/validate | {"key": "..."} | Validate an API key |

What to Look For

| Symptom | Check |
|---|---|
| 5XX errors | CloudWatch metrics: 5XXError for the API |
| 4XX errors | CloudWatch metrics: 4XXError, check WAF logs |
| Latency | CloudWatch metrics: Latency, IntegrationLatency |
| Auth failures | Check authorizer Lambda logs (if custom) |
| Rate limiting | WAF WebACL logs (2000 req/5min per IP/API key) |