Amazon API Gateway
Developer Guide

Get Ready to Use Amazon API Gateway

Before using API Gateway for the first time, you must have an AWS account set up. To create, configure and deploy an API in API Gateway, you must have an appropriate IAM policy provisioned with access rights to the API Gateway control service. To permit your API clients to invoke your API in API Gateway, you must set up the right IAM policy to allow the clients to call the API Gateway execution service. To allow API Gateway to invoke an AWS service in the back end, API Gateway must have permissions to assume the roles required to call the back-end AWS service. When an API Gateway API is set up to use AWS IAM roles and policies to control client access, the client must sign API Gateway API requests with Signature Version 4.

An understanding of these topics is important for using API Gateway and for following the tutorials and instructions presented here. This section provides brief discussions of, or quick references to, these topics.

Sign Up for AWS

Go to http://aws.amazon.com/, choose Create an AWS Account, and follow the instructions therein.

Create an IAM User, Group or Role in Your AWS Account

As a security best practice, you should refrain from using your AWS root account to access API Gateway. Instead, create a new AWS Identity and Access Management (IAM) user or use an existing one in your AWS account, and then access API Gateway with that IAM user's credentials.

To manage access for a user, you can create an IAM user and grant the user API Gateway access permissions. To create a new IAM user, see Creating an IAM User.

To manage access for a group of users, you can create an IAM group, grant the group API Gateway access permissions and then add one or more IAM users to the group. To create an IAM group, see Creating IAM Groups.

To delegate access to specific users, apps or services, you can create an IAM role, add the specified users or groups to the role, and grant the users or groups API Gateway access permissions. To create an IAM role, see Creating IAM Roles.

When setting up your API, you need to specify the ARN of an IAM role to control access to the API's methods. Make sure that this is ready when creating an API.

Grant IAM Users Permissions to Access API Gateway Control and Execution Services

In AWS, access permissions are stated as policies. A policy created by AWS is a managed policy and one created by a user is an inline policy.

For the API Gateway control service, the managed policy AmazonAPIGatewayAdministrator (arn:aws:iam::aws:policy/AmazonAPIGatewayAdministrator) grants full access to create, configure and deploy an API in API Gateway:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "apigateway:*"
          ],
          "Resource": "arn:aws:apigateway:*::/*"
        }
      ]
    }

To grant the stated permissions to a user, attach the policy to the user or to a group containing the user. To attach a policy, see Attaching Managed Policies.

Attaching the preceding policy to an IAM user provides the user with access to all API Gateway control service actions and resources associated with the AWS account. To learn how to restrict IAM users to a limited set of API Gateway control service actions and resources, see Use IAM Permissions.

For the API Gateway execution service, the managed policy AmazonAPIGatewayInvokeFullAccess (arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess) provides full access to invoke an API in API Gateway:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "execute-api:Invoke"
          ],
          "Resource": "arn:aws:execute-api:*:*:*"
        }
      ]
    }

Attaching the preceding policy to an IAM user provides the user with access to all API Gateway execution service actions and resources associated with the AWS account. To learn how to restrict IAM users to a limited set of API Gateway execution service actions and resources, see Use IAM Permissions.

To grant the stated permissions to a user, attach the policy to the user or to a group containing the user. To attach a policy, see Attaching Managed Policies.

In this documentation, we will use managed policies whenever possible. To create and use inline policies, see Working with Inline Policies.
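Both managed policies above allow their actions on every API in the account. The following check is an added example, not part of the AWS guide: it flags Allow statements for the control or execution service whose resource ARN names no specific API. The function names, the `SCOPED` policy and its account and API ids are constructed for illustration; `NotAction` and `NotResource` are not evaluated.

```python
import json

# The two services this page covers: control plane and execution.
SERVICES = ("apigateway", "execute-api")

def _as_list(value):
    # IAM accepts a single string or object wherever a list is allowed.
    return value if isinstance(value, list) else [value]

def resource_is_unscoped(arn):
    """True when the ARN names no specific API.

    Control:   arn:aws:apigateway:<region>::<path>
    Execution: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<verb>/<path>
    """
    if arn == "*":
        return True
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[2] not in SERVICES:
        return False
    tail = parts[5]
    return tail in ("*", "/*") or tail.startswith("*/")

def broad_statements(policy_json):
    """Return (action, resource) pairs that allow API Gateway access to every API."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action != "*" and action.split(":", 1)[0].lower() not in SERVICES:
                continue
            for arn in _as_list(stmt.get("Resource", [])):
                if resource_is_unscoped(arn):
                    findings.append((action, arn))
    return findings

# The two managed policies quoted on this page.
ADMIN = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["apigateway:*"],"Resource":"arn:aws:apigateway:*::/*"}]}'
INVOKE = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["execute-api:Invoke"],"Resource":"arn:aws:execute-api:*:*:*"}]}'
# Constructed example: one stage and method of one API (placeholder account and API id).
SCOPED = '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"execute-api:Invoke","Resource":"arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/prod/GET/pets"}}'

if __name__ == "__main__":
    for name, doc in (("admin", ADMIN), ("invoke", INVOKE), ("scoped", SCOPED)):
        print(name, broad_statements(doc))
```

A region-only restriction such as `arn:aws:apigateway:us-east-1::/*` is still reported, because it covers every API in that region.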

Note

To complete the steps above, you must have permission to create the IAM policy and attach it to the desired IAM user.

Next Step

You are now ready to start using API Gateway. See Create an API Gateway API from an Example.