Connect AWS API Gateway
Connect Amazon API Gateway in Apiable. Enter the gateway name, AWS Account ID, AWS Region, and the Role ARN Apiable assumes, then run Test Connection.
You connect Amazon API Gateway under Integrations → API Gateways. You give the connection a name, enter your AWS Account ID and AWS Region, and paste the Role ARN that Apiable assumes into your account. Then you run Test Connection. Amazon API Gateway is the fully implemented gateway path in Apiable.
Where do you connect Amazon API Gateway?
Go to Integrations → API Gateways, choose + Add Gateway, and on Select an API Gateway Type pick Amazon API Gateway - Basic or Amazon API Gateway - Advanced, then connect.
- Open Integrations → API Gateways.
- Choose + Add Gateway.
- On Select an API Gateway Type, select Amazon API Gateway - Basic or Amazon API Gateway - Advanced.
- Confirm the selection to open the connect form. The gateway type is shown at the top.
What does each AWS field mean?
The connect form asks for a name and three AWS values. Apiable assumes the role you name, so you do not paste an access key or secret.
| Field | What to enter |
|---|---|
| Name | A label for this connection inside Apiable. Required. |
| AWS Account ID | The AWS account number that holds your API Gateway. Required. |
| AWS Region | The region your gateway runs in, chosen from the list, for example eu-central-1. Required. |
| Role ARN | The ARN of the IAM role Apiable assumes into your account, for example arn:aws:iam::123456789012:role/apiable-gateway. Required. |
The left side of the form shows Instructions for creating the role, with your Region and Account ID filled into the example values as you type. Follow them to create a role that trusts Apiable, then paste its ARN into Role ARN.
How do you set up the IAM role Apiable assumes?
Create an IAM role in your account with two parts: a trust policy that lets the Apiable AWS account assume it, and a permission policy that grants access to API Gateway. Paste the role's ARN into Role ARN.
Apiable assumes the role using AWS Security Token Service, with the session name GatewaySetupAssumeRole. It does not store an access key or secret. The Apiable CDK in the apiable/cdk repository creates this role for you with deploy-gatewayrole.sh, and the role ARN is in the stack output. The two policies below are what that role contains.
Trust policy
The trust policy names the Apiable AWS account 034444869755 as principal and allows sts:AssumeRole. This is what lets Apiable assume the role into your account.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::034444869755:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Permission policy
The permission policy grants access to API Gateway in the region your gateway runs. The CDK-created role allows API Gateway actions on every API Gateway resource in the region.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "apigateway:*",
      "Resource": "arn:aws:apigateway:REGION::/*"
    }
  ]
}
```
Replace REGION with your gateway's region, for example eu-central-1. Apiable exercises read access to list your REST APIs, stages, usage plans, and keys, and write access to create and update usage plans, stages, and API keys when it deploys subscriptions. If you prefer least privilege over apigateway:*, scope the policy to those read and write actions on the same resources.
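A static check of the two policies above before you paste the Role ARN, added here as an example (it is not Apiable's or the CDK's code). The function names are hypothetical, and it assumes the role should trust only the Apiable account and only reach API Gateway resources in the gateway's region; the sample permission policy deliberately leaves REGION unreplaced.

```python
import json

APIABLE_ACCOUNT = "034444869755"  # Apiable principal account, from the trust policy above
APIABLE_PRINCIPALS = (f"arn:aws:iam::{APIABLE_ACCOUNT}:root", APIABLE_ACCOUNT)

def as_list(value):
    """IAM accepts a bare string where a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust(policy):
    """Findings for a trust policy that should admit only the Apiable account."""
    findings, apiable_ok = [], False
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        arns = ["*"] if principal == "*" else [a for v in principal.values() for a in as_list(v)]
        for arn in arns:
            if arn not in APIABLE_PRINCIPALS:
                findings.append(f"trust: unexpected principal {arn}")
            elif "sts:AssumeRole" in as_list(st.get("Action", [])):
                apiable_ok = True
    if not apiable_ok:
        findings.append("trust: Apiable cannot assume this role")
    return findings

def audit_permissions(policy, region):
    """Findings for the permission policy of a gateway running in `region`."""
    findings, prefix = [], f"arn:aws:apigateway:{region}::/"
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action in as_list(st.get("Action", [])):
            if not action.startswith("apigateway:"):
                findings.append(f"permissions: action outside API Gateway: {action}")
            elif action == "apigateway:*":
                findings.append("permissions: apigateway:* is wider than the calls Apiable makes")
        for res in as_list(st.get("Resource", [])):
            if not res.startswith(prefix):
                findings.append(f"permissions: resource not in {region}: {res}")
    return findings

# Constructed input: the page's two policies, REGION not yet replaced in the second.
TRUST = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                   '"Principal":{"AWS":"arn:aws:iam::034444869755:root"},"Action":"sts:AssumeRole"}]}')
PERMS = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                   '"Action":"apigateway:*","Resource":"arn:aws:apigateway:REGION::/*"}]}')

if __name__ == "__main__":
    for finding in audit_trust(TRUST) + audit_permissions(PERMS, "eu-central-1"):
        print(finding)
```

The apigateway:* finding is informational: the CDK-created role uses it, and it only matters if you have chosen the least-privilege route.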
How do you test and save the AWS connection?
Fill in all four fields, then click the refresh control labelled Test Connection. Apiable lists your REST APIs to confirm the role works. A green check reads passed; a red mark reads failed. Then click Save Changes.
- Enter Name, AWS Account ID, AWS Region, and Role ARN. Test Connection stays disabled until all four are filled.
- Click the refresh control to run Test Connection. Apiable calls your account and lists your REST APIs as the check.
- Read the result: a green check means the test passed; a red mark means it failed.
- Click Save Changes. The gateway appears on the API Gateways list with its Type, Created, and Edited times.
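Test Connection makes Apiable assume the role, so the call shows up as an sts AssumeRole record in your account's CloudTrail. The following added example (not Apiable's code) reviews such records against the account ID and session name this page states; the function names and the sample events are constructed, the role ARN is the page's example value, and it assumes every Apiable call uses the GatewaySetupAssumeRole session name.

```python
APIABLE_ACCOUNT = "034444869755"             # Apiable's account, from the trust policy
EXPECTED_SESSION = "GatewaySetupAssumeRole"  # session name stated on this page
ROLE_ARN = "arn:aws:iam::123456789012:role/apiable-gateway"  # the page's example ARN

def review_assume_role(events, role_arn=ROLE_ARN):
    """Return (eventTime, verdict, reasons) for each AssumeRole call on role_arn."""
    results = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("sts.amazonaws.com", "AssumeRole"):
            continue  # not an STS AssumeRole record
        params = ev.get("requestParameters") or {}
        if params.get("roleArn") != role_arn:
            continue  # some other role in the account
        caller = (ev.get("userIdentity") or {}).get("accountId")
        session = params.get("roleSessionName")
        reasons = []
        if caller != APIABLE_ACCOUNT:
            reasons.append(f"caller account {caller} is not Apiable")
        if session != EXPECTED_SESSION:
            reasons.append(f"session name {session} is not {EXPECTED_SESSION}")
        results.append((ev.get("eventTime"), "alert" if reasons else "ok", reasons))
    return results

def _event(time, account, session, name="AssumeRole", role=ROLE_ARN):
    """Build a constructed CloudTrail-shaped record with only the fields read above."""
    return {"eventTime": time, "eventSource": "sts.amazonaws.com", "eventName": name,
            "userIdentity": {"type": "AWSAccount", "accountId": account},
            "requestParameters": {"roleArn": role, "roleSessionName": session}}

# Constructed sample records; account 111122223333 stands in for an unknown caller.
SAMPLE_EVENTS = [
    _event("2024-01-01T10:00:00Z", "034444869755", "GatewaySetupAssumeRole"),
    _event("2024-01-01T10:05:00Z", "111122223333", "GatewaySetupAssumeRole"),
    _event("2024-01-01T10:06:00Z", "034444869755", "adhoc-session"),
    _event("2024-01-01T10:07:00Z", "034444869755", None, name="GetCallerIdentity"),
    _event("2024-01-01T10:08:00Z", "111122223333", "x", role="arn:aws:iam::123456789012:role/other"),
]

if __name__ == "__main__":
    for when, verdict, reasons in review_assume_role(SAMPLE_EVENTS):
        print(when, verdict, "; ".join(reasons))
```

A caller-account alert means the trust policy has been widened beyond what this page describes and should be compared with the original.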
How do you point the AWS gateway at an Authorization Server?
Open the saved gateway and go to its Authorization tab. In the OAuth 2.0 section, choose Gateway-native only or Authorization Server. Picking Authorization Server reveals a picker of your connected servers.
The tab also shows a Level 0 API Key section, which is provided by the gateway and always available, and a Product-level governance section, which controls whether plans on this gateway must use the gateway's chosen server. Click Save Changes to apply. See Authorization Servers.
Where do your AWS APIs appear after connecting?
They appear when you build a plan. Apiable lists the APIs and stages on the connected gateway, and you choose which the plan exposes. The connect form itself only sets up the connection.
A saved Amazon gateway syncs your REST APIs and their stages. You select from them, and Apiable deploys each new subscription to the gateway. See APIs and coupling for picking APIs and how coupling works.
How do you meter usage on AWS for billing?
Connecting the gateway deploys subscriptions and applies rate limits, but it does not stream per-request usage. To bill on usage and see per-subscription analytics, enable access logging so Apiable receives a record of every call.
You deploy a Kinesis Firehose stream that ships your gateway's access logs to S3, then point the stage at it with a one-line log format. Apiable meters each call to the right plan and subscription. See Enable usage logs on AWS API Gateway for the full setup, then Monetization to turn that usage into invoices.
How do you re-sync an API specification from AWS?
In a plan's Documentation tab, choose Gateway Synchronization, then Fetch Latest Version to pull the current specification from AWS. If you have not uploaded a specification, Amazon generates one from the API schema.
What does Amazon API Gateway support in Apiable?
Everything in the core flow, plus the full set of per-key operations. Amazon API Gateway is the fully implemented adapter.
On Amazon API Gateway, Apiable implements API sync, subscription deployment, rotating a subscription's secret, enabling and disabling an API key, validating that a plan exists on the gateway, and reading usage per plan and per key. Kong, Azure, and Apigee connect and sync today but do not yet implement those per-key operations.
Troubleshooting
Match what you see to the fix.
| What you see | What to do |
|---|---|
| Test Connection is greyed out | One of the four fields is empty. Fill Name, AWS Account ID, AWS Region, and Role ARN. |
| Test Connection shows a red mark and failed | Apiable could not list your REST APIs with that role. Check the Role ARN, that its trust policy allows Apiable, and that the AWS Region matches where your gateway runs. |
| Banner: your account does not have a sufficient role to manage gateway integrations | Your role cannot create or edit gateways. Ask an admin for the gateway management role, then reopen the form. |
| The Amazon type shows Coming soon and cannot be picked | Your plan does not include that gateway type. The API Gateways page shows how many gateways your plan allows. |
| Delete is disabled on the gateway's row menu | A plan still uses this gateway. Repoint or remove those plans, then delete the gateway. |
| A saved gateway shows a read only badge | The gateway is marked read only and cannot be edited or deleted from the dashboard. |
| AWS returns Max number for method throttle configuration reached for RestApi (HTTP 400) | This is an AWS Service Quota, not an Apiable limit. The quota API Stage throttles in a usage plan defaults to 20. In AWS Service Quotas under API Gateway, raise it, for example to 100, then retry. |