Amazon API Gateway Concepts: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
Line 165: Line 165:


  arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess
  arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess
<font color=darkgray>To refine the permissions, see Amazon API Gateway Developer Guide Page 241 "Control Access to an API with IAM Permissions".</font>

Revision as of 05:04, 5 February 2019

External

Internal

REST and Hypermedia Concepts

Resource, Method, Request, Response

Amazon API Gateway

Amazon API Gateway is the preferred way to expose internal AWS endpoints to external clients, in form of a consistent and scalable programming REST interface (REST API). Amazon API Gateway can expose the following integration endpoints: internal HTTP(S) endpoints - representing custom services, AWS Lambda functions and other AWS services, such as Amazon Kinesis or Amazon S3. The backend endpoints are exposed by creating an API Gateway REST API (RestApi) and integrating API methods with their corresponding backend endpoints. Each of the backend endpoints specified above is associated with an integration type.

Amazon Gateway URL

The URL is determined by a protocol (HTTP(S) or WSS), a hostname, a stage name and, for REST APIs, the resource path.

Amazon Gateway API Base URL

The hostname and the stage name determine the API's base URL.

Amazon Gateway Hostname

https://{restapi-id}.execute-api.{region}.amazonaws.com

Integration

Integration Endpoints and Types

Amazon API Gateway can integrate three types of backend endpoints, and can also simulate a mock integration endpoint:

The integration type is defined by how the API Gateway passes data to and from the integration endpoint:

Proxy Integration

In general, proxy integration implies a simple integration setup with a single HTTP endpoint or Lambda function, where the client request is passed with minimal, or no processing at all, to the backend, as input, and the backend processing result is passed directly to the client. This integration relies on direct interaction between the client and the integrated backend. Because of that, the backend can evolve without requiring updates or reconfiguration of the integration point in the API Gateway. There is no need to set the integration request or integration response. This is the preferred integration type to call Lambda functions through the API Gateway.

Custom Integration

Custom integration implies a more elaborated setup procedure. For a custom integration, both the integration request and integration response must be configured, and necessary data mappings from the method request to the integration request and from the integration response to the method response must be put in place. Among other things, custom integration allows for reuse of configured mapping templates for multiple integration endpoints that have similar requirements of the input and output data formats. Since the setup is more involved, custom integration is recommended for more advanced application scenarios.

Mock Integration

This integration type lets API Gateway return a response without sending the request further to the backend. It is useful for testing and enables collaborative development of an API, where a team can isolate their development effort by setting up simulations of the API components owned by other teams.

Configuring Integration Type

For details on how to configure a specific integration type, see below:

Integration resource

Integration Request

Integration Response

Also see IntegrationResponse below.

Mapping Template

API Gateway Resources

Amazon API Gateway Resources that Require Redeployment

Where are these resources living?

RestApi

Resource

Method

RequestValidator

MethodResponse

Integration

Integration resource reference

The integration type can be specified programmatically by setting the type property of the Integration resource as such:

  • AWS: exposes an AWS service action, including Lambda, as an integration endpoint, via custom integration.
  • AWS_PROXY: exposes a Lambda function (but no other AWS service) as an integration endpoint, via proxy integration.
  • HTTP: exposes a HTTP(S) endpoint as an integration endpoint, via custom integration.
  • HTTP_PROXY: exposes a HTTP(S) endpoint as an integration endpoin, via proxy integration.
  • MOCK: sets up a mock integration endpoint.

IntegrationResponse

Also see Integration Response above.

GatewayResponse

DocumentationPart

DocumentationVersion

Model

ApiKey

Authorizer

VpcLink

Amazon API Gateway Resources that Require Configuration Changes without Redeployment

Account

Deployment (API Deployment)

A Deployment resource represents a REST API deployment in Amazon API Gateway. The Deployment is like an executable of an API represented by a RestApi resource. Once an RestApi is created, it requires deployment and association with a stage to make it callable by its users. To call a deployed URL, clients submit requests against the API's URL.

Resource updates require redeploying the API, whereas configuration updates to not.

DomainName

BasePathMapping

Stage

Stage

An API stage is represented by a Stage resource and represents a named reference to a deployment, and at the same time, a snapshot of the API, including methods, integrations, models, mapping templates, Lambda authorizers, etc.

Usage

UsagePlan

API Gateway Link Relations

Link Relations

API Documentation

See DocumentationPart and DocumentationVersion above.

X-Ray Integration

API request latency issues can be troubleshot by enabling AWS X-Ray. AWS X-Ray can be used to trance API requests and downstream services.

CORS

The API Gateway console integrates the OPTIONS method to support CORS with a mock integration.

Security

Creation, Configuration and Deployment

To create, configure and deploy an API in API Gateway, the IAM user doing it must have provisioned an IAM policy that includes access permissions for manipulating the API Gateway resources and link relations. The "AmazonAPIGatewayAdministrator" AWS-managed policy grants full access to create, configure and deploy an API in API Gateway:

arn:aws:iam::aws:policy/AmazonAPIGatewayAdministrator

Attaching the preceding policy to an IAM user allows ("Effect":"Allow") the user to act with any API Gateway actions ("Action":["apigateway:*"]) on any API Gateway resources (arn:aws:apigateway:*::/*) that are associated with the user's AWS account. To refine the permissions, see Amazon API Gateway Developer Guide Page 241 "Control Access to an API with IAM Permissions".

Access

The following policy grants full access on how an API is invoked:

arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess

To refine the permissions, see Amazon API Gateway Developer Guide Page 241 "Control Access to an API with IAM Permissions".