API Gateway
Quick Reference
```bash
# List REST APIs (v1)
aws apigateway get-rest-apis --query 'items[].[name,id]' --output table

# List HTTP APIs (v2)
aws apigatewayv2 get-apis --query 'Items[].[Name,ApiId,ApiEndpoint]' --output table

# Get API details
aws apigateway get-rest-api --rest-api-id 9ok9ywt6u5

# List resources/routes for a REST API
aws apigateway get-resources --rest-api-id 9ok9ywt6u5 --query 'items[].[path,id]' --output table

# List routes for HTTP API
aws apigatewayv2 get-routes --api-id {api-id} --query 'Items[].[RouteKey]' --output table
```
Invoking with IAM Auth (Control Plane Gateway)
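The control plane gateway uses IAM auth, so every request must be SigV4-signed for the execute-api service. The snippet below requires the aws-requests-auth package, which picks up credentials through boto: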
```bash
python3 -c "
import requests, json
from aws_requests_auth.boto_utils import BotoAWSRequestsAuth
host = '9ok9ywt6u5.execute-api.us-east-1.amazonaws.com'
auth = BotoAWSRequestsAuth(aws_host=host, aws_region='us-east-1', aws_service='execute-api')
resp = requests.post(f'https://{host}/prod/v2/indexes/list', auth=auth,
                     json={'systemAccountId': 'fnqm9psx'})
print(json.dumps(resp.json(), indent=2))
"
```
Key Gateways
| Gateway | Type | Purpose | Auth |
|---|---|---|---|
| Control Plane Gateway | REST (v1) | Data plane cell operations | IAM |
| Console API | REST (v1) | Console frontend + monolith proxy | Custom authorizer |
| Ecom API | HTTP (v2) | Ecommerce API (Shopify etc.) | Lambda authorizer |
| Admin Internal API | HTTP (v2) | Admin dashboard backend | JWT (Cloudflare Access) |
Data Plane Cell Gateways
Cell config is in infra/*/config/{env}.json under data_plane_cells:
| Cell | Gateway ID | Account | Region |
|---|---|---|---|
| S (staging) | 9ok9ywt6u5 | 468036072962 | us-east-1 |
| PP (preprod) | me25xyukr9 | 010928202142 | us-east-1 |
| P1 (prod) | m6j1teqnte | 023568249301 | us-east-1 |
Endpoint pattern: https://{gateway_id}.execute-api.{region}.amazonaws.com/prod{path}
Key Endpoints
| Method | Path | Body | Description |
|---|---|---|---|
| POST | /v2/indexes/list | {"systemAccountId": "..."} | List indexes for a system account |
| POST | /account/key/validate | {"key": "..."} | Validate an API key |
What to Look For
| Symptom | Check |
|---|---|
| 5XX errors | CloudWatch metrics: 5XXError for the API |
| 4XX errors | CloudWatch metrics: 4XXError, check WAF logs |
| Latency | CloudWatch metrics: Latency, IntegrationLatency |
| Auth failures | Check authorizer Lambda logs (if custom) |
| Rate limiting | WAF WebACL logs (2000 req/5min per IP/API key) |
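
For the rate-limiting and 4XX checks above, this added example (not part of the original runbook) scans AWS WAF log lines and reports clients that reached 2000 requests in a trailing 5-minute window or were blocked by a rate-based rule. The `x-api-key` header name, the constructed sample records, and the trailing-window count (an approximation of how WAF evaluates the rule) are assumptions.

```python
import hashlib
import json
from collections import defaultdict, deque

WINDOW_MS = 5 * 60 * 1000  # 5-minute window quoted in the table above
LIMIT = 2000               # requests per window per IP / API key

def client_key(rec, key_header="x-api-key"):  # header name is an assumption
    req = rec.get("httpRequest", {})
    for h in req.get("headers") or []:
        if h.get("name", "").lower() == key_header:
            # Report a short digest so raw API keys never reach the output.
            return "key:" + hashlib.sha256(h.get("value", "").encode()).hexdigest()[:12]
    return "ip:" + req.get("clientIp", "unknown")

def triage(lines, limit=LIMIT, window_ms=WINDOW_MS):
    """Return {client: {"peak": n, "rate_blocked": n}} for clients that reached
    `limit` in any trailing window or were blocked by a rate-based rule."""
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    stats = defaultdict(lambda: {"peak": 0, "rate_blocked": 0})
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
    for rec in sorted(records, key=lambda r: r.get("timestamp", 0)):
        who, ts = client_key(rec), rec.get("timestamp", 0)
        q = recent[who]
        q.append(ts)
        while q[0] <= ts - window_ms:
            q.popleft()
        stats[who]["peak"] = max(stats[who]["peak"], len(q))
        if rec.get("action") == "BLOCK" and rec.get("terminatingRuleType") == "RATE_BASED":
            stats[who]["rate_blocked"] += 1
    return {w: s for w, s in stats.items() if s["peak"] >= limit or s["rate_blocked"]}

def rec_line(ts, ip, action="ALLOW", rule_type="REGULAR"):
    return json.dumps({"timestamp": ts, "action": action, "terminatingRuleType": rule_type,
                       "httpRequest": {"clientIp": ip, "uri": "/prod/v2/indexes/list", "headers": []}})

# Constructed sample: 203.0.113.7 bursts and gets blocked; 198.51.100.9 stays quiet.
SAMPLE = [rec_line(1_700_000_000_000 + i * 100, "203.0.113.7") for i in range(2000)]
SAMPLE += [rec_line(1_700_000_200_000 + i, "203.0.113.7", "BLOCK", "RATE_BASED") for i in range(3)]
SAMPLE += [rec_line(1_700_000_000_000 + i * 60_000, "198.51.100.9") for i in range(10)]
SAMPLE.append("{truncated")

if __name__ == "__main__":
    for who, s in triage(SAMPLE).items():
        print(who, s)
```

Feed it the WebACL's log lines for the affected API; a client with a high `peak` but no `rate_blocked` count is approaching the limit without having tripped it.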