API Gateway ARN — REST and HTTP API Identification
Parse an API Gateway ARN to understand the different formats for REST APIs, HTTP APIs, stages, and execution ARNs used in IAM authorization.
Detailed Explanation
API Gateway ARN Formats
API Gateway has multiple ARN formats depending on whether you are referencing the API resource itself or its execution endpoint for IAM authorization.
REST API ARN
arn:aws:apigateway:us-east-1::/restapis/abc123def4
Parsed Components
| Component | Value |
|---|---|
| Partition | aws |
| Service | apigateway |
| Region | us-east-1 |
| Account ID | (empty) |
| Resource Type | (none) |
| Resource ID | /restapis/abc123def4 |
Empty Account ID
API Gateway management ARNs have an empty account ID field. This is unusual — most regional services include the account ID. The reason is historical: API Gateway resources are identified by their API ID, which is unique within a region.
Execution ARNs for IAM Authorization
When using IAM authorization on API Gateway, the execution ARN follows a different pattern:
arn:aws:execute-api:us-east-1:123456789012:abc123def4/prod/GET/users
Note that the service is execute-api (not apigateway) and that the account ID is present. The resource portion consists of the API ID, stage name, HTTP method, and resource path, separated by slashes.
Wildcard Patterns for Execution ARNs
IAM policies commonly use wildcards in execution ARNs:
- All methods on all resources:
  arn:aws:execute-api:us-east-1:123456789012:abc123def4/prod/*/*
- All stages:
  arn:aws:execute-api:us-east-1:123456789012:abc123def4/*
HTTP API vs. REST API
HTTP APIs (API Gateway v2) use a similar execution ARN format, but their management ARNs reference /apis/ instead of /restapis/.
Use Case
Configuring IAM policies for API clients that need to invoke specific API Gateway endpoints. Execution ARNs are used in custom authorizer Lambda functions to generate IAM policy documents that grant or deny access to specific API routes.
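An added example (not from the original page): a Python parser for the management and execution ARN shapes described above, plus a helper that turns the execution ARN a Lambda authorizer receives into a policy limited to named routes rather than the `/*` wildcards. The function names and the `allowed_routes` parameter are hypothetical; the sample ARNs are the page's own example values.

```python
import json

# Constructed sample: the page's example execution ARN, as delivered to an authorizer.
SAMPLE_METHOD_ARN = "arn:aws:execute-api:us-east-1:123456789012:abc123def4/prod/GET/users"

def parse_arn(arn):
    """Split an API Gateway management or execution ARN into its fields."""
    parts = arn.split(":", 5)  # only the first five colons are field separators
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    out = {"partition": partition, "service": service, "region": region,
           "account": account, "resource": resource}
    if service == "execute-api":
        # api-id/stage/METHOD/path; the path keeps its own slashes
        seg = resource.split("/", 3)
        seg += [None] * (4 - len(seg))
        out.update(api_id=seg[0], stage=seg[1], method=seg[2], path=seg[3])
    elif service == "apigateway":
        # Management ARN (empty account): /restapis/ is REST, /apis/ is HTTP
        kind, _, rest = resource.lstrip("/").partition("/")
        out.update(api_type={"restapis": "REST", "apis": "HTTP"}.get(kind),
                   api_id=rest.split("/")[0])
    else:
        raise ValueError(f"unexpected service: {service}")
    return out

def scoped_policy(principal_id, method_arn, allowed_routes):
    """Hypothetical helper: allow only the listed (METHOD, path) pairs."""
    a = parse_arn(method_arn)
    if a["service"] != "execute-api" or not (a["api_id"] and a["stage"]):
        raise ValueError("expected an execution ARN with API ID and stage")
    if "*" in a["api_id"] or "*" in a["stage"]:
        raise ValueError("refusing to anchor a policy on a wildcard API or stage")
    base = (f"arn:{a['partition']}:execute-api:{a['region']}:"
            f"{a['account']}:{a['api_id']}/{a['stage']}")
    resources = [f"{base}/{m.upper()}/{p.lstrip('/')}" for m, p in allowed_routes]
    # No permitted route: return an explicit Deny over the whole stage.
    effect = "Allow" if resources else "Deny"
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [{
                "Action": "execute-api:Invoke", "Effect": effect,
                "Resource": resources or [f"{base}/*/*"]}]}}

if __name__ == "__main__":
    print(json.dumps(scoped_policy("user-1", SAMPLE_METHOD_ARN, [("get", "/users")]), indent=2))
```

Building the `Resource` list from the parsed API ID and stage keeps the grant on the API and stage that were actually invoked, so a token valid for prod does not also authorize other stages.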