How to access API Gateway endpoint from another account?

Question

I've an API that should only be accessed from another AWS account. I've followed some AWS documentation and this is what I've done:

• Created an internal NLB in front of an ASG. All these are in a private subnet.
• Created an API Gateway that connects to the NLB using a VPC Link.
• Created a Custom Domain Name (via Route53) and set a certificate using ACM.
• The resources use AWS_IAM as authorisation.
• The resource policy grants the other account authorisation to the resource.
• In the authorised account, I've created an EC2 instance and associated an IAM role with full access to the API Gateway.

When I try to connect signing the requests (using this), it works just fine. But the the request signing requires the AWS access key and secret key. This doesn't sound right to me. What am I doing wrong? Is there another way of doing this without the credentials?

Cheers.

Answer 1

When required to provide the access key and secret key, I suppose you need to install the authorising app called Postman (please check out this doc：https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-use-postman-to-call-api.html).

Also, in your step 5, I think if you want to access the api gateway endpoint from an ec2, you have to firstly create a Role within that ec2 account, and then attach the Role to that ec2, finally grant the Role with api gateway permission in your current account.