
Amazon API Gateway
Amazon Web Services- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
Integrates with Amazon API Gateway to inventory the API
endpoints published across the configured AWS accounts and regions. API Gateway hosts two distinct
API families that are exposed through separate control-plane APIs, so the connector synchronizes two
models: REST APIs (API Gateway v1) and HTTP / WebSocket APIs (API Gateway v2). For each API
the connector also enumerates its methods (REST) or routes (HTTP), records their authorization types,
and derives whether the API exposes any unauthenticated (NONE-auth) surface, which drives
public-exposure analysis. Both models are emitted to the UDM ApiEndpoint target.
Data retrieved from Amazon API Gateway
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| ApiGatewayRestApi | Yes | Api Endpoint |
| ApiGatewayHttpApi | Yes | Api Endpoint |
For detailed steps on how to view the data retrieved from Amazon API Gateway in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Amazon API Gateway from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| Access key ID | No | — | AWS user access key ID, if not specified, the connector consults the default credentials provider chain to try and determine the \ |
| Secret access key | No | — | AWS user secret access key, if not specified, the connector consults the default credentials provider chain to try and determine the \ |
| Default region | No | us-east-1 | Default AWS region, if not specified, the connector consults the default region provider chain to try and determine the region to use. |
| Assume role | No | — | Amazon Resource Name for the role to assume. |
| Session duration | No | — | Assume role session duration in seconds. |
| Page size | No | 100 | The maximum number of results to retrieve per operation. |
Authentication
Authentication is shared across the AWS connector bundle via the AwsConfiguration base class. The
API Gateway sub-connector uses the AWS SDK for Java v2 ApiGatewayClient (v1) and
ApiGatewayV2Client (v2), which sign every request with AWS SigV4 using credentials resolved through
the following chain (in order):
- STS AssumeRole — if
assumeRoleARNis configured, the connector assumes that role (using the credentials below as the principal) and uses the resulting temporary session credentials. - Static access keys — if
accessKey/secretKeyare configured, they are used directly. - Default credentials provider chain — environment variables,
~/.aws/credentials, container role, or EC2 instance metadata.
Assumed-role sessions use the configurable sessionDuration (default 900 s) with a unique session
name per sync. assumeRoleARN may be a comma-separated list to sync multiple accounts in one run. A
client is constructed per role per region and closed once that region has been fully synced.
Required AWS API permissions
| Permission | Purpose |
|---|---|
apigateway:GET | Read REST APIs and their resources/methods (GetRestApis, GetResources with embed=methods) and HTTP/WebSocket APIs and their routes (GetApis, GetRoutes). API Gateway maps all these read operations to the HTTP-verb IAM action apigateway:GET. |
sts:AssumeRole | Only when assumeRoleARN is set. |
How to obtain Amazon API Gateway credentials
Create an IAM user for AWS access
The connector authenticates using the AWS SDK's credential resolution chain. If an assume-role ARN is configured, the connector assumes that IAM role using the provided credentials. Otherwise, it uses the provided access keys directly, falling back to the AWS Default Credential Provider Chain (environment variables, ~/.aws/credentials, or EC2 instance metadata).
The IAM user or role must have the following permissions:
apigateway:GET
apigatewayv2:GET
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
ApiGatewayRestApi
| Source Field Name | SDM Attribute |
|---|---|
Collected from GetResources (embed=methods): each entry is <httpMethod> <resource.path>:<authorizationType> (auth type ? when unknown). | Methods (multivalued) |
| constant AWS | Cloud provider |
Derived: true if any Methods entry ends with :NONE, otherwise false. | Has public (NONE-auth) method |
region + : + RestApi.id | UID |
| region being synced | Region |
RestApi.createdDate | First seen |
RestApi.description | Description |
RestApi.disableExecuteApiEndpoint | Disable execute-api endpoint |
RestApi.endpointConfiguration().typesAsStrings() | Endpoint types (multivalued) |
RestApi.id | API ID |
RestApi.name | API name |
RestApi.name (falls back to RestApi.id) | Name |
RestApi.policy | Resource policy |
RestApi.tags rendered as key:value | Tags (multivalued) |
RestApi.version | Version |
| sync timestamp | Last captured |
ApiGatewayHttpApi
| Source Field Name | SDM Attribute |
|---|---|
Api.apiEndpoint | URL |
Api.apiId | API ID |
Api.createdDate | First seen |
Api.description | Description |
Api.disableExecuteApiEndpoint | Disable execute-api endpoint |
Api.name | API name |
Api.name (falls back to Api.apiId) | Name |
Api.protocolTypeAsString() | Protocol type |
Api.tags rendered as key:value | Tags (multivalued) |
Api.version | Version |
| Collected from GetRoutes: each entry is <routeKey | Routes (multivalued) |
| constant AWS | Cloud provider |
Derived: true if any Routes entry ends with :NONE, otherwise false. | Has public (NONE-auth) route |
region + : + Api.apiId | UID |
| region being synced | Region |
| sync timestamp | Last captured |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
ApiGatewayRestApi
Operation options
| Option | Type | Default | Description |
|---|---|---|---|
region / regions | Comma-separated list of regions to query (one client per region). | Resolved from configuration / default region provider chain | |
pageSize | Page size (limit) for GetRestApis and GetResources. | Shared pageSize configuration (100) |
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: AWS SDK for Java v2 (
ApiGatewayClient, API Gateway v1) · Endpoint:apigateway:GetRestApis
ApiGatewayHttpApi
Operation options
| Option | Type | Default | Description |
|---|---|---|---|
region / regions | Comma-separated list of regions to query (one client per region). | Resolved from configuration / default region provider chain | |
pageSize | Page size (maxResults) for GetApis and GetRoutes. | Shared pageSize configuration (100) |
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: AWS SDK for Java v2 (
ApiGatewayV2Client, API Gateway v2) · Endpoint:apigatewayv2:GetApis
Changelog
The Amazon API Gateway connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.2.1 | No changes in this release. | N/A |
| 3.2.0 | No changes in this release. | N/A |
| 3.1.0 | New Features - New connector — syncs REST APIs (v1) and HTTP APIs (v2) with per-method/route auth visibility, including a derived flag identifying unauthenticated public endpoints ( AuthType=NONE routes). Improvements - Sync failures are now visible. Previously, certain AWS API errors (throttling, server errors, transient network failures, validation errors) could be silently swallowed during multi-region sync, producing empty results without indicating a problem. These now surface as sync failures with a clear log entry detailing the HTTP status, AWS error code, request id, and service name. Per-region permission gaps (HTTP 401 / 403) still allow the sync to continue across other regions, but are now visible in logs. | N/A |