Home / How-to Guides
Edit
Report

Discover AWS Gateway APIs in Service Catalog with the Konnect API

Uses: Service Catalog Konnect API
Incompatible with
on-prem
Related Documentation
All Service Catalog Documentation
Tags
#integrations #aws
Related Resources
Service Catalog
Integrations
AWS API Gateway reference
Discover AWS Gateway APIs in Service Catalog with the Konnect UI
Discover and govern APIs with Service Catalog
TL;DR

Install the AWS API Gateway integration in Konnect and authorize access with your Service Catalog role ARN, then link an API to your service.

Prerequisites

Kong Konnect

If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

  1. The following Konnect items are required to complete this tutorial:
    • Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.

  2. Set the personal access token as an environment variable:

    export KONNECT_TOKEN='YOUR KONNECT TOKEN'

Konnect roles

You need the Integration Admin role in Konnect to install and authorize Service Catalog integrations.

AWS API Gateway

You need a REST API in AWS API Gateway to ingest and a correctly configured IAM role for this integration. You can name your AWS API Gateway API whatever you’d like. In this tutorial, we’ll refer to your AWS API Gateway API as aws-api.

You can follow the setup instructions in the UI wizard when you add the AWS API Gateway instance or do the following:

If you want to use the AWS console UI, follow the steps in Amazon’s Creating an IAM role (console) documentation. Make sure to select Another AWS account and enter the Account ID (auto gen id here) and select Require external ID and enter the External ID (external id here). Navigate to the role in the console UI and copy the ARN to use in Konnect.

  1. In the AWS console, navigate to the IAM settings.
  2. In the IAM sidebar, click Policies.
  3. Click Create policy.
  4. For the Policy editor settings, click JSON.

  5. In the Policy editor field, enter the following:

    {
    "Version": "2012-10-17",
    "Statement": [
      { "Sid": "ApiGwRead",
        "Effect": "Allow",
        "Action": ["apigateway:GET"],
        "Resource": "*"
      }
    ]
  }
  6. Click Next.
  7. In the Policy name field, enter konnect-service-catalog-permissions.
  8. Click Create policy.
  9. In the IAM sidebar, click Roles.
  10. Click Create role.
  11. For the Trusted entity type, select AWS account.
  12. For the AWS account settings, select Another AWS account.

  13. In the Account ID field, enter 333402130851.

    This is Konnect’s account ID that is used for the IAM role principal.

  14. Select the Require external ID checkbox.
  15. In the External ID field, enter your Konnect organization ID. You can find this by sending a GET request to /organizations/me or in the Konnect UI by navigating to your account in the top right and clicking the copy icon next to your organization name.
  16. Click Next.
  17. From the Permissions policies list, select konnect-service-catalog-permissions.
  18. Click Next.
  19. In the Role name field, enter konnect-service-catalog-integration.
  20. Click Create role.

View the konnect-service-catalog-integration you just created and copy the ARN.

Configure the AWS API Gateway integration

Before you can discover APIs in Service Catalog, you must configure the AWS API Gateway integration.

  1. In the Konnect sidebar, click Service Catalog.
  2. In the Service Catalog sidebar, click Integrations.
  3. Click AWS API Gateway.
  4. Click Add AWS API Gateway instance.
  5. From the AWS region dropdown, select “US East (Ohio)”. If you’re using a different region, select your region from the dropdown.
  6. In the IAM role ARN field, enter the IAM role you configured for Service Catalog.
  7. In the Display name field, enter aws-api-gateway-test.
  8. In the Instance name field, enter aws-api-gateway-test.
  9. Click Save.

Create a service in Service Catalog

Create a service that you’ll map to your AWS API Gateway resources:

 curl -X POST "https://us.api.konghq.com/v1/catalog-services" \
     -H "Authorization: Bearer $KONNECT_TOKEN" \
     --json '{
       "name": "billing",
       "display_name": "Billing Service"
     }'

Export the service ID:

export AWS_SERVICE_ID='YOUR-SERVICE-ID'

List AWS API Gateway resources

Before you can map your AWS API Gateway resources to a service in Service Catalog, you first need to find the resources that are pulled in from AWS API Gateway:

 curl -X GET "https://us.api.konghq.com/v1/resources?filter%5Bintegration.name%5D=aws-api-gateway" \
     -H "Authorization: Bearer $KONNECT_TOKEN"

You might need to manually sync your AWS API Gateway integration for resources to appear. From the Konnect UI by navigating to the AWS API Gateway integration you just installed and selecting Sync Now from the Actions dropdown menu.

Export the resource ID you want to map to the service:

export AWS_RESOURCE_ID='YOUR-RESOURCE-ID'

Map resources to a service

Now, you can map the AWS API Gateway resource to the service:

 curl -X POST "https://us.api.konghq.com/v1/resource-mappings" \
     -H "Authorization: Bearer $KONNECT_TOKEN" \
     --json '{
       "service": "billing",
       "resource": "'$AWS_RESOURCE_ID'"
     }'

Validate the mapping

To confirm that the AWS API Gateway resource is now mapped to the intended service, list the service’s mapped resources:

 curl -X GET "https://us.api.konghq.com/v1/catalog-services/$AWS_SERVICE_ID/resources" \
     -H "Authorization: Bearer $KONNECT_TOKEN"
Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support