Working with cross-account private custom domain names
This section explains how to work with cross-account private custom domain names. You can provide a private custom domain name to another Amazon Web Services account and use another Amazon Web Services account to invoke a private custom domain name.
You can share your private custom domain name with another Amazon Web Services account using Amazon Resource Access Manager or API Gateway. Amazon Resource Access Manager (Amazon RAM) helps you securely share your resources across Amazon Web Services accounts and within your organization or organizational units (OUs). For more information, see What is Amazon Resource Access Manager.
For instructions on how to share a private custom domain name with another Amazon Web Services account using Amazon RAM, see API provider: Share your private custom domain name using Amazon RAM.
For instructions on how to share a private custom domain name with another Amazon Web Services account using API Gateway, see API provider: Share your private custom domain name using the API Gateway Amazon CLI.
For instructions on how to consume a private custom domain name in another Amazon Web Services account, see API consumer: Associate your VPC endpoint with a private custom domain name shared with you.
Best practices for working with cross-account private custom domain names
We recommend the following best practices for working with cross-account private custom domain names:
- Use Amazon RAM to share your private custom domain names. When you use Amazon RAM, you can reduce operational overhead and you don't have to create a managementPolicy for the Amazon API Gateway Management service.
- Use the resource-owner parameter when you list your private custom domain names or domain name access associations. Use the resource-owner parameter to only list the resources owned by you or by other Amazon Web Services accounts.

  The following example shows how to get all domain name access associations that you own:

  aws apigateway get-domain-name-access-associations --resource-owner SELF

  Use --resource-owner OTHER_ACCOUNTS to list all the domain name access associations that other accounts have formed with your private custom domain name.
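The following is an added example, not part of the original documentation: one way to review the output of the OTHER_ACCOUNTS listing against the accounts you intended to share with. The JSON field names, the ARN layout, the account IDs in the sample and the allow-list are assumptions constructed for illustration.

```python
import json

# Constructed sample of the JSON that
#   aws apigateway get-domain-name-access-associations --resource-owner OTHER_ACCOUNTS
# is assumed to return (field names and ARN layout are assumptions; IDs are placeholders).
ASSOC_PREFIX = "arn:aws:apigateway:us-west-2:{acct}:/domainnameaccessassociations/"
DOMAIN_ARN = "arn:aws:apigateway:us-west-2:111122223333:/domainnames/private.example.com+abcd1234"
SAMPLE_OUTPUT = json.dumps({"items": [
    {"domainNameAccessAssociationArn": ASSOC_PREFIX.format(acct="444455556666") + "example-1",
     "domainNameArn": DOMAIN_ARN, "accessAssociationSource": "vpce-0aaa1111"},
    {"domainNameAccessAssociationArn": ASSOC_PREFIX.format(acct="777788889999") + "example-2",
     "domainNameArn": DOMAIN_ARN, "accessAssociationSource": "vpce-0bbb2222"},
    {"domainNameAccessAssociationArn": "not-an-arn",
     "domainNameArn": DOMAIN_ARN, "accessAssociationSource": "vpce-0ccc3333"},
]})


def arn_account(arn):
    """Return the 12-digit account ID from the fifth field of an ARN."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or len(parts[4]) != 12 or not parts[4].isdigit():
        raise ValueError(f"unparseable ARN: {arn!r}")
    return parts[4]


def unexpected_associations(cli_json, approved_accounts):
    """List associations whose owning account is not approved (hypothetical allow-list)."""
    findings = []
    for item in json.loads(cli_json).get("items", []):
        arn = item.get("domainNameAccessAssociationArn", "")
        try:
            account = arn_account(arn)
        except ValueError:
            account = None  # malformed ARN: report it rather than skip it
        if account not in approved_accounts:
            findings.append({"account": account, "association": arn,
                             "source": item.get("accessAssociationSource"),
                             "domain": item.get("domainNameArn")})
    return findings


if __name__ == "__main__":
    for f in unexpected_associations(SAMPLE_OUTPUT, {"444455556666"}):
        print(f"REVIEW account={f['account']} source={f['source']} arn={f['association']}")
```

To check a real account, pass the JSON printed by the OTHER_ACCOUNTS command in place of SAMPLE_OUTPUT.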