This directory contains working examples for interacting with the GCO API Gateway using various tools and programming languages.
- Overview
- Available Examples
- Getting Started
- API Endpoints
- Authentication Errors
- Troubleshooting
- Best Practices
- Additional Resources
The GCO API Gateway requires AWS IAM authentication using AWS Signature Version 4 (SigV4). All requests must be signed with valid AWS credentials that have the appropriate execute-api:Invoke permissions.
Recommended for production use
A complete Python example using boto3 and the aws-requests-auth library to automatically sign requests.
Requirements:
pip install boto3 requests aws-requests-authUsage:
python python_boto3_example.pyFeatures:
- Automatically retrieves API Gateway endpoint from CloudFormation
- Uses your AWS credentials (from environment, ~/.aws/credentials, or IAM role)
- Supports temporary credentials (STS, IAM roles)
- Includes examples for all operations: submit, get, list, delete
When to use:
- Production applications
- CI/CD pipelines
- Automated workflows
- When you need programmatic access
Examples using AWS CLI and curl with manual SigV4 signing.
Requirements:
# AWS CLI v2
brew install awscli
# jq for JSON processing
brew install jqUsage:
./aws_cli_examples.shFeatures:
- Shows how to get API Gateway endpoint from CloudFormation
- Demonstrates curl command structure
- Includes IAM permission checking
- Useful for understanding the API structure
When to use:
- Quick testing and debugging
- Learning how the API works
- Checking IAM permissions
- One-off manual operations
Recommended for testing and development
Uses aws-sigv4-proxy to automatically sign curl requests with AWS SigV4.
Requirements:
# macOS
brew install aws-sigv4-proxy
# Linux - download from GitHub
wget https://github.com/awslabs/aws-sigv4-proxy/releases/latest/download/aws-sigv4-proxy-linux-amd64
chmod +x aws-sigv4-proxy-linux-amd64
sudo mv aws-sigv4-proxy-linux-amd64 /usr/local/bin/aws-sigv4-proxyUsage:
./curl_sigv4_proxy_example.shFeatures:
- Automatically starts and manages aws-sigv4-proxy
- Uses familiar curl syntax
- Interactive examples with all operations
- Shows authentication failure scenarios
When to use:
- Manual testing during development
- Debugging API issues
- When you prefer curl over Python
- Quick ad-hoc requests
# Check your current AWS identity
aws sts get-caller-identity
# Configure credentials if needed
aws configureYour IAM user or role needs the execute-api:Invoke permission. See ../iam-policies/ for example policies.
# Check if you have the required permissions
aws iam simulate-principal-policy \
--policy-source-arn $(aws sts get-caller-identity --query Arn --output text) \
--action-names execute-api:Invoke \
--resource-arns "arn:aws:execute-api:*:*:*"# From CloudFormation (replace with your region)
aws cloudformation describe-stacks \
--stack-name gco-regional-us-east-1 \
--query 'Stacks[0].Outputs[?OutputKey==`ApiGatewayEndpoint`].OutputValue' \
--output text# Python example (recommended)
python python_boto3_example.py
# Or curl with aws-sigv4-proxy
./curl_sigv4_proxy_example.shAll endpoints require AWS SigV4 authentication.
Submit a new Kubernetes manifest
Request:
{
"manifest": {
"apiVersion": "batch/v1",
"kind": "Job",
"metadata": {"name": "my-job"},
"spec": {...}
},
"namespace": "gco-jobs"
}Response (200):
{
"status": "success",
"message": "Manifest submitted successfully",
"resource": {...}
}List all submitted manifests
Response (200):
{
"manifests": [...]
}Get status of a specific manifest
Response (200):
{
"status": "success",
"manifest": {...}
}Delete a specific manifest
Response (200):
{
"status": "success",
"message": "Manifest deleted successfully"
}Cause: Request is not signed with AWS SigV4
Solution: Use one of the provided examples that automatically signs requests
Cause: Request signature is incorrect or credentials are invalid
Solution:
- Verify your AWS credentials are valid:
aws sts get-caller-identity - Check that your system clock is synchronized (SigV4 is time-sensitive)
- Ensure you're using the correct region
Cause: Your IAM user/role lacks execute-api:Invoke permission
Solution:
- Attach the appropriate IAM policy (see
../iam-policies/) - Verify permissions:
aws iam get-user-policy --user-name YOUR_USER --policy-name POLICY_NAME
The CloudFormation stack may not be deployed yet, or the output name is different.
# List all outputs
aws cloudformation describe-stacks \
--stack-name gco-regional-us-east-1 \
--query 'Stacks[0].Outputs'The proxy may not be running or port 8080 is in use.
# Check if port is in use
lsof -i :8080
# Start proxy manually
aws-sigv4-proxy --name execute-api --region us-east-1 --port 8080Install the required Python package:
pip install aws-requests-auth- Check VPC Link health status
- Verify NLB target health
- Check CloudWatch Logs for API Gateway execution logs
- Ensure Kubernetes pods are running and healthy
- Use Python boto3 for production: Most reliable and maintainable
- Use aws-sigv4-proxy for testing: Quick and easy for manual testing
- Store credentials securely: Use IAM roles instead of access keys when possible
- Enable CloudWatch logging: Monitor API Gateway access logs for debugging
- Handle errors gracefully: Implement retry logic with exponential backoff
- Use temporary credentials: Prefer STS temporary credentials over long-lived access keys
- AWS Signature Version 4 Documentation
- API Gateway IAM Authentication
- aws-sigv4-proxy GitHub
- IAM Policy Examples
For issues or questions:
- Check CloudWatch Logs for API Gateway execution logs
- Verify IAM permissions using
aws iam simulate-principal-policy - Test with the curl example to isolate client vs. server issues
- Review the main README for migration guides and troubleshooting