How can I find the ARN of an API Gateway stage?
Introduction
Finding the ARN for an API Gateway stage is one of those AWS tasks where the answer depends on what you mean by “stage ARN.” API Gateway uses more than one ARN format, and the correct one depends on whether you are referring to the management resource itself or to the invoke-style ARN used in IAM and Lambda permissions.
The safest approach is to identify which API type you have, collect the API ID and stage name, and then build the ARN in the format required by your use case.
Know Which ARN You Need
There are two common stage-related ARN patterns:
- the API Gateway management ARN for the stage resource itself
- the execute-api ARN used when you refer to invoked routes or methods
For a REST API stage resource, AWS documents the stage ARN in this form:
For an HTTP API or WebSocket API stage resource, the documented form is:
If you are writing an IAM policy or Lambda permission for invocation, you will often need an execute-api ARN instead, such as:
That distinction is the source of most confusion.
Get the API ID and Stage Name
You can find both values in the AWS console, but the AWS CLI is often faster and less error-prone.
For a REST API:
For an HTTP API:
Once you know the api-id and the stage-name, the ARN is usually just string construction.
Build the Stage Resource ARN
If the question is specifically about the stage as an API Gateway resource, build the management ARN directly.
Example for a REST API stage named prod in us-east-1:
Example for an HTTP API stage named dev:
Notice that these management ARNs leave the account ID field empty (the :: after the region), whereas execute-api ARNs carry your AWS account ID in that position.
Build the Invoke ARN When Permissions Need It
A lot of people ask for the “stage ARN” when what they really need is the invoke ARN used in policies or lambda add-permission.
For a REST API or HTTP API invocation pattern, that usually looks like this:
You can widen it with wildcards when appropriate:
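That form is commonly used when granting API Gateway permission to invoke a Lambda function or when restricting who can call particular routes. Each wildcard extends the grant to every stage, method, or path it matches, so keep the ARN as specific as the use case allows.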
A Small Shell Helper
If you already know the values, building the ARN is trivial.
For an invoke ARN:
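A helper covering both ARN forms, as an added example rather than the article's own code: it picks the management path by API type, requires a 12-digit account ID for the invoke form, and reports any wildcard. The function names and the sample IDs are assumptions made for illustration.

```shell
# Added example, not the article's code. Function names are hypothetical and
# every ID passed to them below is a constructed sample.

# A field must be non-empty and must not contain ':', '/' or a space,
# any of which would shift the ARN's structure.
arn_field_ok() {
  case "$1" in
    ''|*:*|*/*|*' '*) return 1 ;;
  esac
}

# Management ARN of the stage resource: apigateway namespace, empty account field.
# Args: api-type (rest|http|websocket) region api-id stage-name
# The ( ) body runs in a subshell: variables stay local, exit only leaves the function.
stage_resource_arn() (
  kind=$1 region=$2 api_id=$3 stage=$4
  case "$kind" in
    rest)           collection=restapis ;;
    http|websocket) collection=apis ;;
    *) echo "unknown API type: $kind" >&2; exit 2 ;;
  esac
  for v in "$region" "$api_id" "$stage"; do
    arn_field_ok "$v" || { echo "invalid field: '$v'" >&2; exit 2; }
  done
  printf 'arn:aws:apigateway:%s::/%s/%s/stages/%s\n' \
    "$region" "$collection" "$api_id" "$stage"
)

# Invoke ARN for IAM policies and Lambda permissions: execute-api namespace,
# 12-digit account ID required. Method and path have no default, so a wildcard
# is always a deliberate choice; one is reported on stderr.
# Args: region account-id api-id stage method path
invoke_arn() (
  region=$1 account=$2 api_id=$3 stage=$4 method=$5 path=${6#/}
  case "$account" in
    ''|*[!0-9]*) echo "account ID must be numeric" >&2; exit 2 ;;
  esac
  [ "${#account}" -eq 12 ] || { echo "account ID must be 12 digits" >&2; exit 2; }
  for v in "$region" "$api_id" "$stage" "$method"; do
    arn_field_ok "$v" || { echo "invalid field: '$v'" >&2; exit 2; }
  done
  case "$stage$method$path" in
    *'*'*) echo "note: wildcard widens this grant" >&2 ;;
  esac
  printf 'arn:aws:execute-api:%s:%s:%s/%s/%s/%s\n' \
    "$region" "$account" "$api_id" "$stage" "$method" "$path"
)

stage_resource_arn rest us-east-1 a1b2c3d4e5 prod
invoke_arn us-east-1 123456789012 a1b2c3d4e5 prod GET /orders
```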
Use the Console if You Prefer Visual Confirmation
In the API Gateway console, open the API, go to the stage list, and note the stage name and API ID from the dashboard or URL. The console is fine for one-off lookups, but the CLI is better when you want repeatable infrastructure documentation or scripting around deployments.
Common Pitfalls
The biggest mistake is mixing up the management ARN and the invoke ARN. They are both valid, but they serve different purposes.
Another issue is using the wrong service namespace. The stage resource itself uses the apigateway namespace, while route invocation permissions typically use execute-api.
People also sometimes forget whether the API is REST or HTTP API. The management ARN path differs: REST APIs use /restapis/..., while HTTP APIs use /apis/....
Finally, avoid guessing the account ID part for invoke ARNs. Pull it from the AWS CLI with aws sts get-caller-identity if you are not sure.
Summary
- “Stage ARN” can mean either the API Gateway stage resource ARN or an execute-api invoke ARN.
- For REST API stage resources, use arn:aws:apigateway:region::/restapis/api-id/stages/stage-name.
- For HTTP API stage resources, use arn:aws:apigateway:region::/apis/api-id/stages/stage-name.
- For invoke permissions, use the arn:aws:execute-api:... pattern instead.
- Use the AWS CLI to fetch the api-id and stage-name before constructing the ARN.

