
Restrict access to API Gateway endpoint to VPC in cloudformation

I'm trying to limit access to my API Gateway endpoints to requests from my VPC. There are examples of API Gateway Resource Policies, and even a Policy property on the RestApi resource, but I can't figure out how to write a policy that needs the API's ID when the API hasn't been created yet. I have an example of how I understand a stack should look, based on the AWS documentation:

    Resources:
      MyRestApi:
        Type: 'AWS::ApiGateway::RestApi'
        Properties:
          Name: My Great API
          Policy:
            # quoted so YAML does not parse the version as a date
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal: '*'
                Action: execute-api:Invoke
                Resource:
                  # Fn::Join takes [delimiter, [parts]]
                  Fn::Join:
                    - ''
                    - - 'arn:aws:execute-api:'
                      - Ref: AWS::Region
                      - ':'
                      - Ref: AWS::AccountId
                      - ':'
                      # self-reference: this is the part that cannot be resolved
                      - Ref: MyRestApi
                      - '/*'
              - Effect: Deny
                Principal: '*'
                Action: execute-api:Invoke
                Resource:
                  Fn::Join:
                    - ''
                    - - 'arn:aws:execute-api:'
                      - Ref: AWS::Region
                      - ':'
                      - Ref: AWS::AccountId
                      - ':'
                      - Ref: MyRestApi
                      - '/*'
                Condition:
                  StringNotEquals:
                    "aws:SourceVpc":
                      Ref: VpcId

The crux is that I can't reference MyRestApi in the policy while it's still being created. I'm sure I'm not the only one who wants to do this ... I'd rather think this is a common problem, so there is very likely an answer already that I haven't found yet.

Thanks for any help,

Stefan

PS: The documentation I used was https://docs.aws.amazon.com/de_de/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-policy and https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html

According to the AWS documentation, the policy supports a special syntax for Resource because of this problem.

   "Resource": [
     "execute-api:/stage/method/path"
   ]

In the comments, they call it:

    // simplified format supported here because apiId is not known yet and partition/region/account can derived at import time
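Putting the simplified Resource syntax from the answer into a complete stack, as an added example that is not part of the original question or answer. The template assumes an existing execute-api interface VPC endpoint (passed in as `VpcEndpointId`) and the VPC it lives in (`VpcId`); the resource names `MyRestApi`, `RootMethod` and `ApiDeployment` are this example's own. Two points a practitioner will hit that the thread does not mention are written into the comments: the `aws:SourceVpc` condition key is only present when the call arrives through an interface endpoint, so the API must be PRIVATE, and a resource policy only takes effect on the next deployment.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Private REST API reachable only from one VPC (added example, not the original post's template)

Parameters:
  VpcEndpointId:
    Type: String
    Description: Interface endpoint for com.amazonaws.<region>.execute-api in your VPC (assumed to exist)
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: The VPC whose traffic is allowed

Resources:
  MyRestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: My Great API
      # aws:SourceVpc / aws:SourceVpce only appear in the request context when the
      # request enters through an interface endpoint, which requires a PRIVATE API.
      # On a REGIONAL or EDGE API the key is absent, StringNotEquals then matches,
      # and the Deny below would block every request.
      EndpointConfiguration:
        Types:
          - PRIVATE
        VpcEndpointIds:
          - !Ref VpcEndpointId
      Policy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: execute-api:Invoke
            # Simplified form: partition, region, account and API ID are filled in
            # by API Gateway when the policy is attached, so no self-reference.
            Resource: execute-api:/*
          - Effect: Deny
            Principal: '*'
            Action: execute-api:Invoke
            Resource: execute-api:/*
            Condition:
              StringNotEquals:
                aws:SourceVpc: !Ref VpcId

  # A deployment needs at least one method; a MOCK integration keeps this
  # example self-contained.
  RootMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref MyRestApi
      ResourceId: !GetAtt MyRestApi.RootResourceId
      HttpMethod: GET
      AuthorizationType: NONE
      Integration:
        Type: MOCK
        RequestTemplates:
          application/json: '{"statusCode": 200}'
        IntegrationResponses:
          - StatusCode: '200'
      MethodResponses:
        - StatusCode: '200'

  # Resource policy changes only apply to the next deployment: when you edit the
  # policy, change this resource's logical ID (or add a new Deployment) so
  # CloudFormation creates a fresh deployment.
  ApiDeployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: RootMethod
    Properties:
      RestApiId: !Ref MyRestApi
      StageName: prod

Outputs:
  InvokeUrl:
    # Endpoint-specific hostname for a private API; works whether or not
    # private DNS is enabled on the interface endpoint.
    Value: !Sub https://${MyRestApi}-${VpcEndpointId}.execute-api.${AWS::Region}.amazonaws.com/prod
```

To check the policy after deployment, call the InvokeUrl from an instance inside `VpcId` (expect 200) and from outside the VPC or through an endpoint in another VPC (expect 403 with an explicit-deny message). If you want to pin traffic to one specific endpoint rather than any endpoint in the VPC, swap `aws:SourceVpc` for `aws:SourceVpce` and compare against `VpcEndpointId`.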

Declaration: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to reproduce them, please credit this site or the original source. For any questions contact yoyou2525@163.com.
