Restrict access to API Gateway endpoint to VPC in CloudFormation
I'm trying to limit access to my API Gateway endpoints to requests from my VPC. There are examples of API Gateway Resource Policies, and even a Policy property on the RestApi resource, but I can't figure out how to write a policy that needs the API's ID when the API hasn't been created yet.

Here is an example of how I understand a stack should look, based on the AWS documentation:
```yaml
MyRestApi:
  Type: 'AWS::ApiGateway::RestApi'
  Properties:
    Name: My Great API
    Policy:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal: '*'
          Action: execute-api:Invoke
          Resource:
            # arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<method>/<path>
            Fn::Join:
              - ''
              - - 'arn:aws:execute-api:'
                # Region and AccountId are template parameters here
                # (the AWS::Region / AWS::AccountId pseudo parameters would also work)
                - Ref: Region
                - ':'
                - Ref: AccountId
                - ':'
                # self-reference to the API being created: this is the problem
                - Ref: MyRestApi
                # stage/method/path; '*' covers every stage and route
                - '/*'
        - Effect: Deny
          Principal: '*'
          Action: execute-api:Invoke
          Resource:
            Fn::Join:
              - ''
              - - 'arn:aws:execute-api:'
                - Ref: Region
                - ':'
                - Ref: AccountId
                - ':'
                - Ref: MyRestApi
                - '/*'
          Condition:
            StringNotEquals:
              'aws:SourceVpc':
                Ref: VpcId
```
The crux is that I can't reference MyRestApi in the policy while it's still being created. I'm sure I'm not the only one who wants to do this ... I'd rather think this is a common problem, so there is very likely an answer already that I haven't found yet.

Thanks for any help,
Stefan
PS: The documentation I used was https://docs.aws.amazon.com/de_de/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-policy and https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html
According to the AWS documentation, the policy supports a special syntax for Resource precisely because of this problem:
```json
"Resource": [
    "execute-api:/stage/method/path"
]
```
In the comments, they call it:

```
// simplified format supported here because apiId is not known yet and partition/region/account can be derived at import time
```
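For completeness, here is a full template that puts the simplified syntax to use. This is an added example, not code from the question or the answer above; the parameter name VpcId and the PRIVATE endpoint type are assumptions, and the policy is written for every stage and path (`execute-api:/*`), which you can narrow to `execute-api:/prod/GET/orders` and the like.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example (not from the original question or answer): a REST API whose
  resource policy allows invocation only from one VPC, written with the
  simplified execute-api resource format so the API ID is never referenced.

Parameters:
  # Assumed parameter name: the VPC whose requests may invoke the API.
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: Only requests arriving from this VPC may invoke the API.

Resources:
  MyRestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: My Great API
      # PRIVATE: the API is reachable only through an interface VPC endpoint,
      # which is what populates aws:SourceVpc on each request.
      EndpointConfiguration:
        Types:
          - PRIVATE
      Policy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: execute-api:Invoke
            # Simplified form "execute-api:/stage/method/path": API Gateway
            # fills in partition, region, account and API ID when the policy is
            # attached, so no Ref to MyRestApi and no circular dependency.
            Resource: execute-api:/*
          - Effect: Deny
            Principal: '*'
            Action: execute-api:Invoke
            Resource: execute-api:/*
            Condition:
              StringNotEquals:
                aws:SourceVpc: !Ref VpcId
```

Two things to check after deploying: the resource policy only takes effect once the API has been deployed (an AWS::ApiGateway::Deployment resource or a manual deployment), and aws:SourceVpc is only present on requests that enter through an interface VPC endpoint. A request without that key still matches StringNotEquals, so anything not coming from the named VPC is denied, which is the fail-closed behaviour you want here.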