
AWS::Serverless::Api Resource Policy with Cloudformation SAM

Recently AWS announced that Amazon API Gateway Supports Resource Policies for APIs.

Is it possible to attach a resource policy to an AWS::Serverless::Api created via CloudFormation with SAM?

I haven't had the chance to try this yet but I assume you can use it like you would use an S3 Bucket Policy. The trickiest part for you would be to grab the api-id to be able to use in the Resource ARN(s).

So, in your template you would have a piece that contains similar YAML (or JSON). This would allow <some user> to use the API:

Statement:
- Effect: Allow
  Principal:
    AWS:
    - arn:aws:iam::<account-id>:user/<some user>
    - account-id
  Action: execute-api:Invoke
  Resource:
  - execute-api:/*/*/*

Note that the execute-api:/*/*/* gets converted automatically during deployment to something that looks like arn:aws:execute-api:<region>:<account-id>:<api-id>/*/*/*.

This approach should work just like bucket policies and this is how you apply a policy to a Bucket.

Good luck!

Quick note about getting <api-id> - you can use a simplified format, like "execute-api:/<stage>/GET/pets".
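One place such a statement can live in a SAM template, as an added example that is not from the original posts: the policy is supplied through the API Gateway OpenAPI extension x-amazon-apigateway-policy inside DefinitionBody. The logical ID PetsApi, the account ID 123456789012, the user example-user, the prod stage and the mock /pets method are constructed placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Resources:
  PetsApi:                      # hypothetical logical ID
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      DefinitionBody:
        swagger: "2.0"
        info:
          title: pets-api       # constructed name
          version: "1.0"
        # Resource policy carried as an API Gateway OpenAPI extension.
        x-amazon-apigateway-policy:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                # Constructed account ID and user name.
                AWS: arn:aws:iam::123456789012:user/example-user
              Action: execute-api:Invoke
              Resource:
                # Short form scoped to one stage, method and path;
                # no <api-id> is needed in the template.
                - execute-api:/prod/GET/pets
        # A statement that names an IAM principal only matches callers
        # who sign their requests, so the method uses SigV4 (AWS_IAM) auth.
        securityDefinitions:
          sigv4:
            type: apiKey
            name: Authorization
            in: header
            x-amazon-apigateway-authtype: awsSigv4
        paths:
          /pets:
            get:
              security:
                - sigv4: []
              responses:
                "200":
                  description: OK
              # Mock integration keeps the example free of a backend.
              x-amazon-apigateway-integration:
                type: mock
                requestTemplates:
                  application/json: '{"statusCode": 200}'
                responses:
                  default:
                    statusCode: "200"
```

Scoping Resource to a single stage, method and path grants less than execute-api:/*/*/*, which covers every method on every stage of the API.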

Source: AWS::Serverless::Api Resource Policy with Cloudformation SAM
