We have a NodeJS lambda project in CodeStar. We have gotten it to work, and we have secured the API with an API key.
Is it possible to add a Resource Policy for the API in the CloudFormation template? So we don't have to add a Resource Policy in the web console every time we create a new project/API.
We have tried but haven't gotten it to work, and we can't find any documentation.
Thanks!
Doc is here https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html
and it should look something like this
Type: AWS::ApiGateway::RestApi
Properties:
  ApiKeySourceType: String
  BinaryMediaTypes:
    - String
  Body: JSON object
  BodyS3Location: S3Location
  CloneFrom: String
  Description: String
  EndpointConfiguration: EndpointConfiguration
  FailOnWarnings: Boolean
  MinimumCompressionSize: Integer
  Name: String
  Parameters:
    String: String
  Policy: JSON object
A complete example for a private API Gateway with resource policy included (in this case only access from a previously defined VPC endpoint is allowed) can be found below.
InterfaceEndpoint:
  Type: 'AWS::EC2::VPCEndpoint'
  Properties:
    VpcEndpointType: Interface
    ServiceName: !Sub 'com.amazonaws.${AWS::Region}.execute-api'
    PrivateDnsEnabled: true
    VpcId: !Ref VPC
    SubnetIds:
      - !Ref PrivateSubnet1
      - !Ref PrivateSubnet2
    SecurityGroupIds:
      - !Ref InterfaceSecurityGroup

privateApiGateway:
  Type: AWS::ApiGateway::RestApi
  Properties:
    Description: Private API Gateway
    EndpointConfiguration:
      Types:
        - PRIVATE
      VpcEndpointIds:
        - !Ref InterfaceEndpoint
    Name: privateApi
    Policy:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal: "*"
          Action: execute-api:Invoke
          Resource:
            - execute-api:/*
        - Effect: Deny
          Principal: "*"
          Action: execute-api:Invoke
          Resource:
            - execute-api:/*
          Condition:
            StringNotEquals:
              aws:SourceVpce: !Ref InterfaceEndpoint
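Added example, not part of the answer above: a small Python model of how IAM evaluates the resource policy in that template, to show why the Allow/Deny pair restricts invocations to the one VPC endpoint (an explicit Deny always wins, and the negated StringNotEquals operator also matches when the request carries no aws:SourceVpce key at all). It assumes a constructed endpoint id in place of `!Ref InterfaceEndpoint`, supports only the condition operators the policy uses, and matches resources in the short `execute-api:/...` form rather than full ARNs.

```python
import fnmatch

# Constructed placeholder standing in for `!Ref InterfaceEndpoint` in the template.
VPCE_ID = "vpce-0123456789abcdef0"

# The resource policy from the template, as the JSON object CloudFormation renders.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": ["execute-api:/*"]},
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": ["execute-api:/*"],
         "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}},
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_matches(condition, context):
    """Evaluate only the operators this policy needs (StringEquals / StringNotEquals)."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: a missing key counts as a match, so a request
                # that did not come through any VPC endpoint still hits the Deny.
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(operator)
    return True

def evaluate(policy, action, resource, context):
    """IAM decision logic: explicit Deny wins, then Allow, else implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def is_invoke_allowed(policy, context):
    """Simulate one GET on a stage of the API with the given request context keys."""
    return evaluate(policy, "execute-api:Invoke", "execute-api:/prod/GET/hello", context) == "Allow"
```

Run `is_invoke_allowed(POLICY, {"aws:SourceVpce": VPCE_ID})` against `is_invoke_allowed(POLICY, {})` to see the intended endpoint pass and an internet-originated request fail.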