Add resource policy for API in CloudFormation template?

We have a NodeJS lambda project in CodeStar. We have gotten it to work, and we have secured the API with an API key.

Is it possible to add a Resource Policy for the API in the CloudFormation template? So we don't have to add a Resource Policy in the web console every time we create a new project/API.

We have tried but haven't gotten it to work, and we can't find any documentation.

Thanks!

Doc is here https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html

and it should look something like this

Type: AWS::ApiGateway::RestApi
Properties:
  ApiKeySourceType: String
  BinaryMediaTypes:
    - String
  Body: JSON object
  BodyS3Location: S3Location
  CloneFrom: String
  Description: String
  EndpointConfiguration: EndpointConfiguration
  FailOnWarnings: Boolean
  MinimumCompressionSize: Integer
  Name: String
  Parameters:
    String: String
  Policy: JSON object

A complete example for a private API Gateway with resource policy included (in this case only access from a previously defined VPC endpoint is allowed) can be found below.

# Interface VPC endpoint for execute-api; callers inside the VPC reach the API through it
InterfaceEndpoint:
  Type: 'AWS::EC2::VPCEndpoint'
  Properties:
    VpcEndpointType: Interface
    ServiceName: !Sub 'com.amazonaws.${AWS::Region}.execute-api'
    PrivateDnsEnabled: true
    VpcId: !Ref VPC
    SubnetIds:
      - !Ref PrivateSubnet1
      - !Ref PrivateSubnet2
    SecurityGroupIds:
      - !Ref InterfaceSecurityGroup

privateApiGateway:
  Type: AWS::ApiGateway::RestApi
  Properties:
    Description: Private API Gateway
    EndpointConfiguration:
      Types:
        - PRIVATE
      VpcEndpointIds:
        - !Ref InterfaceEndpoint
    Name: privateApi
    # Resource policy: allow invoke in general, then deny any request that
    # did not arrive through the endpoint defined above
    Policy:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal: "*"
          Action: execute-api:Invoke
          Resource:
            - execute-api:/*
        - Effect: Deny
          Principal: "*"
          Action: execute-api:Invoke
          Resource:
            - execute-api:/*
          Condition:
            StringNotEquals:
              aws:SourceVpce: !Ref InterfaceEndpoint
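As an added example (not part of either answer), here is a small Python check that a template's private REST API really carries the Allow-then-Deny-unless-aws:SourceVpce policy shown above, the kind of guard one would run in CI before deploying. It assumes PyYAML is installed; the resource names (Api, Vpce) and the TEMPLATE string are constructed sample input.

```python
# Added example (not from the original answer): CI-style check that every
# private REST API in a CloudFormation template carries the lock-down policy
# shown above. Assumes PyYAML; TEMPLATE below is constructed sample input.
import yaml

class CfnLoader(yaml.SafeLoader):
    pass

def _cfn_tag(loader, suffix, node):
    # !Ref X -> {'Ref': 'X'}; any other !Name -> {'Fn::Name': value}
    build = {yaml.SequenceNode: loader.construct_sequence,
             yaml.MappingNode: loader.construct_mapping}.get(type(node), loader.construct_scalar)
    return {"Ref" if suffix == "Ref" else "Fn::" + suffix: build(node)}

CfnLoader.add_multi_constructor("!", _cfn_tag)

TEMPLATE = """\
Resources:
  Api:
    Type: AWS::ApiGateway::RestApi
    Properties:
      EndpointConfiguration: {Types: [PRIVATE], VpcEndpointIds: [!Ref Vpce]}
      Policy:
        Statement:
          - {Effect: Allow, Principal: '*', Action: execute-api:Invoke, Resource: execute-api:/*}
          - {Effect: Deny, Principal: '*', Action: execute-api:Invoke, Resource: execute-api:/*,
             Condition: {StringNotEquals: {aws:SourceVpce: !Ref Vpce}}}
"""

def check_private_apis(template):
    """Return findings per AWS::ApiGateway::RestApi resource; [] means it passes."""
    findings = []
    for name, res in yaml.load(template, Loader=CfnLoader)["Resources"].items():
        if res.get("Type") != "AWS::ApiGateway::RestApi":
            continue
        props = res.get("Properties", {})
        endpoint = props.get("EndpointConfiguration", {})
        if endpoint.get("Types") != ["PRIVATE"]:
            findings.append(f"{name}: EndpointConfiguration.Types is not [PRIVATE]")
        vpces = endpoint.get("VpcEndpointIds", [])
        locked = False
        for stmt in props.get("Policy", {}).get("Statement", []):
            # IAM condition keys are case-insensitive, so normalise before lookup
            cond = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringNotEquals", {}).items()}
            src = cond.get("aws:sourcevpce", [])
            src = src if isinstance(src, list) else [src]
            if stmt.get("Effect") == "Deny" and stmt.get("Principal") == "*" and any(v in vpces for v in src):
                locked = True
        if not locked:
            findings.append(f"{name}: no Deny unless aws:SourceVpce is one of VpcEndpointIds")
    return findings
```

Run it against the template produced by your build and fail the pipeline on a non-empty result.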
