stackoom
  简体   繁体   中英

Creating an aws_api_gateway_account resource returns AccessDeniedException

 原文  2020-09-21 20:37:55       terraform/ aws-api-gateway/ terraform-provider-aws

Question

In my terraform script I have the following resource -

resource "aws_api_gateway_account" "demo" {
  cloudwatch_role_arn = var.apigw_cloudwatch_role_arn
}

In the Apply stage, I see the following error -

2020/09/21 20:20:48 [ERROR] <root>: eval: *terraform.EvalApplyPost, err: Updating API Gateway Account failed: AccessDeniedException: 
    status code: 403, request id: abb0662e-ead2-4d95-b987-7d889088a5ef

Is there a specific permission that needs to be attached to the role in order to get rid of this error?

3 answers

solution1
 5  2021-07-15 04:28:15

Ran into the same problem as @bdev03, took me 2 days to identify the missing permission is "iam:PassRole", be so good if terraform is able to point that out, hope this helps.

solution2
 0  2023-02-01 16:29:31

Since neither this thread (so far) nor the official documentation is doing a very good job at solving this problem... The minimal policies required for this action are:

{
  "Sid": "AllowPassingTheRoleToApiGateway",
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "iam:PassedToService": ["apigateway.amazonaws.com"]
    }
  }
}

{
  "Sid": "AllowAPIGatewayUpdate",
  "Effect": "Allow",
  "Action": [
      "apigateway:UpdateRestApiPolicy",
      "apigateway:PATCH",
      "apigateway:GET"
  ],
  "Resource": "*"
}

solution3
 -1 ACCPTED  2020-09-22 12:32:17

I haven't tested, but I believe the role needs what's shown below. See more context at the source: "To enable CloudWatch Logs" section at https://docs.aws.amazon.com/apigateway/latest/developerguide/stages.html

For common application scenarios, the IAM role could attach the managed policy of AmazonAPIGatewayPushToCloudWatchLogs, which contains the following access policy statement:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:GetLogEvents", "logs:FilterLogEvents" ], "Resource": "*" } ] }

The IAM role must also contain the following trust relationship statement:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "apigateway.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AWS Resource policy on API Gateway "Enable CORS" in AWS API Gateway resource? AWS API Gateway - Issues in setting up cross-account access How to migrate an API Gateway with a custom domain name to another AWS account? AWS API Gateway OPTIONS requests returns 500 error AWS API gateway returns 403 for some and 200 for others AWS API Gateway: User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api: AWS API Gateway Slowness AWS API Gateway Websocket UnknownError AWS Lambda function URL returns a different content-length value compared to API Gateway
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM