
AWS Api Gateway attach existing policy

Normally if I want to create a private AWS::ApiGateway::RestApi with policy only allowing VPC traffic to invoke any resources on the API I'd do something like so:

"ApiGatewayRestApi": {
  "Type": "AWS::ApiGateway::RestApi",
  "Properties": {
    "Name": "api-foo-bar",
    "EndpointConfiguration": {
      "Types": [
        "PRIVATE"
      ]
    },
    "Policy": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": [
            "execute-api:Invoke"
          ],
          "Resource": "execute-api:/*",
          "Condition": {
            "StringEquals": {
              "aws:SourceVpc": "vpc-000000000000"
            }
          }
        }
      ]
    }
  }
}

I have been asked if we can create a policy and then reuse it for different API Gateways we may create, something along the lines of:

"ApiGatewayRestApi": {
  "Type": "AWS::ApiGateway::RestApi",
  "Properties": {
    "Name": "api-foo-bar",
    "EndpointConfiguration": {
      "Types": [
        "PRIVATE"
      ]
    },
    "Policy": "arn:aws:*whatever*"
  }
}

And I have no idea. Nor can I find any documentation or examples showing that. Has anyone done this? Is it at all doable? Thanks :)

No, it's not doable currently. The policy you are attaching to the API Gateway is a resource-based policy.

From the AWS documentation:

With resource-based policies, you can specify who has access to the resource and what actions they can perform on it.

The AWS documentation shows the type that each property in CloudFormation can take. The following are the properties and the types allowed in "AWS::ApiGateway::RestApi":

{
  "Type" : "AWS::ApiGateway::RestApi",
  "Properties" : {
      "ApiKeySourceType" : String,
      "BinaryMediaTypes" : [ String, ... ],
      "Body" : Json,
      "BodyS3Location" : S3Location,
      "CloneFrom" : String,
      "Description" : String,
      "DisableExecuteApiEndpoint" : Boolean,
      "EndpointConfiguration" : EndpointConfiguration,
      "FailOnWarnings" : Boolean,
      "MinimumCompressionSize" : Integer,
      "Mode" : String,
      "Name" : String,
      "Parameters" : {Key : Value, ...},
      "Policy" : Json,
      "Tags" : [ Tag, ... ]
    }
}

Notice that the Policy property takes the type Json. Furthermore, the documentation writes the following for the Policy property:

A policy document that contains the permissions for the RestApi resource.

and gives us a hint that the Policy property does not take the form "Policy": "arn:aws:*whatever*" and only accepts a policy document in the form of JSON as the API Gateway's resource-based policy.

ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-policy https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html

You can find the docs here.

Policy
A policy document that contains the permissions for the RestApi resource. To set the ARN for the policy, use the !Join intrinsic function with "" as delimiter and values of "execute-api:/" and "*".
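Since the Policy property only accepts an inline JSON document, the practical way to "reuse" one resource policy across several REST APIs is to generate the same document for each API at template-build time, and to lint the resulting template so that no PRIVATE API ships with an over-broad policy. The following is an added example (not code from the question, the answers, or AWS); the helper names `private_api_policy`, `rest_api_resource`, `policy_findings` and `template_findings` and the sample template are my own constructions, and the VPC IDs are placeholders.

```python
import json

# Condition keys that scope an anonymous-principal Allow to a VPC or VPC endpoint.
# IAM condition keys are matched case-insensitively, so compare in lowercase.
VPC_CONDITION_KEYS = {"aws:sourcevpc", "aws:sourcevpce"}


def private_api_policy(vpc_id: str) -> dict:
    """Resource policy allowing execute-api:Invoke only from inside one VPC."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["execute-api:Invoke"],
            "Resource": "execute-api:/*",
            "Condition": {"StringEquals": {"aws:SourceVpc": vpc_id}},
        }],
    }


def rest_api_resource(name: str, vpc_id: str) -> dict:
    """AWS::ApiGateway::RestApi with the shared policy document inlined.

    Reuse happens here, in the generator: each API gets its own copy of the
    same document, because the Policy property takes Json, not an ARN.
    """
    return {
        "Type": "AWS::ApiGateway::RestApi",
        "Properties": {
            "Name": name,
            "EndpointConfiguration": {"Types": ["PRIVATE"]},
            "Policy": private_api_policy(vpc_id),
        },
    }


def policy_findings(policy) -> list:
    """List problems with one resource policy document.

    Flags an ARN/string where a document is required, and any Allow statement
    for Principal "*" that is not scoped by aws:SourceVpc / aws:SourceVpce.
    """
    if isinstance(policy, str):
        return ["Policy must be a JSON policy document, not a string/ARN"]
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be written bare
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if not anonymous:
            continue
        cond = st.get("Condition", {})
        keys = {k.lower() for operator in cond.values() for k in operator}
        if not keys & VPC_CONDITION_KEYS:
            findings.append(
                f"statement {i}: Principal '*' allowed without a VPC/VPC endpoint condition")
    return findings


def template_findings(template: dict) -> dict:
    """Map logical ID -> findings for every PRIVATE AWS::ApiGateway::RestApi."""
    out = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::ApiGateway::RestApi":
            continue
        props = res.get("Properties", {})
        types = props.get("EndpointConfiguration", {}).get("Types", [])
        if "PRIVATE" not in types:
            continue
        if "Policy" not in props:
            out[logical_id] = ["PRIVATE API has no resource policy"]
            continue
        found = policy_findings(props["Policy"])
        if found:
            out[logical_id] = found
    return out


# Constructed sample template: two APIs generated with the shared policy,
# one with an unconditioned "*" Allow, and one that tries the ARN form.
SAMPLE_TEMPLATE = {
    "Resources": {
        "FooApi": rest_api_resource("api-foo", "vpc-000000000000"),
        "BarApi": rest_api_resource("api-bar", "vpc-000000000000"),
        "OpenApi": {
            "Type": "AWS::ApiGateway::RestApi",
            "Properties": {
                "Name": "api-open",
                "EndpointConfiguration": {"Types": ["PRIVATE"]},
                "Policy": {"Version": "2012-10-17", "Statement": [{
                    "Effect": "Allow", "Principal": "*",
                    "Action": "execute-api:Invoke", "Resource": "execute-api:/*"}]},
            },
        },
        "ArnApi": {
            "Type": "AWS::ApiGateway::RestApi",
            "Properties": {
                "Name": "api-arn",
                "EndpointConfiguration": {"Types": ["PRIVATE"]},
                "Policy": "arn:aws:*whatever*",
            },
        },
    }
}

if __name__ == "__main__":
    print(json.dumps(template_findings(SAMPLE_TEMPLATE), indent=2))
```

Running the module prints findings for `OpenApi` (anonymous Allow with no VPC condition) and `ArnApi` (string instead of a document), while `FooApi` and `BarApi`, which share one generated policy, pass. The check treats `aws:SourceVpce` as an equally acceptable scope because a PRIVATE endpoint is reached through an interface VPC endpoint; if your policy uses `aws:SourceVpce`, the condition value is the endpoint ID rather than the VPC ID.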
