
Restricted IAM policy for DELETE action on API Gateway Deployment resource

I had created a serverless user with the necessary permissions to create and deploy an AWS Lambda function along with API Gateway.

However, when I change a piece of code and run serverless deploy on it, it gives the error:

Error:
DELETE_FAILED:... "User: arn:aws:iam::XXXXXXXXXXX:user/serverless is not authorized to perform: apigateway:DELETE on resource: arn:aws:apigateway:us-east-1::/restapis/1zhmt1r45r2/deployments/27gb11 because no identity-based policy allows the apigateway:DELETE action (Service: ApiGateway, Status Code: 403...

Now I can go ahead and add DELETE action permission on the apigateway resource. But giving permission to delete any apigateway resource on a production environment is way too risky. What I want is to restrict what this serverless/programmatic user can delete (only the APIs created by itself, or a prefix on the resource name).

I have created policies to only allow the serverless user to create resources with a specific prefix, but this error is reported on the resource arn:aws:apigateway:us-east-1::/restapis/1zhmt1r45r2/deployments/27gb11, which uses IDs (1zhmt1r45r2/deployments/27gb11). I can't think of a way to effectively restrict what this user can delete.

Is there any work-around? I need to figure this out quite urgently.

I'm not sure what you really want to achieve without having more details, but the error you have is telling you that you need to grant the apigateway:DELETE permission to your lambda function using a policy that is restricted only to your lambda function. The easiest way to do this is specifying it in a SAM template. This way you can implement your IaC (Infrastructure as Code) without a manual process, and it allows you to automate the process for redeployments and add the template to source control. The following example defines a lambda function which needs the apigateway:DELETE permission:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  ApiGatewayApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
  CreateLedger:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: CreateLedgerFunction
      Handler: QLDB.API.Config.Lambda::QLDB.API.Config.Lambda.Functions.CreateLedger.CreateLedgerFunction::FunctionHandler
      Runtime: dotnetcore3.1
      Timeout: 30
      CodeUri: .
      Policies:
        # Inline IAM statements that SAM attaches to the function's execution role
        - Statement:
          - Sid: QLDBCreateLedgerCommandPolicy
            Effect: Allow
            Action:
              - apigateway:DELETE #<----- specify the permissions
            Resource: '*'
      Events:
        CreateLedger:
          Type: Api
          Properties:
            Path: /createLedger
            Method: post
            RestApiId:
              Ref: ApiGatewayApi
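The error in the question names the IAM user arn:aws:iam::XXXXXXXXXXX:user/serverless as the principal that lacks apigateway:DELETE, so an identity-based policy for that user is what the deploy actually needs; the template above grants the permission to the function's execution role instead. Because deployment IDs such as 27gb11 are generated by API Gateway, the narrowest static scope a Resource element can express is by ARN path and region, not by "created by this user". The following is an added example, not code from the question or the answer: it builds such a scoped policy and checks it with a small IAM-style wildcard matcher (`*` matches any run of characters including `/`, `?` matches one character, explicit Deny wins over Allow), so you can see which API Gateway ARNs the statement does and does not cover before attaching it. The policy document, the `check_examples` helper and the sample ARNs other than the one from the error message are constructed for the demonstration; the matcher handles only Action and Resource, not Condition blocks or NotAction/NotResource.

```python
"""Scope apigateway:DELETE to deployment sub-resources and check it with an IAM-style matcher.

Added example (not from the original Q&A). The matcher implements only the Action/Resource
wildcard semantics of IAM; Condition blocks, NotAction and NotResource are out of scope.
"""
import re
from typing import Dict, List, Union

REGION = "us-east-1"  # assumption: the stack is deployed to the region seen in the error

# Identity-based policy for the deploying IAM user ("serverless" in the error message).
# The Resource pattern covers only /restapis/<id>/deployments/<id> in one region, so the
# same statement does not permit deleting a whole REST API, a stage, or a custom domain.
DELETE_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DeleteApiDeploymentsOnly",
            "Effect": "Allow",
            "Action": ["apigateway:DELETE"],
            "Resource": [f"arn:aws:apigateway:{REGION}::/restapis/*/deployments/*"],
        }
    ],
}

# ARN copied from the error message in the question.
FAILING_ARN = "arn:aws:apigateway:us-east-1::/restapis/1zhmt1r45r2/deployments/27gb11"


def _iam_glob_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM wildcard pattern into an anchored regex.

    '*' matches any sequence of characters (including '/'), '?' matches exactly one
    character, and every other character is matched literally.
    """
    parts: List[str] = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def _matches(patterns: Union[str, List[str]], value: str, case_insensitive: bool = False) -> bool:
    if isinstance(patterns, str):
        patterns = [patterns]
    if case_insensitive:  # IAM action names are matched case-insensitively; ARNs are not
        patterns = [p.lower() for p in patterns]
        value = value.lower()
    return any(_iam_glob_to_regex(p).fullmatch(value) for p in patterns)


def is_allowed(policy: Dict, action: str, resource: str) -> bool:
    """Evaluate a single identity-based policy: explicit Deny wins, then Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, case_insensitive=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_examples() -> Dict[str, bool]:
    """Run the scoped policy against the ARN from the error and a few constructed neighbours."""
    api = "arn:aws:apigateway:us-east-1::/restapis/1zhmt1r45r2"  # constructed: the REST API itself
    return {
        "deployment_from_error": is_allowed(DELETE_POLICY, "apigateway:DELETE", FAILING_ARN),
        "whole_rest_api": is_allowed(DELETE_POLICY, "apigateway:DELETE", api),
        "stage": is_allowed(DELETE_POLICY, "apigateway:DELETE", api + "/stages/prod"),
        "other_region": is_allowed(
            DELETE_POLICY, "apigateway:DELETE", FAILING_ARN.replace("us-east-1", "eu-west-1")
        ),
        "wrong_action": is_allowed(DELETE_POLICY, "apigateway:PUT", FAILING_ARN),
    }


if __name__ == "__main__":
    for name, decision in check_examples().items():
        print(f"{name:22s} -> {'ALLOW' if decision else 'deny'}")
```

Run the file to print one decision per sample ARN; only the deployment ARN from the error should come back as ALLOW. To further narrow the scope, keep the prefix strategy the question already uses for creates (for example by pinning the REST API ID once it is known and replacing the first `*`), and rely on a separate Deny statement for resource types you never want this principal to delete.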
