I had created a serverless user with the necessary permissions to create and deploy an AWS Lambda function along with API Gateway.
However, when I change a piece of code and run serverless deploy on it, it gives the error:
Error:
DELETE_FAILED:... "User: arn:aws:iam::XXXXXXXXXXX:user/serverless is not authorized to perform: apigateway:DELETE on resource: arn:aws:apigateway:us-east-1::/restapis/1zhmt1r45r2/deployments/27gb11 because no identity-based policy allows the apigateway:DELETE action (Service: ApiGateway, Status Code: 403...
Now I can go ahead and add the DELETE action permission on the apigateway resource. But giving permission to delete any apigateway resource in a production environment is way too risky. What I want is to restrict what this serverless/programmatic user can delete (only the APIs created by itself, or a prefix on the resource name).
I have created policies to only allow the serverless user to create resources with a specific prefix, but since this error is reported on the resource arn:aws:apigateway:us-east-1::/restapis/1zhmt1r45r2/deployments/27gb11, where it is using IDs (1zhmt1r45r2/deployments/27gb11), I can't think of a way to effectively restrict what this user can delete.
Is there any work-around? I need to figure this out quite urgently.
I'm not sure what you really want to achieve without having more details, but the error you have is telling you that you need to grant the apigateway:DELETE permission to your lambda function using a policy that is restricted only to your lambda function. The easiest way to do this is specifying it in a SAM template. This way you can implement your IaC (Infrastructure as Code) without a manual process, and it allows you to automate the process for redeployments and add the template to source control. The following example defines a lambda function which needs the apigateway:DELETE permission:
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  ApiGatewayApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
  CreateLedger:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: CreateLedgerFunction
      Handler: QLDB.API.Config.Lambda::QLDB.API.Config.Lambda.Functions.CreateLedger.CreateLedgerFunction::FunctionHandler
      Runtime: dotnetcore3.1
      Timeout: 30
      CodeUri: .
      Policies:
        - Statement:
            - Sid: QLDBCreateLedgerCommandPolicy
              Effect: Allow
              Action:
                - apigateway:DELETE   # <----- specify the permissions
              Resource: '*'           # '*' = every API Gateway resource in the account; narrow to specific REST API ARNs where possible
      Events:
        CreateLedger:
          Type: Api
          Properties:
            Path: /createLedger
            Method: post
            RestApiId:
              Ref: ApiGatewayApi
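The question's actual blocker is the ARN shape: API Gateway ARNs carry the REST API ID, not a name, so a name-prefix policy cannot cover them. The script below is an added example (it is not part of the question or of the answer above) that pins the deploy user's apigateway:DELETE to the REST API IDs it already owns and checks the resulting policy offline against the ARN from the error message. It assumes that the REST API ID (1zhmt1r45r2 in the error) stays the same across serverless deploy runs, so it can be written into the user's policy after the first deploy, and its is_allowed() is a deliberately simplified evaluator (Action/Resource wildcards and explicit Deny only, no Condition keys), not the real IAM engine.

```python
"""Scope the Serverless deploy user's apigateway:DELETE to its own REST APIs.

Added example, not code from the question or the answer. Assumptions:
  * The REST API ID (1zhmt1r45r2 in the error) stays stable across
    `serverless deploy` runs, so it can be pinned in the user's policy.
  * is_allowed() is a simplified offline check: it handles Action/Resource
    wildcards and explicit Deny, but does not evaluate Condition keys.
"""
import json
import re
from typing import Iterable, List


def _glob_to_regex(pattern: str, case_sensitive: bool) -> "re.Pattern[str]":
    """IAM-style glob: '*' matches any run of characters (including '/'),
    '?' matches exactly one character."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", 0 if case_sensitive else re.IGNORECASE)


def arn_matches(pattern: str, arn: str) -> bool:
    return _glob_to_regex(pattern, case_sensitive=True).fullmatch(arn) is not None


def action_matches(pattern: str, action: str) -> bool:
    # IAM action names are matched case-insensitively.
    return _glob_to_regex(pattern, case_sensitive=False).fullmatch(action) is not None


def build_scoped_policy(region: str, api_ids: Iterable[str],
                        allow_delete_api: bool = False) -> dict:
    """Allow apigateway:DELETE only underneath the given REST API IDs.

    API Gateway ARNs carry no account ID: arn:aws:apigateway:REGION::/restapis/ID/...
    By default only child resources (deployments, stages, resources, methods) are
    deletable, which is all a redeploy needs; the REST API itself stays protected.
    """
    resources: List[str] = []
    for api_id in api_ids:
        resources.append(f"arn:aws:apigateway:{region}::/restapis/{api_id}/*")
        if allow_delete_api:
            resources.append(f"arn:aws:apigateway:{region}::/restapis/{api_id}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DeleteOnlyInsideOwnRestApis",
                "Effect": "Allow",
                "Action": ["apigateway:DELETE"],
                "Resource": resources,
            }
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, arn: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, then any matching
    Allow grants access, otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(action_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(arn_matches(r, arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # The ARN from the question's error message; the API ID is taken from it.
    failing_arn = "arn:aws:apigateway:us-east-1::/restapis/1zhmt1r45r2/deployments/27gb11"
    policy = build_scoped_policy("us-east-1", ["1zhmt1r45r2"])
    print(json.dumps(policy, indent=2))
    print("redeploy can prune old deployment:", is_allowed(policy, "apigateway:DELETE", failing_arn))
    print("can delete the REST API itself:   ",
          is_allowed(policy, "apigateway:DELETE",
                     "arn:aws:apigateway:us-east-1::/restapis/1zhmt1r45r2"))
```

Attach the printed document to the serverless IAM user in place of a blanket apigateway:DELETE on '*'. The same resource scoping applies to the other verbs the deploy needs (GET, POST, PUT, PATCH); only the creation of a brand-new REST API (POST on /restapis) cannot be pinned to an ID, which is why the first deploy is the moment to record the ID. Before relying on this in production, confirm the decision with the IAM policy simulator, since the offline check above ignores Condition elements.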