Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

IAM user access to manage API

1

I have been battling this for a while. The user must be able to view, edit and create API's. I have tried using the AWS Policy Generator to create the following:

 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmtxxxxxxxxxxx",
      "Action": "apigateway:*",
      "Effect": "Allow",
      "Resource": "arn:aws:apigateway:us-east/*"
    }
  ]
}

Then when testing the policy, I get that my username does not have apigateway: GET rights. What gives?

Themen
Sicherheit, Identität & KonformitätServerlosFrontend-Web & MobileVernetzung & Bereitstellung von Inhalten
Tags
AWS Identity and Access ManagementAmazon API-GatewayIAM-Richtlinien
Sprache
English
rePost-User-5483003
gefragt vor 2 Jahren266 Aufrufe
2 Antworten
1
Akzeptierte Antwort

It looks like your resource is not formatted properly -- for instance you don't have a valid region specified in your policy document. us-east is not a valid region. It's also unclear what resource you are trying to declare. To see what the resource specification format should be check out Actions, resources, and condition keys for Amazon API Gateway Management -- particularly the section on the resource specification for RestApis.

It looks like you might need something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ApiCreateAndEditAccess",
      "Effect": "Allow",
      "Action": [
        "apigateway:*"
      ],
      "Resource": [
        "arn:aws:apigateway:us-east-2::/restapis",
        "arn:aws:apigateway:us-east-2::/restapis/*"
      ],
    }
  ]
}
profile pictureAWS
MiguelUT
beantwortet vor 2 Jahren
  • rePost-User-5483003
    vor 2 Jahren

    Thanks for the reply, I have tried that also before: { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmtxxxxxxxxxxxx", "Action": "apigateway:*", "Effect": "Allow", "Resource": "arn:aws:apigateway:us-east-2::/**************" } ] }

    I still get the same errors

    1. not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-east-2::/account because no identity-based policy allows the apigateway:GET action
    2. not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-east-2::/restapis because no identity-based policy allows the apigateway:GET action
    3. not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-east-2::/apis I have tried lots of different resource combinations but to no avail
  • MiguelUT
    vor 2 Jahren

    There are some example policies here: https://docs.aws.amazon.com/apigateway/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies. I'm not sure if that's an exact copy-paste there but you should never need to use more than one wildcard in a row.

0

Please take a look at this document https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html The section "API Gateway permissions model for creating and managing an API" talks about IAM permissions required to create and manage APIs

profile pictureAWS
EXPERTE
Indranil Banerjee AWS
beantwortet vor 2 Jahren
  • rePost-User-5483003
    vor 2 Jahren

    The problem is how I represent the resource. If I use"*" as the resource, then it works.

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt