Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

IAM user access to manage API

1

I have been battling this for a while. The user must be able to view, edit and create API's. I have tried using the AWS Policy Generator to create the following:

 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmtxxxxxxxxxxx",
      "Action": "apigateway:*",
      "Effect": "Allow",
      "Resource": "arn:aws:apigateway:us-east/*"
    }
  ]
}

Then when testing the policy, I get that my username does not have apigateway: GET rights. What gives?

Argomenti
Sicurezza, identità e conformitàServerlessFront-end web e dispositivi mobiliNetworking e distribuzione di contenuti
Tag
Gestione identità e accesso AWSGateway API di AmazonPolitiche IAM
Lingua
English
rePost-User-5483003
posta 2 anni fa266 visualizzazioni
2 Risposte
1
Risposta accettata

It looks like your resource is not formatted properly -- for instance you don't have a valid region specified in your policy document. us-east is not a valid region. It's also unclear what resource you are trying to declare. To see what the resource specification format should be check out Actions, resources, and condition keys for Amazon API Gateway Management -- particularly the section on the resource specification for RestApis.

It looks like you might need something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ApiCreateAndEditAccess",
      "Effect": "Allow",
      "Action": [
        "apigateway:*"
      ],
      "Resource": [
        "arn:aws:apigateway:us-east-2::/restapis",
        "arn:aws:apigateway:us-east-2::/restapis/*"
      ],
    }
  ]
}
profile pictureAWS
MiguelUT
con risposta 2 anni fa
  • rePost-User-5483003
    2 anni fa

    Thanks for the reply, I have tried that also before: { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmtxxxxxxxxxxxx", "Action": "apigateway:*", "Effect": "Allow", "Resource": "arn:aws:apigateway:us-east-2::/**************" } ] }

    I still get the same errors

    1. not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-east-2::/account because no identity-based policy allows the apigateway:GET action
    2. not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-east-2::/restapis because no identity-based policy allows the apigateway:GET action
    3. not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-east-2::/apis I have tried lots of different resource combinations but to no avail
  • MiguelUT
    2 anni fa

    There are some example policies here: https://docs.aws.amazon.com/apigateway/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies. I'm not sure if that's an exact copy-paste there but you should never need to use more than one wildcard in a row.

0

Please take a look at this document https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html The section "API Gateway permissions model for creating and managing an API" talks about IAM permissions required to create and manage APIs

profile pictureAWS
ESPERTO
Indranil Banerjee AWS
con risposta 2 anni fa
  • rePost-User-5483003
    2 anni fa

    The problem is how I represent the resource. If I use"*" as the resource, then it works.

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente