AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

IAM user access to manage API

1

I have been battling this for a while. The user must be able to view, edit and create API's. I have tried using the AWS Policy Generator to create the following:

 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmtxxxxxxxxxxx",
      "Action": "apigateway:*",
      "Effect": "Allow",
      "Resource": "arn:aws:apigateway:us-east/*"
    }
  ]
}

Then when testing the policy, I get that my username does not have apigateway: GET rights. What gives?

주제
보안, 신원 및 규정 준수서버리스프론트엔드 웹 및 모바일네트워킹 및 콘텐츠 전송
태그
AWS 자격 증명 및 액세스 관리아마존 API 게이트웨이IAM 정책
언어
English
rePost-User-5483003
질문됨 2년 전266회 조회
2개 답변
1
수락된 답변

It looks like your resource is not formatted properly -- for instance you don't have a valid region specified in your policy document. us-east is not a valid region. It's also unclear what resource you are trying to declare. To see what the resource specification format should be check out Actions, resources, and condition keys for Amazon API Gateway Management -- particularly the section on the resource specification for RestApis.

It looks like you might need something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ApiCreateAndEditAccess",
      "Effect": "Allow",
      "Action": [
        "apigateway:*"
      ],
      "Resource": [
        "arn:aws:apigateway:us-east-2::/restapis",
        "arn:aws:apigateway:us-east-2::/restapis/*"
      ],
    }
  ]
}
profile pictureAWS
MiguelUT
답변함 2년 전
  • rePost-User-5483003
    2년 전

    Thanks for the reply, I have tried that also before: { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmtxxxxxxxxxxxx", "Action": "apigateway:*", "Effect": "Allow", "Resource": "arn:aws:apigateway:us-east-2::/**************" } ] }

    I still get the same errors

    1. not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-east-2::/account because no identity-based policy allows the apigateway:GET action
    2. not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-east-2::/restapis because no identity-based policy allows the apigateway:GET action
    3. not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-east-2::/apis I have tried lots of different resource combinations but to no avail
  • MiguelUT
    2년 전

    There are some example policies here: https://docs.aws.amazon.com/apigateway/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies. I'm not sure if that's an exact copy-paste there but you should never need to use more than one wildcard in a row.

0

Please take a look at this document https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html The section "API Gateway permissions model for creating and managing an API" talks about IAM permissions required to create and manage APIs

profile pictureAWS
전문가
Indranil Banerjee AWS
답변함 2년 전
  • rePost-User-5483003
    2년 전

    The problem is how I represent the resource. If I use"*" as the resource, then it works.

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠