By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

IAM Policy - Allow execute-api on resource with variable

0

I am trying to create an IAM policy that will only allow execute-api on a resource with variable, eg: /appointment/{appointment_id}. I want to allow /appointment/{appointment_id}, but don't want to allow the other appointment/* resources. Is there any better way to write this, such as using variables or something?

This is what i have currently: { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "execute-api:", "Resource": [ "arn:aws:execute-api:ap-southeast-1:551253161854:5i72ewjb4d/dev//appointment", "arn:aws:execute-api:ap-southeast-1:551253161854:5i72ewjb4d/dev/GET/appointment/", "arn:aws:execute-api:ap-southeast-1:551253161854:5i72ewjb4d/dev/GET/patient" ] }, { "Effect": "Deny", "Action": "execute-api:", "Resource": [ "arn:aws:execute-api:ap-southeast-1:551253161854:5i72ewjb4d/dev/GET/appointment//", "arn:aws:execute-api:ap-southeast-1:551253161854:5i72ewjb4d/dev/GET/appointment/count", "arn:aws:execute-api:ap-southeast-1:551253161854:5i72ewjb4d/dev/GET/appointment/calendars", "arn:aws:execute-api:ap-southeast-1:551253161854:5i72ewjb4d/dev/GET/appointment/codes" ] } ] }

I tried the tutorial and used this for /pets/{pet_id} but "/a1b2" does not work for me.
"Resource": ["arn:aws:execute-api:us-east-1:account-id:api-id/*/GET/pets/a1b2"] https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html

Appreciate any kind advice. Thank you!

Topics
ServerlessFront-End Web & MobileNetworking & Content Delivery
Tags
Amazon API Gateway
Language
English
rePost-User-7022159
asked a year ago1018 views
1 Answer
1
Accepted Answer

From the information you've provided, it seems that you're attempting to grant permissions to a resource with a path variable (appointment_id), while denying other resources under the same root path (appointment/*). The tricky part about this in IAM is that path variables aren't inherently supported.

In IAM policies, when specifying resources, wildcards (*) can be used to represent one or more characters. But there's no built-in method for excluding certain patterns using the wildcard syntax. AWS does not currently support variable substitution in IAM policies, and thus you can't use a placeholder for the appointment_id in your policy.

However, you might consider adjusting your API routes to help facilitate permissions. If all of the appointment/{appointment_id} routes are read operations (GET), and all other appointment/* routes are modification operations (POST, PUT, DELETE, etc.), you could differentiate between the two in your IAM policy by HTTP verb:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": [
        "arn:aws:execute-api:ap-southeast-1:551253161854:5i72ewjb4d/dev/GET/appointment/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": "execute-api:Invoke",
      "Resource": [
        "arn:aws:execute-api:ap-southeast-1:551253161854:5i72ewjb4d/dev/POST/appointment/*",
        "arn:aws:execute-api:ap-southeast-1:551253161854:5i72ewjb4d/dev/PUT/appointment/*",
        "arn:aws:execute-api:ap-southeast-1:551253161854:5i72ewjb4d/dev/DELETE/appointment/*"
      ]
    }
  ]
}

This policy allows GET requests to any resource under /appointment/, but denies POST, PUT, and DELETE requests to those same resources. This works if your API is structured to have all modifications under separate routes.

For a more granular access control to your APIs, you may want to consider using AWS API Gateway resource policies or Lambda authorizers, as IAM policies may not provide the granularity you're looking for. If you do this, you'd be able to write custom logic to allow or deny access to certain routes. For instance, with a Lambda authorizer, you could extract the appointment_id from the path parameters and determine if the current user should have access to it.

If the answer is helpful, please click "Accept Answer" and upvote it.

profile picture
EXPERT
Ivan Casco
answered a year ago
profile pictureAWS
EXPERT
AWS-User-Nitin
reviewed a year ago
  • rePost-User-7022159
    a year ago

    Hi Ivan, thanks alot for taking your time to answer my query. Definitely helped as it confirmed my findings that IAM will not be able to provide such granular access control to my API. Will spend time to explore on the other options. Thank you again!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content