IAM user access to manage API

1

I have been battling this for a while. The user must be able to view, edit and create API's. I have tried using the AWS Policy Generator to create the following:

 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmtxxxxxxxxxxx",
      "Action": "apigateway:*",
      "Effect": "Allow",
      "Resource": "arn:aws:apigateway:us-east/*"
    }
  ]
}

Then when testing the policy, I get that my username does not have apigateway: GET rights. What gives?

2 Answers
1
Accepted Answer

It looks like your resource is not formatted properly -- for instance you don't have a valid region specified in your policy document. us-east is not a valid region. It's also unclear what resource you are trying to declare. To see what the resource specification format should be check out Actions, resources, and condition keys for Amazon API Gateway Management -- particularly the section on the resource specification for RestApis.

It looks like you might need something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ApiCreateAndEditAccess",
      "Effect": "Allow",
      "Action": [
        "apigateway:*"
      ],
      "Resource": [
        "arn:aws:apigateway:us-east-2::/restapis",
        "arn:aws:apigateway:us-east-2::/restapis/*"
      ],
    }
  ]
}
profile pictureAWS
answered a year ago
  • Thanks for the reply, I have tried that also before: { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmtxxxxxxxxxxxx", "Action": "apigateway:*", "Effect": "Allow", "Resource": "arn:aws:apigateway:us-east-2::/**************" } ] }

    I still get the same errors

    1. not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-east-2::/account because no identity-based policy allows the apigateway:GET action
    2. not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-east-2::/restapis because no identity-based policy allows the apigateway:GET action
    3. not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-east-2::/apis I have tried lots of different resource combinations but to no avail
  • There are some example policies here: https://docs.aws.amazon.com/apigateway/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies. I'm not sure if that's an exact copy-paste there but you should never need to use more than one wildcard in a row.

0

Please take a look at this document https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html The section "API Gateway permissions model for creating and managing an API" talks about IAM permissions required to create and manage APIs

profile pictureAWS
EXPERT
answered a year ago
  • The problem is how I represent the resource. If I use"*" as the resource, then it works.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions