12 votes

One of the things that drives me nuts is that AWS has loads of docs about the format of an ARN, but doesn't have any kind of generator to make you confident that the ARN is correct.

In IAM, I'm trying to set up a policy to allow access to an API Gateway and I've read the following docs about it:

But I can't get any ARN to validate, even just a wide open API Gateway ARN. See screenshot:

[screenshot: open arn called invalid]

What am I doing wrong here?

Comments:

error2007s: If you want to give full access you have to keep the ARN "*". And for all others you have to mention the region or it will not work. And that ":::" will definitely not work.

Miles: So you're saying arn:aws:apigateway:us-west-2::* ? Tried it, doesn't work.

error2007s: I just realized you are using "Amazon API Gateway" in service, so you cannot use "apigateway"; you have to use "execute-api". "apigateway" is for "Manage API Gateway".

1 Answer

15 votes

From the documentation: To create an IAM policy using the Policy Generator in the IAM console, select Manage Amazon API Gateway as AWS Service to set permissions statements for apigateway and select Amazon API Gateway as AWS Service to set permission statements for execute-api.

If you are creating a policy to manage creating/editing your API, then you will need to select Manage - Amazon API Gateway and then use * to give permission for all resources. If you want to give permissions for specific resources, then use this format: (note that the service name is apigateway)

arn:aws:apigateway:region::resource-path-specifier

If you are creating a policy to manage invoking your API, then you will need to select Amazon API Gateway and then use * to give permission for all resources. If you want to give permissions for specific resources, then use this format: (note that the service name is execute-api)

arn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-path-specifier
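The asker's complaint is that nothing tells you whether an ARN is well-formed before the policy editor rejects it. The following is an added example, not code from the question, the answer or AWS: it builds both ARN shapes quoted in the answer, lints an ARN against the rules this thread arrives at (a bare "*" is accepted, the region field must not be empty, apigateway ARNs carry an empty account-id, execute-api ARNs need account-id plus api-id/stage-name/HTTP-VERB/path), and reports which service to select in the policy generator. The region, account id, API id and stage values are constructed; the IAM action names execute-api:Invoke and apigateway:* used in policy_statement are an assumption not stated on this page.

```python
"""Build and lint Amazon API Gateway ARNs for IAM policies (added example).

Mirrors the two formats quoted in the answer: service "apigateway" for
managing an API, service "execute-api" for invoking it. All sample values
(region, account id, API id, stage) are constructed for illustration.
"""
import json

# Verbs accepted in the HTTP-VERB slot of an execute-api ARN ("*" = any verb).
HTTP_VERBS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS", "*"}


def build_manage_arn(region: str, resource_path: str = "*") -> str:
    """Management ARN: arn:aws:apigateway:region::resource-path-specifier.
    The account-id field is left empty on purpose for this service."""
    return f"arn:aws:apigateway:{region}::{resource_path}"


def build_invoke_arn(region: str, account_id: str, api_id: str, stage: str,
                     verb: str, resource_path: str = "*") -> str:
    """Invocation ARN: arn:aws:execute-api:region:account-id:api-id/stage/VERB/path."""
    path = resource_path.lstrip("/")  # the verb's trailing slash already separates the path
    return f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}/{verb}/{path}"


def lint_arn(arn: str):
    """Return (console service to select, list of problems found).

    "either" means the bare wildcard, which the policy editor takes for both
    services; None means the string is not an API Gateway ARN at all.
    """
    if arn == "*":
        return "either", []
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[:2] != ["arn", "aws"]:
        return None, ["expected arn:aws:service:region:account-id:resource"]
    service, region, account, resource = parts[2:]
    problems = []
    if not region:
        problems.append("region is empty; the ':::' form is rejected by the policy editor")
    if service == "apigateway":
        console = "Manage Amazon API Gateway"
        if account:
            problems.append("account-id must be empty for apigateway ARNs")
        if not resource:
            problems.append("resource-path-specifier is empty")
    elif service == "execute-api":
        console = "Amazon API Gateway"
        if not account:
            problems.append("account-id is required for execute-api ARNs")
        segs = resource.split("/", 3)
        if len(segs) < 3 or not all(segs[:3]):
            problems.append("resource must be api-id/stage-name/HTTP-VERB/resource-path-specifier")
        elif segs[2] not in HTTP_VERBS:
            problems.append(f"unrecognised HTTP verb {segs[2]!r}")
    else:
        return None, [f"service {service!r} is neither apigateway nor execute-api"]
    return console, problems


def policy_statement(arn: str, effect: str = "Allow") -> dict:
    """IAM statement scoped to one service-specific ARN.

    Action names are an assumption, not quoted on the page: execute-api:Invoke
    for invocation ARNs, apigateway:* for management ARNs. A bare "*" resource
    is refused here so the statement stays tied to one service.
    """
    console, problems = lint_arn(arn)
    if problems or console in (None, "either"):
        raise ValueError("; ".join(problems) or "need a service-specific ARN, not '*'")
    action = "execute-api:Invoke" if console == "Amazon API Gateway" else "apigateway:*"
    return {"Effect": effect, "Action": action, "Resource": arn}


if __name__ == "__main__":
    invoke = build_invoke_arn("us-west-2", "123456789012", "a1b2c3d4e5", "prod", "GET", "/pets")
    for arn in ("arn:aws:apigateway:::*",        # the form the question tried
                build_manage_arn("us-west-2"),   # valid, but only under "Manage Amazon API Gateway"
                invoke):
        print(arn, "->", lint_arn(arn))
    print(json.dumps({"Version": "2012-10-17", "Statement": [policy_statement(invoke)]}, indent=2))
```

Running it shows why the asker's attempts failed twice over: the ":::" form has an empty region, and arn:aws:apigateway:us-west-2::* is well-formed but belongs to "Manage Amazon API Gateway", not the "Amazon API Gateway" service that was selected. Prefer the execute-api form with a concrete api-id, stage and verb over "*" so an invoke policy grants only the routes it has to.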