Recently AWS announced that Amazon API Gateway Supports Resource Policies for APIs
Is it possible to attach a resource policy to an AWS::Serverless::Api created via CloudFormation with SAM?
I haven't had the chance to try this yet but I assume you can use it like you would use an S3 Bucket Policy. The trickiest part for you would be to grab the api-id to be able to use in the Resource ARN(s).
So, in your template you would have a piece that contains similar YAML (or JSON).
This would allow <some user> to use the API:

    Statement:
      - Effect: Allow
        Principal:
          AWS:
            - arn:aws:iam::<account-id>:user/<some user>
            - account-id
        Action: execute-api:Invoke
        Resource:
          - execute-api:/*/*/*
Note that the execute-api:/*/*/* gets converted automatically during deployment to something that looks like arn:aws:execute-api:<region>:<account-id>:<api-id>/*/*/*
This approach should work just like bucket policies and this is how you apply a policy to a Bucket.
Good luck!
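
An added example, not part of the original answer: a complete SAM template that attaches the statement above to an AWS::Serverless::Api through SAM's `Auth.ResourcePolicy.CustomStatements` property, so the api-id never has to be looked up by hand. The logical IDs, the account ID 123456789012, the user name and the `/hello` route are constructed placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Resources:
  ExampleApi:                        # hypothetical logical ID
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      Auth:
        ResourcePolicy:
          # Statements are copied into the API's resource policy as written.
          CustomStatements:
            - Effect: Allow
              Principal:
                AWS:
                  # constructed placeholder principal
                  - arn:aws:iam::123456789012:user/example-user
              Action: execute-api:Invoke
              Resource:
                # Shorthand for <stage>/<method>/<path>; expanded at
                # deployment to the full execute-api ARN of this API.
                - execute-api:/*/*/*

  ExampleFunction:                   # minimal backend so the API has a route
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      InlineCode: |
        def handler(event, context):
            return {"statusCode": 200, "body": "ok"}
      Events:
        GetHello:
          Type: Api
          Properties:
            RestApiId: !Ref ExampleApi
            Path: /hello
            Method: get
```

To scope access more tightly than the whole API, replace the wildcards in the shorthand with a specific stage, method and path, for example `execute-api:/prod/GET/hello`.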