Reputation: 91820
I have automation around an API Gateway deployment:
aws apigateway create-deployment ...
I am attempting to wrap my features in continuous deployment and I cannot seem to understand the IAM permissions which seem to deviate from all other IAM permissions across other services:
apigateway:GET
apigateway:PUT
apigateway:POST
apigateway:DELETE
apigateway:PATCH
apigateway:OPTIONS
(Cloudonaut Documentation; "Control Access for Managing an API")
Permissions only seem to cover stages:
arn:aws:apigateway:region::/restapis/*
for all resources, methods, models, and stages in the AWS region of region.
arn:aws:apigateway:region::/restapis/api-id/*
for all resources, methods, models, and stages in the API with the identifier of api-id in the AWS region of region.
arn:aws:apigateway:region::/restapis/api-id/resources/resource-id/*
for all resources and methods in the resource with the identifier resource-id, which is in the API with the identifier of api-id in the AWS region of region.
arn:aws:apigateway:region::/restapis/api-id/resources/resource-id/methods/*
for all of the methods in the resource with the identifier resource-id, which is in the API with the identifier of api-id in the AWS region of region.
arn:aws:apigateway:region::/restapis/api-id/resources/resource-id/methods/GET
for just the GET method in the resource with the identifier resource-id, which is in the API with the identifier of api-id in the AWS region of region.
arn:aws:apigateway:region::/restapis/api-id/models/*
for all of the models in the API with the identifier of api-id in the AWS region of region.
arn:aws:apigateway:region::/restapis/api-id/models/model-name
for the model with the name of model-name, which is in the API with the identifier of api-id in the AWS region of region.
arn:aws:apigateway:region::/restapis/api-id/stages/*
for all of the stages in the API with the identifier of api-id in the AWS region of region.
arn:aws:apigateway:region::/restapis/api-id/stages/stage-name
for just the stage with the name of stage-name in the API with the identifier of api-id in the AWS region of region.
How do I grant the ability to create a deployment for a given stage? apigateway:PUT? apigateway:POST?
Upvotes: 2
Views: 1660
Reputation: 159
Try this:
{
"Action": "apigateway:POST",
"Resource": "arn:aws:apigateway:*::/restapis/*/stages/${stage_name}",
"Effect": "Allow",
"Sid": "VisualEditor"
}
Upvotes: 2
Reputation: 91820
By testing, I have elucidated the policy required:
{
"Action": "apigateway:POST",
"Resource": "arn:aws:apigateway:us-east-1::/restapis/${rest_api_id}/deployments",
"Effect": "Allow",
"Sid": "AllowApiGatewayDeployments"
}
It may not be possible to limit the deployment to a given stage, but I don't know because I haven't tested this.
Upvotes: 2
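As an added example (not code from either poster), the script below makes the API Gateway IAM model explicit: the action is `apigateway:<HTTP method>` of the control-plane call and the resource is `arn:<partition>:apigateway:<region>::<resource path>` of that call, with an empty account field. It builds a least-privilege policy for a deployment pipeline from three control-plane calls; the choice of those three calls (get-rest-api, create-deployment, update-stage) and the names `PIPELINE_CALLS`, `deployment_policy` and `stage_scoped` are assumptions of this example. It also shows why the create-deployment statement cannot be narrowed to one stage through `Resource`: CreateDeployment is `POST /restapis/{rest_api_id}/deployments` and carries `stageName` in the request body, whereas UpdateStage is `PATCH /restapis/{rest_api_id}/stages/{stage_name}` and therefore can be stage-scoped.

```python
"""Derive least-privilege IAM statements for API Gateway control-plane calls.

API Gateway (REST API / v1) maps every control-plane call to
    Action   = apigateway:<HTTP method>
    Resource = arn:<partition>:apigateway:<region>::<resource path>
so a statement can be derived from the HTTP request the AWS CLI sends.
"""
import json

# Control-plane calls a deployment pipeline is assumed (for this example)
# to make, as (HTTP method, resource-path template) pairs.
PIPELINE_CALLS = {
    "get-rest-api": ("GET", "/restapis/{rest_api_id}"),
    "create-deployment": ("POST", "/restapis/{rest_api_id}/deployments"),
    "update-stage": ("PATCH", "/restapis/{rest_api_id}/stages/{stage_name}"),
}


def apigateway_arn(region, path, partition="aws"):
    """Build an API Gateway resource ARN. The account field is empty,
    which is why the ARN contains '::' before the resource path."""
    if not path.startswith("/"):
        raise ValueError("path must be an API Gateway resource path beginning with '/'")
    return f"arn:{partition}:apigateway:{region}::{path}"


def statement_for(sid, method, path, region, partition="aws"):
    """One Allow statement for a single control-plane call."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Action": f"apigateway:{method.upper()}",
        "Resource": apigateway_arn(region, path, partition),
    }


def deployment_policy(region, rest_api_id, stage_name):
    """Policy document covering every call in PIPELINE_CALLS, each scoped
    to the given API (and to the given stage where the path names one)."""
    statements = []
    for name, (method, template) in PIPELINE_CALLS.items():
        path = template.format(rest_api_id=rest_api_id, stage_name=stage_name)
        sid = "".join(part.capitalize() for part in name.split("-"))
        statements.append(statement_for(sid, method, path, region))
    return {"Version": "2012-10-17", "Statement": statements}


def stage_scoped(policy):
    """Sids whose Resource names a stage. A statement whose path has no
    '/stages/' segment (CreateDeployment: the stage name travels in the
    request body) cannot be narrowed to one stage via Resource."""
    return [
        s["Sid"] for s in policy["Statement"] if "/stages/" in s["Resource"]
    ]


if __name__ == "__main__":
    # Constructed sample input: a fictitious API id and stage name.
    policy = deployment_policy("us-east-1", "abc123", "prod")
    print(json.dumps(policy, indent=2))
    print("stage-scoped statements:", stage_scoped(policy))
```

The CreateDeployment statement this produces (`apigateway:POST` on `arn:aws:apigateway:us-east-1::/restapis/<id>/deployments`) is the one found by testing above; the UpdateStage statement is the shape a stage-level restriction takes when the call's path actually contains the stage.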