Viji

Reputation: 582

What is the difference between the IAM policies mentioned below?

These are the policies attached to a Lambda function calling a REST API in API Gateway. I am trying to understand why we need to have two policies like this, e.g. can somebody explain in simple words what the first policy does? Why can we not limit everything with the second policy only? If we only need to allow POST to every path under a particular API, what else is required? What is the difference between the "execute-api" resource and "apigateway"?


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": [
        "arn:aws:execute-api:us-east-1:account-id:api-id/*/GET/pets"
      ]
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:POST"
      ],
      "Resource": [
        "arn:aws:apigateway:us-east-1:account-id:api-id/*"
      ]
    }
  ]
}


Upvotes: 3

Views: 629

Answers (1)

Marcin

Reputation: 238219

There are two types of permissions for API gateway:

  1. For invoking an API. Your first statement allows invoking the API.
  2. For creating and managing an API. Your second statement allows for creating child resources in the API.

You have two policies because the resources are different for each statement. So your function can both manage the API and invoke it.

Upvotes: 2
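As an added illustration of the two permission types in the answer (example code, not from either poster): a simplified IAM evaluator run over the question's two policies, plus a helper that builds the data-plane policy for the "POST to every path under one API" case the question asks about. The account-id and api-id values are the question's placeholders; the evaluator ignores Condition, NotAction/NotResource, SCPs and permission boundaries.

```python
import re

# Simplified model of IAM policy evaluation (added example, not the poster's
# code): no Condition, NotAction/NotResource, SCPs or permission boundaries.
# "account-id" and "api-id" are the placeholders used in the question.
INVOKE_POLICY = {  # data plane: lets the caller send a request to GET /pets
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["execute-api:Invoke"],
                   "Resource": ["arn:aws:execute-api:us-east-1:account-id:api-id/*/GET/pets"]}],
}
MANAGE_POLICY = {  # control plane: lets the caller create things inside the API
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["apigateway:POST"],
                   "Resource": ["arn:aws:apigateway:us-east-1:account-id:api-id/*"]}],
}


def _matches(pattern: str, value: str) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' a single one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policies, action: str, resource: str) -> bool:
    """True if the combined policies allow `action` on `resource`:
    an explicit Deny wins, otherwise an Allow is required (implicit deny)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def invoke_policy(region: str, account: str, api_id: str, method: str = "POST") -> dict:
    """Data-plane policy allowing `method` on every path of every stage of one API."""
    arn = f"arn:aws:execute-api:{region}:{account}:{api_id}/*/{method}/*"
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "execute-api:Invoke", "Resource": arn}]}
```

Note that `apigateway:POST` never matches an `execute-api:Invoke` request, since the service prefixes differ: a caller holding only the second policy can create resources in the API but cannot call it.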
