AWS API Gateway ARN
From the documentation: To create an IAM policy using the Policy Generator in the IAM console, select Manage Amazon API Gateway as AWS Service to set permissions statements for apigateway and select Amazon API Gateway as AWS Service to set permission statements for execute-api.
If you are creating a policy to manage creating/editing your API, then you will need to select Manage - Amazon API Gateway and then use * to give permission for all resources. If you want to give permissions for specific resources, then use this format: (note that the service name is apigateway)
arn:aws:apigateway:region::resource-path-specifier
If you are creating a policy to manage invoking your API, then you will need to select Amazon API Gateway and then use * to give permission for all resources. If you want to give permissions for specific resources, then use this format: (note that the service name is execute-api)
arn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-path-specifier
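As an added example (not part of the original answer), the following Python sketch checks an ARN against the two formats quoted above and builds an invoke policy statement from its parts. The function names, the sample account id and API id, and the rule that management paths start with `/` are assumptions made for illustration.

```python
import json
import re

# Formats quoted in the answer above:
#   arn:aws:apigateway:region::resource-path-specifier
#   arn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-path-specifier
REGION = re.compile(r"^(\*|[a-z]{2}(-[a-z]+)+-\d)$")
ACCOUNT = re.compile(r"^(\*|\d{12})$")
VERBS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS", "*"}


def check_arn(arn):
    """Return a list of problems; an empty list means the ARN fits its format."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return ["expected 'arn' followed by five more colon-separated fields"]
    service, region, account, resource = parts[2:]
    problems = []
    if not REGION.match(region):
        problems.append("region is neither a region name nor '*'")
    if service == "apigateway":
        if account:
            problems.append("apigateway ARNs leave the account-id field empty")
        # Assumption: management paths start with '/', as in /apikeys on this page.
        if not resource.startswith("/"):
            problems.append("resource path should start with '/'")
    elif service == "execute-api":
        if not ACCOUNT.match(account):
            problems.append("execute-api ARNs need a 12-digit account-id or '*'")
        segments = resource.split("/", 3)  # api-id, stage-name, HTTP-VERB, path
        if len(segments) > 2 and segments[2] not in VERBS:
            problems.append("third resource segment must be an upper-case HTTP verb or '*'")
    else:
        problems.append("service must be 'apigateway' or 'execute-api'")
    return problems


def invoke_policy(region, account_id, api_id, stage, verb, path):
    """Build an Allow statement for invoking one method of one API."""
    arn = f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}/{verb}/{path.lstrip('/')}"
    problems = check_arn(arn)
    if problems:
        raise ValueError("; ".join(problems))
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "execute-api:Invoke", "Resource": arn}]}


if __name__ == "__main__":
    # Constructed sample values: the account id and API id are placeholders.
    print(json.dumps(invoke_policy("us-east-1", "123456789012", "a1b2c3d4e5", "prod", "GET", "/v1/greetings"), indent=2))
    print(check_arn("arn:aws:apigateway:us-east-1:123456789012:/apikeys"))
```

Scoping `Resource` to one stage, verb and path, as `invoke_policy` does, keeps the grant narrower than the `*` wildcard.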
Miles
Updated on June 07, 2022
Comments
-
Miles almost 2 years
One of the things that drives me nuts is that AWS has loads of docs about the format of an ARN, but doesn't have any kind of generator to make you confident that the ARN is correct.
In IAM, I'm trying to set up a policy to allow access to an API Gateway and I've read the following docs about it:
- http://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html#api-gateway-control-access-using-iam-policies
- http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-apigateway
- http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.arn.html
But I can't get any ARN to validate, even just a wide open API Gateway ARN. See screenshot:
What am I doing wrong here?
-
Miles over 7 years
Thanks, that worked! I really wish AWS just had a tool to see the resources you have in AWS and generate an ARN. It's always one of the most annoying things about setting up AWS resources.
-
Brian T. Grant about 5 years
@Miles: Building on this answer and hopefully addressing your "wish": it looks to me like navigating to a specific resource and HTTP verb on a gateway will allow you to see that full ARN within the "Method Request" box. I have a very resource defined at GET /v1/greetings and the tail end of the URN is GET/v1/greetings
-
Vankuisher over 3 years
Btw, what if you need to manage the API keys, although you would like the access to only allow for retrieval of a single API key (arn:aws:apigateway:region::/apikeys/*) as opposed to many (arn:aws:apigateway:region::/apikeys)... I have noticed that this does not work... how can this be achieved?