
[apigateway] Unable to add accurate resource policy


The resource policy is readonly in the RestApi. It’s only injectable at the constructor. This is a problem because I can’t get the ARN into the policy to control method level invocations. It seems like there’s a chicken/egg situation.

Also - changing the policy doesn’t seem to kick off a deployment of the API, meaning the changes have no effect. Adding the policy contents to the hash of the deployment logical id seems logical. (This might belong in its own issue).

What I’m really trying to accomplish is a customization of the RestApi (like LambdaRestApi did) but for a ‘flavoured’ regional apigateway with some security features that I can share amongst the team.

Is making this mutable going to interfere with the template prepare() activities?

Opening this up will also let us apply policy statements after resources / methods have been added to the api.

      // The policy can only be passed here, at construction time; the resource ARN
      // needs the API id, which does not exist until the RestApi has been created.
      new apigateway.RestApi(this, 'testApi', {
        policy: new iam.PolicyDocument()
          .addStatement(new iam.PolicyStatement(iam.PolicyStatementEffect.Deny)
            .addAction("execute-api:Invoke")
            .addAnyPrincipal()
            // <how-to-get-id> is the part that cannot be filled in yet
            .addResource(`arn:aws:execute-api:${cdk.Aws.region}:*:<how-to-get-id>/prod/`)
          )
      })


Top GitHub Comments

chillitom commented, Nov 20, 2019 (5 reactions)
        // authenticatedRole is assumed to be an iam.Role defined elsewhere in the stack.
        const api = new apigateway.RestApi(this, 'api', {
            restApiName: 'API',
            policy: new iam.PolicyDocument({
                statements: [
                    // Explicit DENY on every execute-api action; this statement names no principal.
                    new iam.PolicyStatement({
                        actions: ['execute-api:*'],
                        // short form accepted by API Gateway: region, account and API id are implied
                        resources: ['execute-api:/*'],
                        effect: iam.Effect.DENY,
                    }),
                    // ALLOW for the authenticated role only.
                    new iam.PolicyStatement({
                        actions: ['execute-api:*'],
                        resources: ['execute-api:/*'],
                        effect: iam.Effect.ALLOW,
                        principals: [authenticatedRole],
                    }),
                ]
            })
        })

Adding the above policy causes the deployment to hang on deploying the API and it has to be cancelled in the cloudformation console. Any ideas what’s up with this declaration?

Looking at the generated YAML, I don’t see the region, account or api name getting added to the arns.
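Added example, not code from the issue or from the aws-cdk project: a dependency-free TypeScript check of a resource policy document shaped like the declaration above, covering the two points the thread raises. It flags a statement with no Principal (resource-based policies require one on every statement), accepts both the full execute-api ARN (which needs the API id the original poster could not obtain) and the short `execute-api:/...` form (which needs no region, account or id), and hashes the policy text so it could be folded into the deployment's logical id, as the first post proposes. `lintResourcePolicy`, `policyHash` and the sample account id and role ARN are assumptions made for the example.

```typescript
// Added example, not from the issue or the aws-cdk project: dependency-free
// checks on an API Gateway resource policy document plus a content hash.
interface Statement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
  Principal?: unknown;
}
interface PolicyDocument { Version: string; Statement: Statement[]; }
// Two resource spellings the service accepts: the full execute-api ARN, which
// needs region, account and the API id (the chicken/egg problem in the issue),
// and the short form "execute-api:/stage/METHOD/path", which needs none of them.
const FULL_ARN = /^arn:aws:execute-api:[a-z0-9-]+:(\d{12}|\*):[a-z0-9*]+\/.+$/;
const SHORT_FORM = /^execute-api:\/.+$/;
// Returns the problems found; an empty list means the document passed.
function lintResourcePolicy(doc: PolicyDocument): string[] {
  const problems: string[] = [];
  doc.Statement.forEach((s, i) => {
    // Resource-based policies must name a Principal on every statement.
    if (s.Principal === undefined) {
      problems.push("statement " + i + ": " + s.Effect + " has no Principal");
    }
    const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
    for (const r of resources) {
      if (!FULL_ARN.test(r) && !SHORT_FORM.test(r)) {
        problems.push("statement " + i + ": unrecognised resource " + r);
      }
    }
  });
  return problems;
}
// 32-bit FNV-1a over the serialised policy, as 8 hex chars. Folding this into the
// Deployment's logical id is one way to make a policy edit produce a fresh deployment.
function policyHash(doc: PolicyDocument): string {
  let h = 0x811c9dc5;
  const text = JSON.stringify(doc);
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = ((h & 0xffff) * 0x01000193 + ((((h >>> 16) * 0x01000193) & 0xffff) << 16)) >>> 0;
  }
  return ("0000000" + h.toString(16)).slice(-8);
}
// Constructed sample mirroring the shape of the declaration above (made-up account id).
const SAMPLE: PolicyDocument = { Version: "2012-10-17", Statement: [
  { Effect: "Deny", Action: "execute-api:*", Resource: "execute-api:/*" },
  { Effect: "Allow", Action: "execute-api:*", Resource: "execute-api:/*",
    Principal: { AWS: "arn:aws:iam::123456789012:role/authenticatedRole" } },
] };
```

Running `lintResourcePolicy(SAMPLE)` reports the principal-less DENY statement; adding a Principal to it makes the document lint clean.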

hoegertn commented, Aug 7, 2019 (3 reactions)

@eladb anything on this topic? The not-refreshed deployment is not a gap. Instead, it should qualify as a bug.
