Question
Usually, when I want to create a private AWS::ApiGateway::RestApi whose policy only allows traffic from a VPC to invoke any resource on the API, I do this:
"ApiGatewayRestApi": {
    "Type": "AWS::ApiGateway::RestApi",
    "Properties": {
        "Name": "api-foo-bar",
        "EndpointConfiguration": {
            "Types": [
                "PRIVATE"
            ]
        },
        "Policy": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": "*",
                    "Action": [
                        "execute-api:Invoke"
                    ],
                    "Resource": "execute-api:/*",
                    "Condition": {
                        "StringEquals": {
                            "aws:SourceVpc": "vpc-000000000000"
                        }
                    }
                }
            ]
        }
    }
}
Someone asked me whether we could create the policy once and then reuse it for the different API Gateways we might create, something along these lines:
"ApiGatewayRestApi": {
    "Type": "AWS::ApiGateway::RestApi",
    "Properties": {
        "Policy": "arn:aws:*whatever*"
    }
}
I don't know! I also can't find any documentation or examples covering this. Has anyone done it? Is it possible at all? Thanks :)
Answer
No, this is not currently possible. The policy you attach to an API Gateway is a resource-based policy.
From the AWS documentation:
With resource-based policies, you can specify who has access to the resource and what actions they can perform on it.
The AWS documentation shows the type each property can take in CloudFormation. Below are the properties and types allowed in "AWS::ApiGateway::RestApi":
{
    "Type" : "AWS::ApiGateway::RestApi",
    "Properties" : {
        "ApiKeySourceType" : String,
        "BinaryMediaTypes" : [ String, ... ],
        "Body" : Json,
        "BodyS3Location" : S3Location,
        "CloneFrom" : String,
        "Description" : String,
        "DisableExecuteApiEndpoint" : Boolean,
        "EndpointConfiguration" : EndpointConfiguration,
        "FailOnWarnings" : Boolean,
        "MinimumCompressionSize" : Integer,
        "Mode" : String,
        "Name" : String,
        "Parameters" : {Key : Value, ...},
        "Policy" : Json,
        "Tags" : [ Tag, ... ]
    }
}
Note that the Policy property takes the Json type. In addition, the documentation says the following about the Policy property:
A policy document that contains the permissions for the RestApi resource.
This tells us that the Policy property does not take the form "Policy": "arn:aws:*whatever*"
and only accepts a policy document in JSON form as the API Gateway's resource-based policy.
References:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-policy
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html
You can find the documentation here.
Policy
A policy document that contains the permissions for the RestApi resource. To set the ARN for the policy,use the !Join intrinsic function with "" as delimiter and values of "execute-api:/" and "*".
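Since the Policy property has to be an inline document, one way to reuse the same VPC-only policy across several REST APIs is to build the document once and stamp it into every RestApi resource when the template is generated. This is an added example (Python, not from the question or the AWS docs); the VPC ID and API names are constructed placeholders, and is_vpc_restricted is a hypothetical review check that flags a RestApi that is not PRIVATE or whose Allow statements lack an aws:SourceVpc condition.

```python
# Constructed sample values (not from the question): one VPC and two API names.
SAMPLE_VPC = "vpc-000000000000"
SAMPLE_APIS = {"ApiFooBar": "api-foo-bar", "ApiBaz": "api-baz"}


def private_api_policy(vpc_id):
    # The same resource-based policy as in the question, built in one place
    # so every RestApi in the template embeds an identical document.
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["execute-api:Invoke"],
            "Resource": "execute-api:/*",
            "Condition": {"StringEquals": {"aws:SourceVpc": vpc_id}},
        }],
    }


def rest_api_resource(name, policy):
    # A PRIVATE endpoint with the policy inlined, as the Policy property requires.
    return {
        "Type": "AWS::ApiGateway::RestApi",
        "Properties": {
            "Name": name,
            "EndpointConfiguration": {"Types": ["PRIVATE"]},
            "Policy": policy,
        },
    }


def build_template(apis, vpc_id):
    # apis maps CloudFormation logical IDs to API names; one policy document is shared.
    policy = private_api_policy(vpc_id)
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {lid: rest_api_resource(n, policy) for lid, n in apis.items()}}


def is_vpc_restricted(resource):
    # Hypothetical review guard: PRIVATE endpoint, and every Allow statement
    # conditioned on aws:SourceVpc. Returns False for anything looser.
    props = resource.get("Properties", {})
    if props.get("EndpointConfiguration", {}).get("Types") != ["PRIVATE"]:
        return False
    statements = props.get("Policy", {}).get("Statement", [])
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    return bool(allows) and all(
        "aws:SourceVpc" in s.get("Condition", {}).get("StringEquals", {}) for s in allows)
```

Calling build_template(SAMPLE_APIS, SAMPLE_VPC) yields a template whose two RestApi resources carry identical inline policies, which is the closest CloudFormation gets to "reusing" a resource-based policy.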