API Gateway Resource Policy #514
Comments
What is the status of implementing this feature? We could really use this to start working with private API Gateway endpoints.

Just stumbled on this problem as well. Had to use

Any update on this one? Trying to grant access to an API Gateway using an IP whitelist is overly difficult right now.

Can you share your SAM template with
@createdon2003, it should be something like this:

```yaml
anAPI:
  Type: AWS::Serverless::Api
  Properties:
    Name: an-api
    StageName: api
    EndpointConfiguration: PRIVATE
    DefinitionBody:
      swagger: "2.0"
      info:
        title: !Ref AWS::StackName
      # Resource policy embedded in the OpenAPI definition
      x-amazon-apigateway-policy:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action:
              - "execute-api:Invoke"
            Resource: !Sub "arn:aws:execute-api:eu-west-1:${AWS::AccountId}:vc9kk3ltoi/*"
            # Only accept calls arriving through this VPC endpoint
            Condition:
              StringEquals:
                aws:sourceVpce: !Ref VpcEndpoint
      paths:
        ...
```
Hi team, any update on this one? Is it still RFC? Keen on having resource policies as part of SAM templates. This would be especially useful for us because we want to have a custom WAF in front of our API GW, and would like to have our API GW only accept traffic from that WAF.

As a first pass for this feature, we should just do the

Is there a workaround if this feature is not available? I want to use

@markstos The current workaround is to hand-manage the swagger definition of the serverless API.

Also want to reiterate @brettstack's #514 (comment) that a first-pass fix of this issue is actually a pretty simple targeted fix. If someone from the community wants to step up and take it, that would be terrific!

@jlhood I'll take a look at this. At this point, I invested time in the

@markstos Thank you!
Getting set up just to contribute to this project is enough of a pain that I think I'll just give up on converting the server I had in mind to the serverless model. Here's a snapshot of what I experienced:

So I remove the directory and try again:

So: Catch-22! Whether I try to install

Meanwhile, Ubuntu provides a package which installs a binary that sounds like it would do the same, but isn't:

I'm on a deadline to update an Ubuntu 14.04 server to 18.04 before the April 17th EOL date, so it's unlikely I'll come back to this.
@markstos I'm sorry you had a bad experience trying to get set up to contribute to SAM. Did you follow the instructions in the Development Guide? That has detailed instructions on how to get set up. You shouldn't need to run

I have been using SAM for a couple of months and it's been great. I think this feature will be very useful in the development process of serverless applications.

@pablosjv By all means, we'd love for you to contribute! @brettstack summarized the 1st pass changes needed to support this feature in this comment: #514 (comment) Follow the development guide to get set up and we look forward to reviewing your PR! 😊
Thank you much for the excellent framework and tooling! My team has a project where we are implementing a private REST API. We recently considered the benefits and drawbacks available via the swagger/openapi import definition model and the definition of our API directly using the AWS::Serverless::Function definition and having SAM render the API gateway via the implicit logic. We decided to go the AWS::Serverless::Function definition route. To work around this issue, we added CI/CD logic to render a resource policy and using an API Gateway

Since last week (I believe May 9th 2019), in us-west-1, when running new test environment deployments, I found that the workaround of applying a resource policy after deployment is not viable there, because CloudFormation enforces that a resource policy must have a resource policy configured to complete deployment. I don't see the same behavior in us-east-1 or us-east-2. As an example, if I use the SAM CLI and init a new SAM project, and add these 2 lines to the default template.yaml Globals section:

when I run a deployment of that default template (altered to configure a private API) to us-west-1 the create stack reaches a rollback complete with the initial error event being:

@BaconAndEggs Thank you for reporting this issue! I created a new issue out of your comment, please post in #925 if you see any additional errors. We will see if we can find out any more information about this issue.

I got it to work like this: https://serverless.com/framework/docs/providers/aws/events/apigateway#resource-policy

Closing this issue as v1.15.0 is released
Resources:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-policy
Amazon API Gateway resource policies are JSON policy documents that you attach to an API to control whether a specified principal (typically an IAM user or role) can invoke the API. You can use API Gateway resource policies to allow your API to be securely invoked by:
users from a specified AWS account
specified source IP address ranges or CIDR blocks
specified virtual private clouds (VPCs) or VPC endpoints (in any account)
When `Auth.ResourcePolicy` is set on an API Event, the `Path` and `Method` of the Event will be used to construct the `Resource`. When `Auth.ResourcePolicy` is set on an API resource, the `Path` and `Method` parts of `Resource` will be `*`; that is, the policy will apply to the entire API. For the Stage part of `Resource`, we can inject the `StageName`; however, we do need to consider how we will make it work when we implement multi-stage support. Note that the Event `ResourcePolicy` and the API Resource `ResourcePolicy` are combined to create the final `ResourcePolicy`.