In order to access the RestApi the request has to be signed by AWS IAM Credentials that have permissions to invoke (execute-api:Invoke) the API.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:eu-west-1:111111111111:abcd1234/dev/GET/x/example-provider/catnekaise/example-repo"
},
{
"Effect": "Allow",
"Action": "execute-api:Invoke",
"Resource": [
"arn:aws:execute-api:eu-west-1:111111111111:abcd1234/dev/GET/x/example-provider/catnekaise/example-repo-1",
"arn:aws:execute-api:eu-west-1:111111111111:abcd1234/dev/GET/x/example-provider/catnekaise/example-repo-2",
"arn:aws:execute-api:eu-west-1:111111111111:abcd1234/dev/GET/x/example-provider/catnekaise/example-repo-3"
]
},
{
"Effect": "Allow",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:eu-west-1:111111111111:abcd1234/dev/GET/x/example-provider/catnekaise/example-*"
}
]
}Given the following attributes:
- TokenProviderEndpointType is
DEFAULT - RestApi deployed in the
eu-west-1AWS Region - AWS Account Id is
111111111111 - RestApi Id
abcd1234 - RestApi Stage Name
dev - Token Provider name
example-provider - Path Parameter
{owner} - Path Parameter
{repo}
Access should be granted for the action execute-api:Invoke to the ARN: arn:aws:execute-api:<region>:<account>:<apiId>/<stageName>/GET/x/<providerName>/<owner>/<repo>, for example arn:aws:execute-api:eu-west-1:111111111111:abcd1234/dev/GET/x/example-provider/catnekaise/example-repo.
Base ARN: arn:aws:execute-api:eu-west-1:111111111111:abcd1234/dev/GET
| Resource appended to Base ARN | Allows Org | Allows Repo |
|---|---|---|
| /x/example-provider/catnekaise/example-repo | catnekaise | example-repo |
| /x/example-provider/catnekaise/* | catnekaise | Any repo |
| /x/example-provider/catnekaise/example-* | catnekaise | Repos starting with name example- |
| /x/example-provider/* | Any Org | Any Repo |
| Resource appended to Base ARN | Allows Org | Comment |
|---|---|---|
| /x/example-provider/catnekaise | catnekaise | |
| /x/example-provider/* | Any Org | |
| /x/example-provider/catnekaise/* | No Access | 404 Not Found |
| /x/example-provider// | No Access | 404 Not Found |
When not providing a value for owner or repo, then * is used as the default value for both. A warning will be annotated when the TokenProviderEndpointType is DEFAULT and neither owner or repo has been defined.
import { ITokenProvider } from '@catnekaise/ghrawel';
declare const provider: ITokenProvider;
declare const role: iam.Role;
// A warning is annotated
provider.grantExecute(role);
// No warning is annotated
provider.grantExecute(role, '*');
provider.grantExecute(role, 'catnekaise');
// creates 3 ARNs
provider.grantExecute(role, 'catnekaise', 'example-repo-1', 'example-repo-2', 'example-repo-3');
provider.grantExecute(role, 'catnekaise', 'example-*');When not providing a value for owner, then * is used as the default value. No warning is annotated.
import { ITokenProvider } from '@catnekaise/ghrawel';
declare const provider: ITokenProvider;
declare const role: iam.Role;
provider.grantExecute(role);
provider.grantExecute(role, 'catnekaise');
// Throws error as there's no `{repo}` path parameter
provider.grantExecute(role, 'catnekaise', 'example-repo');Owner endpoints allow specifying one or more repositories via the query string parameter repo. It's not possible to use AWS IAM to specify which repositories are allowed in the query parameter.