Create and attach a policy to a user - Amazon API Gateway

Create and attach a policy to a user

To enable a user to call the API managing service or the API execution service, you must create an IAM policy that controls access to the API Gateway entities.

To use the JSON policy editor to create a policy
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane on the left, choose Policies.

    If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.

  3. At the top of the page, choose Create policy.

  4. In the Policy editor section, choose the JSON option.

  5. Enter the following JSON policy document:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "action-statement" ],
          "Resource": [ "resource-statement" ]
        },
        {
          "Effect": "Allow",
          "Action": [ "action-statement" ],
          "Resource": [ "resource-statement" ]
        }
      ]
    }

  6. Choose Next.

    Note

    You can switch between the Visual and JSON editor options anytime. However, if you make changes or choose Next in the Visual editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see Policy restructuring in the IAM User Guide.

  7. On the Review and create page, enter a Policy name and a Description (optional) for the policy that you are creating. Review Permissions defined in this policy to see the permissions that are granted by your policy.

  8. Choose Create policy to save your new policy.

In this policy document, replace action-statement and resource-statement with the actions and resources you want to allow, and add further statements to specify the API Gateway entities the user may manage, the API methods the user may call, or both. By default the user has no permissions: each permission must be granted by an explicit, matching Allow statement.
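As an added example (not code from the AWS documentation page), the script below fills in the two placeholders from the policy above with one management-plane statement and one execution statement, and then evaluates requests against the result the way the page describes: no permission unless an Allow statement matches, and an explicit Deny always wins. The region, account id, API id, stage and all function names are assumptions chosen for illustration; the ARN shapes are the documented ones for the apigateway (management) and execute-api (invocation) services. The evaluator only models Action/Resource wildcard matching, not Condition, NotAction or NotResource.

```python
"""Build and sanity-check an API Gateway IAM identity policy (added example)."""
import fnmatch
import json

# Constructed sample values: not a real account, API or stage.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
API_ID = "a1b2c3d4e5"
STAGE = "prod"


def build_policy(region, account_id, api_id, stage):
    """Return the page's two-statement policy with the placeholders filled in.

    ManageApi lets the user read (GET) the management-plane entities of one API.
    InvokeApi lets the user call GET methods on one stage of that API.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ManageApi",
                "Effect": "Allow",
                "Action": ["apigateway:GET"],
                "Resource": [f"arn:aws:apigateway:{region}::/restapis/{api_id}/*"],
            },
            {
                "Sid": "InvokeApi",
                "Effect": "Allow",
                "Action": ["execute-api:Invoke"],
                "Resource": [
                    f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}/GET/*"
                ],
            },
        ],
    }


def policy_json(policy):
    """Serialise the policy for pasting into the JSON policy editor."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Minimal identity-policy evaluation.

    Statements whose Action and Resource patterns match the request are
    considered; an explicit Deny ends evaluation as denied, any Allow
    grants access, and with no matching statement the default is deny.
    '*' in a pattern matches any run of characters, including '/' and ':'.
    """
    decision = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in actions)
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in resources)
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    doc = build_policy(REGION, ACCOUNT_ID, API_ID, STAGE)
    print(policy_json(doc))
    invoke = f"arn:aws:execute-api:{REGION}:{ACCOUNT_ID}:{API_ID}/{STAGE}/GET/pets"
    print("invoke GET /pets on prod:", is_allowed(doc, "execute-api:Invoke", invoke))
```

Running the script prints the filled-in policy document and shows that a GET on the prod stage is allowed while a POST, a different stage, or a management action other than GET falls through to the implicit deny. Keep the resource ARNs as narrow as the sample shows; widening them to `*` is the most common way these policies end up granting far more than the one API they were written for.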

You have just created an IAM policy. It won't have any effect until you attach it.

To provide access, add permissions to your users, groups, or roles:

To attach an IAM policy document to an IAM group
  1. Choose Groups from the main navigation pane.

  2. Choose the Permissions tab under the chosen group.

  3. Choose Attach policy.

  4. Choose the policy document that you previously created, and then choose Attach policy.

For API Gateway to call other AWS services on your behalf, create an IAM role of the Amazon API Gateway type.

To create an Amazon API Gateway type of role
  1. Choose Roles from the main navigation pane.

  2. Choose Create New Role.

  3. Type a name for Role name and then choose Next Step.

  4. Under Select Role Type, in AWS Service Roles, choose Select next to Amazon API Gateway.

  5. Choose an available managed IAM permissions policy, for example, AmazonAPIGatewayPushToCloudWatchLog if you want API Gateway to log metrics in CloudWatch, under Attach Policy and then choose Next Step.

  6. Under Trusted Entities, verify that apigateway.amazonaws.com is listed as an entry, and then choose Create Role.

  7. In the newly created role, choose the Permissions tab and then choose Attach Policy.

  8. Choose the previously created custom IAM policy document and then choose Attach Policy.
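Step 6 above asks you to verify that apigateway.amazonaws.com is the trusted entity. As an added example (not code from the AWS documentation page), the script below encodes that check against a role's trust policy document: it lists every principal that may assume the role and reports whether the API Gateway service principal is present and nothing else is. The sample trust policy is constructed for illustration and the function names are assumptions; `sts:AssumeRole` and the Service/AWS/Federated principal keys are the standard IAM trust-policy elements.

```python
"""Verify the trust policy of an Amazon API Gateway service role (added example)."""
import fnmatch

API_GATEWAY_PRINCIPAL = "apigateway.amazonaws.com"

# Constructed sample trust policy: the shape an API Gateway type role carries.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": API_GATEWAY_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    # Trust policies accept a single string or a list for Action and principals.
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_policy):
    """Return the set of principals allowed to assume the role.

    Covers Service, AWS and Federated principals plus the wildcard
    principal "*"; Conditions are not evaluated, so the result is an
    upper bound on who can assume the role.
    """
    found = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add("*")
            continue
        for kind in ("Service", "AWS", "Federated"):
            found.update(_as_list(principal.get(kind, [])))
    return found


def check_api_gateway_trust(trust_policy):
    """Return (ok, unexpected).

    ok is True only when apigateway.amazonaws.com can assume the role and
    no other principal can; unexpected lists any extra principals found.
    """
    principals = trusted_principals(trust_policy)
    unexpected = sorted(principals - {API_GATEWAY_PRINCIPAL})
    return API_GATEWAY_PRINCIPAL in principals and not unexpected, unexpected


if __name__ == "__main__":
    ok, extra = check_api_gateway_trust(TRUST_POLICY)
    print("trusted by API Gateway only:", ok, "extra principals:", extra)
```

The same check can be run against the output of `aws iam get-role` before attaching the custom policy from the first procedure, since a role that a broader set of principals can assume hands that whole policy to each of them.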