Create and attach a policy to a user
To enable a user to call the API managing service or the API execution service, you must create an IAM policy that controls access to the API Gateway entities.
To use the JSON policy editor to create a policy
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane on the left, choose Policies.
  If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.
- At the top of the page, choose Create policy.
- In the Policy editor section, choose the JSON option.
- Enter the following JSON policy document:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["action-statement"],
        "Resource": ["resource-statement"]
      },
      {
        "Effect": "Allow",
        "Action": ["action-statement"],
        "Resource": ["resource-statement"]
      }
    ]
  }
- Choose Next.
  Note
  You can switch between the Visual and JSON editor options anytime. However, if you make changes or choose Next in the Visual editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see Policy restructuring in the IAM User Guide.
- On the Review and create page, enter a Policy name and a Description (optional) for the policy that you are creating. Review Permissions defined in this policy to see the permissions that are granted by your policy.
- Choose Create policy to save your new policy.
In this policy document, substitute action-statement and resource-statement as needed, and add other statements to specify the API Gateway entities you want to allow the user to manage, the API methods the user can call, or both. By default, the user has no permissions unless there is an explicit corresponding Allow statement.
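As an added example (not code from the AWS documentation), the following Python builds a policy document in the shape shown above, filling action-statement and resource-statement once for the API managing service (apigateway:GET on one REST API) and once for the API execution service (execute-api:Invoke on one method), then lints the result for wildcard grants that would undercut the explicit-Allow-only default. The region, account ID and API ID in the sample ARNs are constructed placeholders.

```python
import json

POLICY_VERSION = "2012-10-17"

def build_policy(statements):
    """Build a policy document in the shape shown above: one Allow statement
    per (actions, resources) pair, filling the action-statement and
    resource-statement slots."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {"Effect": "Allow", "Action": list(actions), "Resource": list(resources)}
            for actions, resources in statements
        ],
    }

def lint_policy(policy):
    """Return findings for an Allow that grants more than intended: wrong policy
    version, wildcard ('*' or 'service:*') actions, or '*' resources."""
    findings = []
    if policy.get("Version") != POLICY_VERSION:
        findings.append(f"Version must be {POLICY_VERSION}")
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        # IAM accepts a bare string or a list for both fields; normalise to lists.
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for resource in resources:
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource")
    return findings

# Constructed sample: read-only management of one REST API plus invoking one
# method on its prod stage. Region, account ID and API ID are placeholders.
API_GATEWAY_STATEMENTS = [
    (["apigateway:GET"], ["arn:aws:apigateway:us-east-1::/restapis/a1b2c3d4e5/*"]),
    (["execute-api:Invoke"],
     ["arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/GET/pets"]),
]

if __name__ == "__main__":
    policy = build_policy(API_GATEWAY_STATEMENTS)
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy))  # findings: []
```

Paste the printed JSON into the policy editor step above; a non-empty findings list is the signal to narrow the statement before attaching it.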
You have just created an IAM policy. It won't have any effect until you attach it.
To provide access, add permissions to your users, groups, or roles:
- Users and groups in AWS IAM Identity Center: create a permission set. Follow the instructions in Create a permission set in the AWS IAM Identity Center User Guide.
- Users managed in IAM through an identity provider: create a role for identity federation. Follow the instructions in Creating a role for a third-party identity provider (federation) in the IAM User Guide.
- IAM users:
  - Create a role that your user can assume. Follow the instructions in Creating a role for an IAM user in the IAM User Guide.
  - (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.
To attach an IAM policy document to an IAM group
- Choose Groups from the main navigation pane.
- Choose the Permissions tab under the chosen group.
- Choose Attach policy.
- Choose the policy document that you previously created, and then choose Attach policy.
For API Gateway to call other AWS services on your behalf, create an IAM role of the Amazon API Gateway type.
To create an Amazon API Gateway type of role
- Choose Roles from the main navigation pane.
- Choose Create New Role.
- Type a name for Role name and then choose Next Step.
- Under Select Role Type, in AWS Service Roles, choose Select next to Amazon API Gateway.
- Under Attach Policy, choose an available managed IAM permissions policy (for example, AmazonAPIGatewayPushToCloudWatchLogs if you want API Gateway to log metrics in CloudWatch), and then choose Next Step.
- Under Trusted Entities, verify that apigateway.amazonaws.com is listed as an entry, and then choose Create Role.
- In the newly created role, choose the Permissions tab and then choose Attach Policy.
- Choose the previously created custom IAM policy document and then choose Attach Policy.