Create and attach an API Gateway resource policy to an API - Amazon API Gateway

Create and attach an API Gateway resource policy to an API

To allow a user to access your API by calling the API execution service, you must create an API Gateway resource policy, which controls access to the API Gateway resources, and attach the policy to the API.

Important

To update an API Gateway resource policy, you'll need to have apigateway:UpdateRestApiPolicy permission in addition to apigateway:PATCH permission.

The resource policy can be attached to the API when the API is being created, or it can be attached afterwards. For private APIs, note that until you attach the resource policy to the private API, all calls to the API will fail.

Important

If you update the resource policy after the API is created, you'll need to deploy the API to propagate the changes after you've attached the updated policy. Updating or saving the policy alone won't change the runtime behavior of the API. For more information about deploying your API, see Deploying a REST API in Amazon API Gateway.

You can control access by IAM condition elements, including conditions on AWS accounts, source VPCs, source VPC endpoints, or IP ranges. If you set the Principal in the policy to "*", you can use other authorization types alongside the resource policy.

However, if you set the Principal to an AWS principal, such as the following:

    "Principal": { "AWS": "arn:aws:iam..." }

then authorization fails for all resources not secured with AWS_IAM authorization, including unsecured resources.

The following sections describe how to create your own API Gateway resource policy and attach it to your API. Attaching a policy applies the permissions in the policy to the methods in the API.

Important

If you use the API Gateway console to attach a resource policy to a deployed API, or if you update an existing resource policy, you'll need to redeploy the API in the console for the changes to take effect.

Attaching API Gateway resource policies (console)

You can use the AWS Management console to attach a resource policy to an API Gateway API.

To attach a resource policy to an API Gateway API
  1. Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway.

  2. Choose a REST API.

  3. In the main navigation pane, choose Resource policy.

  4. Choose Create policy.

  5. (Optional) Choose Select a template to generate an example policy.

    In the example policies, placeholders are enclosed in double curly braces ("{{placeholder}}"). Replace each of the placeholders, including the curly braces, with the necessary information.

  6. If you don't use one of the template examples, enter your resource policy.

  7. Choose Save changes.

If the API has been deployed previously in the API Gateway console, you'll need to redeploy it for the resource policy to take effect.

Attaching API Gateway resource policies (AWS CLI)

To use the AWS CLI to create a new API and attach a resource policy to it, call the create-rest-api command as follows:

    aws apigateway create-rest-api \
        --name "api-name" \
        --policy "{\"jsonEscapedPolicyDocument\"}"

To use the AWS CLI to attach a resource policy to an existing API, call the update-rest-api command as follows:

    aws apigateway update-rest-api \
        --rest-api-id api-id \
        --patch-operations op=replace,path=/policy,value='"{\"jsonEscapedPolicyDocument\"}"'
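The same attach-then-deploy sequence in Python, as an added example that is not part of the AWS documentation: it builds the source-IP deny policy used in the CloudFormation section, produces both the boto3 patchOperations payload and the escaped CLI shorthand shown above, checks for the Principal caveat described earlier, and creates a deployment so the policy actually takes effect. The API ID, stage name and CIDR ranges are constructed placeholders, and the boto3 apigateway client is assumed to be created by the caller.

```python
import json
from typing import Any

# Constructed sample values; replace with your own API ID, stage and CIDR ranges.
API_ID = "abcdef1234"  # placeholder REST API ID
STAGE_NAME = "test"
BLOCKED_CIDRS = ["192.0.2.0/24", "198.51.100.0/24"]  # documentation ranges, as on this page


def build_deny_source_ip_policy(blocked_cidrs: list[str]) -> dict[str, Any]:
    """Allow everyone to invoke, then deny the listed source IP ranges.
    Principal stays "*" so other authorizers keep working alongside the policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": "execute-api/*"},
            {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": "execute-api/*",
             "Condition": {"IpAddress": {"aws:SourceIp": list(blocked_cidrs)}}},
        ],
    }


def uses_aws_principal(policy: dict[str, Any]) -> bool:
    """True if any statement names an AWS principal instead of "*"; with such a policy,
    every method not secured with AWS_IAM authorization is denied."""
    return any(isinstance(s.get("Principal"), dict) and "AWS" in s["Principal"]
               for s in policy["Statement"])


def policy_patch_operations(policy: dict[str, Any]) -> list[dict[str, str]]:
    """patchOperations payload for update-rest-api: the policy as a compact JSON string."""
    return [{"op": "replace", "path": "/policy",
             "value": json.dumps(policy, separators=(",", ":"))}]


def policy_from_patch_operations(ops: list[dict[str, str]]) -> dict[str, Any]:
    """Decode the value back, to check what is actually being sent."""
    return json.loads(ops[0]["value"])


def cli_patch_operations_arg(policy: dict[str, Any]) -> str:
    """The CLI shorthand: the value is a JSON string literal, so inner quotes are escaped."""
    compact = json.dumps(policy, separators=(",", ":"))
    return f"op=replace,path=/policy,value='{json.dumps(compact)}'"


def attach_and_deploy(client: Any, api_id: str, policy: dict[str, Any], stage: str) -> None:
    """client is an assumed boto3 'apigateway' client. Updating the policy alone does not
    change runtime behaviour, so a deployment to the stage follows the update."""
    if uses_aws_principal(policy):
        print("warning: AWS principal set; methods without AWS_IAM authorization will fail")
    client.update_rest_api(restApiId=api_id, patchOperations=policy_patch_operations(policy))
    client.create_deployment(restApiId=api_id, stageName=stage)
```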

Attaching API Gateway resource policies (AWS CloudFormation)

You can use AWS CloudFormation to create an API with a resource policy. The following example creates a REST API with the example resource policy, Example: Deny API traffic based on source IP address or range.

    AWSTemplateFormatVersion: 2010-09-09
    Resources:
      Api:
        Type: 'AWS::ApiGateway::RestApi'
        Properties:
          Name: testapi
          Policy:
            Statement:
              - Action: 'execute-api:Invoke'
                Effect: Allow
                Principal: '*'
                Resource: 'execute-api/*'
              - Action: 'execute-api:Invoke'
                Effect: Deny
                Principal: '*'
                Resource: 'execute-api/*'
                Condition:
                  IpAddress:
                    'aws:SourceIp': ["192.0.2.0/24", "198.51.100.0/24" ]
            Version: 2012-10-17
      Resource:
        Type: 'AWS::ApiGateway::Resource'
        Properties:
          RestApiId: !Ref Api
          ParentId: !GetAtt Api.RootResourceId
          PathPart: 'helloworld'
      MethodGet:
        Type: 'AWS::ApiGateway::Method'
        Properties:
          RestApiId: !Ref Api
          ResourceId: !Ref Resource
          HttpMethod: GET
          ApiKeyRequired: false
          AuthorizationType: NONE
          Integration:
            Type: MOCK
      ApiDeployment:
        Type: 'AWS::ApiGateway::Deployment'
        DependsOn:
          - MethodGet
        Properties:
          RestApiId: !Ref Api
          StageName: test