Control access to WebSocket APIs with IAM authorization

IAM authorization in WebSocket APIs is similar to that for REST APIs, with the following exceptions:

The execute-api action supports ManageConnections in addition to existing actions (Invoke, InvalidateCache). ManageConnections controls access to the @connections API.

WebSocket routes use a different ARN format:


arn:aws:execute-api:region:account-id:api-id/stage-name/route-key

The @connections API uses the same ARN format as REST APIs:
```
arn:aws:execute-api:region:account-id:api-id/stage-name/POST/@connections
```

Important

When you use IAM authorization, you must sign requests with Signature Version 4 (SigV4).

For example, you could set up the following policy to the client. This example allows everyone to send a message (Invoke) for all routes except for a secret route in the prod stage and prevents everyone from sending a message back to connected clients (ManageConnections) for all stages.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"           
      ],
      "Resource": [
        "arn:aws:execute-api:us-east-1:account-id:api-id/prod/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "execute-api:Invoke"           
      ],
      "Resource": [
        "arn:aws:execute-api:us-east-1:account-id:api-id/prod/secret"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "execute-api:ManageConnections"           
      ],
      "Resource": [
        "arn:aws:execute-api:us-east-1:account-id:api-id/*"
      ]
    }
  ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Access control

Control access to WebSocket APIs with AWS Lambda REQUEST authorizers