API Gateway Resource Policy

[brettstack]

Resources:

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies.html

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-policy

Amazon API Gateway resource policies are JSON policy documents that you attach to an API to control whether a specified principal (typically an IAM user or role) can invoke the API. You can use API Gateway resource policies to allow your API to be securely invoked by:

• users from a specified AWS account

• specified source IP address ranges or CIDR blocks

• specified virtual private clouds (VPCs) or VPC endpoints (in any account)

Resources:
  MyApi:
    Type: AWS::Serverless::Api
    Properties:
      ...
      Auth:
        ResourcePolicy:
          # IAM-based policies
          IAMAllowlist: [
          '123456789012:role/myRole',
          '${AWS::AccountId}:user/myUser',
          '123456789012:root',
          '123456789012:*'
          ],
          IAMDenylist: [],

          # IP-based policies
          IpAllowlist: ['12.123.234.213'],
          IpDenylist: [],

          # VPC-based policies
          SourceVpcAllowlist: ['vpc-ab1234cd'],
          SourceVpcDenylist: []

          # Custom statements. These must be actual Resource Policy Statements.
          CustomStatements: [{
            Action: 'execute-api:Invoke', # Optional; Default: execute-api:Invoke
            Resource: ['execute-api:/*/*/*'], # Optional; constructed based on Stagename, Path, and Method.
            ... # Additional properties get passed through to the resulting statement
          }]

  MyFn:
    Type: AWS::Serverless::Function
    Properties:
      Events:
        GetRoot:
          Type: Api
          Properties:
            Auth:
              ResourcePolicy:
                ... # Same as above; the Statement Resource will be created differently when defined here (i.e. it will use the Method and Path)

When Auth.ResourcePolicy is set on an API Event, the Path and Method of the Event will be used to construct the Resource. When Auth.ResourcePolicy is set on an API resource, the Path and Method parts of Resource will be *; that is, the policy will apply to the entire API. For the Stage part of Resource, we can inject the StageName, however, we do need to consider how we will make it work when we implement multi-stage support.

Note that Event ResourcePolicy and API Resource ResourcePolicy are combined to create the final ResourcePolicy.

[SanderKnape]

What is the status of implementing this feature? We could really use this to start working with private API Gateway endpoints.

[bigunyak]

Just stumbled on this problem as well. Had to use x-amazon-apigateway-policy extension to get my API Gateway resource policies work.

[tkeeber]

Anyone update on this one? Trying to grant access to a API Gateway using a IP whitelist is overly difficult right now.

[createdon2003]

Just stumbled on this problem as well. Had to use x-amazon-apigateway-policy extension to get my API Gateway resource policies work.

Can you share your SAM template with x-amazon-apigateway-policy in it. I am facing difficulty in getting it to work. For some reason final cloud formation does not have any resource policy attached.

[spezam]

@createdon2003, it should be something like this:

  anAPI:
    Type: AWS::Serverless::Api
    Properties:
      Name: an-api
      StageName: api
      EndpointConfiguration: PRIVATE
      DefinitionBody:
        swagger: 2.0
        info:
          title: !Ref AWS::StackName
        x-amazon-apigateway-policy:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal:
                AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
              Action:
                - "execute-api:Invoke"
              Resource: !Sub "arn:aws:execute-api:eu-west-1:${AWS::AccountId}:vc9kk3ltoi/*"
              Condition:
                StringEquals:
                  aws:sourceVpce: !Ref VpcEndpoint
        paths:
...

[verzac]

Hi team, any update on this one? Is it still RFC? Keen on having resource policies as part of SAM templates.

This would be especially useful for us because we want to have a custom WAF in front of our API GW, and would like to have our API GW only accept traffic from that WAF.

[brettstack]

As a first pass for this feature, we should just do the Auth.ResourcePolicy.CustomStatements implementation. The [IAM|Ip|SourceVpc][Allow|Deny]List features are syntactic sugar. This would be a good first issue.

1. Check if ResourcePolicy property exists on Authlike we do here for checking Authorizers https://github.com/awslabs/serverless-application-model/blob/cbd4d9ad40a71b838f1e72b3b960689f30890bf9/samtranslator/model/api/api_generator.py#L242. If it exists, call swagger_editor.add_resource_policy(resource_policy)
2. Add add_resource_policy method here https://github.com/awslabs/serverless-application-model/blob/cbd4d9ad40a71b838f1e72b3b960689f30890bf9/samtranslator/swagger/swagger.py#L289. This should check if CustomStatements exists on resource_policy and that it is an Array (bonus points for allowing both an Array of Dict or a single Dict (use case where you just want to define a single Statement)). After that validation, add the statements to self._doc["x-amazon-apigateway-policy"].Statement and set Version: "2012-10-17"

[markstos]

Is there a workaround if this feature is not available? I want to use serverless to publish a Lambda/API-Gateway pair that can only be called some specific security groups in my VPC.