Amazon web services 如何使用cloudformation创建专用AWS Api网关?
我正在尝试创建专用类型的AWS API网关,Amazon web services 如何使用cloudformation创建专用AWS Api网关?,amazon-web-services,amazon-cloudformation,aws-api-gateway,Amazon Web Services,Amazon Cloudformation,Aws Api Gateway,我正在尝试创建专用类型的AWS API网关, 这需要一个资源策略,因为我可以从AWS控制台创建网关, 我想知道如何通过CF模板添加资源策略- 以下是资源策略的夸张定义- x-amazon-apigateway-policy: Version: "2012-10-17" Statement: - Effect: "Deny" Principal: "*" Action: "execute-api:Invoke" Resource: "arn:aws:execut
这需要一个资源策略,因为我可以从AWS控制台创建网关,
我想知道如何通过CF模板添加资源策略- 以下是资源策略的夸张定义-
x-amazon-apigateway-policy:
Version: "2012-10-17"
Statement:
- Effect: "Deny"
Principal: "*"
Action: "execute-api:Invoke"
Resource: "arn:aws:execute-api:us-east-1:awsAccountId:xxxx/*/*/*"
Condition:
StringNotEquals:
aws:sourceVpc: "vpc-xxxxx"
- Effect: "Allow"
Principal: "*"
Action: "execute-api:Invoke"
Resource: "arn:aws:execute-api:us-east-1:xxxx:xxxx/*/*/*"
AWSTemplateFormatVersion: 2010-09-09
Transform: 'AWS::Serverless-2016-10-31'
Description: G2G Api Template Stack
Resources:
g2gPrivate:
Type: 'AWS::ApiGateway::RestApi'
Properties:
Name: 'private-gw'
EndpointConfiguration:
Types:
- PRIVATE
如何在CF模板中配置它-
x-amazon-apigateway-policy:
Version: "2012-10-17"
Statement:
- Effect: "Deny"
Principal: "*"
Action: "execute-api:Invoke"
Resource: "arn:aws:execute-api:us-east-1:awsAccountId:xxxx/*/*/*"
Condition:
StringNotEquals:
aws:sourceVpc: "vpc-xxxxx"
- Effect: "Allow"
Principal: "*"
Action: "execute-api:Invoke"
Resource: "arn:aws:execute-api:us-east-1:xxxx:xxxx/*/*/*"
AWSTemplateFormatVersion: 2010-09-09
Transform: 'AWS::Serverless-2016-10-31'
Description: G2G Api Template Stack
Resources:
g2gPrivate:
Type: 'AWS::ApiGateway::RestApi'
Properties:
Name: 'private-gw'
EndpointConfiguration:
Types:
- PRIVATE
参考-您需要在与
名称
相同级别的键下提供策略(称为策略
)
这需要以JSON格式提供
类似于
AWSTemplateFormatVersion: 2010-09-09
Transform: 'AWS::Serverless-2016-10-31'
Description: G2G Api Template Stack
Resources:
g2gPrivate:
Type: 'AWS::ApiGateway::RestApi'
Properties:
Name: 'private-gw'
EndpointConfiguration:
Types:
- PRIVATE
Policy: !Sub |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-east-1:${AWS::AccountId}:*/*/*/*",
"Condition": {
"StringNotEquals": {
"aws:sourceVpc": "vpc-xxxxx"
}
}
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-east-1:${AWS::AccountId}:*/*/*/*"
}
]
}
如何在策略JSON中引用AWS AccountId和APIGateway?是否有方法使用Sub!来获取AWSAccountId,以及如何在JSON中引用同一网关的Id?是的,您可以使用!Sub。我已经更新了示例以使其正常工作。这里的一个小问题是,在策略中,
资源
属性需要APIDxxxx
part是API ID,因此在这个场景中,我需要首先创建网关,然后使用您共享的策略示例修改相同的资源吗?您可以使用通配符“*”例如Arn:aws:execute API:us-east-1:${aws::AccountId},而不是在Arn中支持APID:*/*/*/*
这将是安全的,因为该策略与此API网关明确关联。不用担心。是的,我已经在CloudFormation和API网关方面做了一段时间了。它大部分都很好,但有时相当令人沮丧!