Amazon web services 如何使用cloudformation创建专用AWS Api网关？_Amazon Web Services_Amazon Cloudformation_Aws Api Gateway

Amazon web services 如何使用cloudformation创建专用AWS Api网关？

amazon-web-services amazon-cloudformation

Amazon web services 如何使用cloudformation创建专用AWS Api网关？,amazon-web-services,amazon-cloudformation,aws-api-gateway,Amazon Web Services,Amazon Cloudformation,Aws Api Gateway,我正在尝试创建专用类型的AWS API网关，这需要一个资源策略，因为我可以从AWS控制台创建网关，我想知道如何通过CF模板添加资源策略- 以下是资源策略的夸张定义- x-amazon-apigateway-policy: Version: "2012-10-17" Statement: - Effect: "Deny" Principal: "*" Action: "execute-api:Invoke" Resource: "arn:aws:execut

我正在尝试创建专用类型的AWS API网关，
这需要一个资源策略，因为我可以从AWS控制台创建网关，
我想知道如何通过CF模板添加资源策略-

以下是资源策略的夸张定义-

x-amazon-apigateway-policy:
  Version: "2012-10-17"
  Statement:
  - Effect: "Deny"
    Principal: "*"
    Action: "execute-api:Invoke"
    Resource: "arn:aws:execute-api:us-east-1:awsAccountId:xxxx/*/*/*"
    Condition:
      StringNotEquals:
        aws:sourceVpc: "vpc-xxxxx"
  - Effect: "Allow"
    Principal: "*"
    Action: "execute-api:Invoke"
    Resource: "arn:aws:execute-api:us-east-1:xxxx:xxxx/*/*/*"

AWSTemplateFormatVersion: 2010-09-09
Transform: 'AWS::Serverless-2016-10-31'
Description: G2G Api Template Stack

Resources:
   g2gPrivate:
    Type: 'AWS::ApiGateway::RestApi'
    Properties:
      Name: 'private-gw'
      EndpointConfiguration:
        Types:
          - PRIVATE

如何在CF模板中配置它-

x-amazon-apigateway-policy:
  Version: "2012-10-17"
  Statement:
  - Effect: "Deny"
    Principal: "*"
    Action: "execute-api:Invoke"
    Resource: "arn:aws:execute-api:us-east-1:awsAccountId:xxxx/*/*/*"
    Condition:
      StringNotEquals:
        aws:sourceVpc: "vpc-xxxxx"
  - Effect: "Allow"
    Principal: "*"
    Action: "execute-api:Invoke"
    Resource: "arn:aws:execute-api:us-east-1:xxxx:xxxx/*/*/*"

AWSTemplateFormatVersion: 2010-09-09
Transform: 'AWS::Serverless-2016-10-31'
Description: G2G Api Template Stack

Resources:
   g2gPrivate:
    Type: 'AWS::ApiGateway::RestApi'
    Properties:
      Name: 'private-gw'
      EndpointConfiguration:
        Types:
          - PRIVATE

参考-

您需要在与

名称

相同级别的键下提供策略（称为

策略

）

这需要以JSON格式提供

类似于

AWSTemplateFormatVersion: 2010-09-09
Transform: 'AWS::Serverless-2016-10-31'
Description: G2G Api Template Stack

Resources:
   g2gPrivate:
    Type: 'AWS::ApiGateway::RestApi'
    Properties:
      Name: 'private-gw'
      EndpointConfiguration:
        Types:
          - PRIVATE
      Policy: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Deny",
              "Principal": "*",
              "Action": "execute-api:Invoke",
              "Resource": "arn:aws:execute-api:us-east-1:${AWS::AccountId}:*/*/*/*",
              "Condition": {
                "StringNotEquals": {
                  "aws:sourceVpc": "vpc-xxxxx"
                }
              }
            },
            {
              "Effect": "Allow",
              "Principal": "*",
              "Action": "execute-api:Invoke",
              "Resource": "arn:aws:execute-api:us-east-1:${AWS::AccountId}:*/*/*/*"
            }
          ]
        }

如何在策略JSON中引用AWS AccountId和APIGateway？是否有方法使用Sub！来获取AWSAccountId，以及如何在JSON中引用同一网关的Id？是的，您可以使用！Sub。我已经更新了示例以使其正常工作。这里的一个小问题是，在策略中，

资源

属性需要APID

xxxx

part是API ID，因此在这个场景中，我需要首先创建网关，然后使用您共享的策略示例修改相同的资源吗？您可以使用通配符“*”例如

Arn:aws:execute API:us-east-1:${aws:：AccountId}，而不是在Arn中支持APID：*/*/*/*

这将是安全的，因为该策略与此API网关明确关联。不用担心。是的，我已经在CloudFormation和API网关方面做了一段时间了。它大部分都很好，但有时相当令人沮丧！