AWS API Gateway ARN

Question

One of the things that drives me nuts is that AWS has loads of docs about the format of an ARN, but doesn't have any kind of generator to make you confident that the ARN is correct.

In IAM, I'm trying to set up a policy to allow access to an API Gateway and I've read the following docs about it:

• http://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html#api-gateway-control-access-using-iam-policies
• http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-apigateway
• http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.arn.html

But I can't get any ARN to validate, even just a wide open API Gateway ARN. See screenshot:

What am I doing wrong here?

Answer 1

From the documentation: To create an IAM policy using the Policy Generator in the IAM console, select Manage Amazon API Gateway as AWS Service to set permissions statements for apigateway and select Amazon API Gateway as AWS Service to set permission statements for execute-api.

If you are creating a policy to manage creating/editing your API, then you will need to select Manage - Amazon API Gateway and then use * to give permission for all resources. If you want to give permissions for specific resources, then use this format: (note that the service name is apigateway)

arn:aws:apigateway:region::resource-path-specifier.

If you are creating a policy to manage invoking your API, then you will need to select Amazon API Gateway and then use * to give permission for all resources. If you want to give permissions for specific resources, then use this format: (note that the service name is execute-api)

arn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-path-specifier.