amazon-web-services - 如何使用 cloudformation 创建私有 AWS Api 网关?
问题描述
我正在尝试创建 PRIVATE 类型的 AWS API 网关,
这需要一个资源策略,因为我能够从 AWS 控制台创建网关,
所以我想知道如何通过 CF 添加资源策略模板 -
以下是资源策略的大摇大摆定义 -
x-amazon-apigateway-policy:
Version: "2012-10-17"
Statement:
- Effect: "Deny"
Principal: "*"
Action: "execute-api:Invoke"
Resource: "arn:aws:execute-api:us-east-1:awsAccountId:xxxx/*/*/*"
Condition:
StringNotEquals:
aws:sourceVpc: "vpc-xxxxx"
- Effect: "Allow"
Principal: "*"
Action: "execute-api:Invoke"
Resource: "arn:aws:execute-api:us-east-1:xxxx:xxxx/*/*/*"
如何在 CF 模板中配置它 -
AWSTemplateFormatVersion: 2010-09-09
Transform: 'AWS::Serverless-2016-10-31'
Description: G2G Api Template Stack
Resources:
g2gPrivate:
Type: 'AWS::ApiGateway::RestApi'
Properties:
Name: 'private-gw'
EndpointConfiguration:
Types:
- PRIVATE
参考 -
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html
解决方案
您需要在密钥下提供策略(Policy与Name.
这需要以 JSON 格式提供。
就像是...
AWSTemplateFormatVersion: 2010-09-09
Transform: 'AWS::Serverless-2016-10-31'
Description: G2G Api Template Stack
Resources:
g2gPrivate:
Type: 'AWS::ApiGateway::RestApi'
Properties:
Name: 'private-gw'
EndpointConfiguration:
Types:
- PRIVATE
Policy: !Sub |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-east-1:${AWS::AccountId}:*/*/*/*",
"Condition": {
"StringNotEquals": {
"aws:sourceVpc": "vpc-xxxxx"
}
}
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-east-1:${AWS::AccountId}:*/*/*/*"
}
]
}
推荐阅读
- ios - URLSession downloadTask(with:) 创建多个文件下载
- javascript - Javascript InnerHtml 来自
- reactjs - 无法将反应应用程序部署到谷歌应用程序引擎
- angular - 只为包输出和运行测试构建一次 Angular 9 项目
- javascript - 在 Angular 中打开新项目时折叠已经消耗的项目
- google-calendar-api - Google 日历 API 将会议数据返回为待处理
- reactjs - 找不到模块:无法解析“react-table/react-table.css”
- google-drive-api - Google Colab 磁盘空间与 Google Drive 磁盘空间
- maven-2 - 父 Pom 获取子 Pom/依赖的版本
- anaconda - 无法使用模块 pdftotext 构建独立的 .exe