Resource Policy Gateway - IAM

Problem description

I've set up the following Resource Policy in my AWS API Gateway to whitelist an IP range:

The policy is working properly; however, now I have to apply the same policy to some Gateways (not all of them) within the same account, and potentially in the future I will need to include more IPs in that list, so I will need to modify the resource policy in the Gateways one by one.

In order to fix that, I want to set up a policy in IAM and apply that policy to some gateways. I've created the following policy in IAM:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "35.192.0.0/12"
                }
            }
        }
    ]
}

However, I cannot find a way to attach it to the Gateways. I've tried to set up a role, but the API Gateway service does not allow me to attach that policy.

Is there any way to create an IP whitelist policy and attach it to some gateways at once? Basically, I'm looking for a way to modify the IP whitelist in one place and apply it dynamically to some of my gateways.

Thanks

Recommended answer

The policy for API Gateway is a resource policy; the IAM policy can only be attached to users, groups and roles.

You will need to apply this to each API Gateway's resource policy; if you want to reuse it, try looking at IaC.
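One way to keep the allowlist in a single place and push it to selected gateways, as an added example that is not part of the original question or answer: the script validates the CIDR list, renders it as a resource policy, and writes that policy to each listed REST API. It assumes REST APIs managed through boto3; the API IDs and stage name passed in are placeholders, and `"Principal": "*"` and the `execute-api:/*` resource are added here because a resource policy needs a principal.

```python
import ipaddress
import json

# Single source of truth for the allowlist (the CIDR from the question).
ALLOWED_CIDRS = ["35.192.0.0/12"]


def build_resource_policy(cidrs):
    """Render an IP allowlist as an API Gateway resource policy (JSON string)."""
    if not cidrs:
        raise ValueError("refusing to build a policy with an empty allowlist")
    # strict=True rejects entries with host bits set, e.g. 35.192.0.1/12,
    # so a typo fails here instead of silently changing the allowed range.
    nets = sorted({ipaddress.ip_network(c, strict=True) for c in cidrs}, key=str)
    for net in nets:
        if net.prefixlen == 0:
            raise ValueError(f"{net} would allow every source address")
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",  # assumption: required in a resource policy
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/*",
            "Condition": {"IpAddress": {"aws:SourceIp": [str(n) for n in nets]}},
        }],
    }
    return json.dumps(policy, sort_keys=True)


def apply_policy(api_ids, stage, cidrs, client=None):
    """Write the same policy to each listed REST API, then redeploy the stage."""
    if client is None:
        import boto3  # imported lazily so the builder runs without AWS access
        client = boto3.client("apigateway")
    policy = build_resource_policy(cidrs)
    for api_id in api_ids:
        client.update_rest_api(
            restApiId=api_id,
            patchOperations=[{"op": "replace", "path": "/policy", "value": policy}],
        )
        # An updated resource policy only takes effect after a new deployment.
        client.create_deployment(restApiId=api_id, stageName=stage)
    return policy
```

Only the gateways whose IDs are passed to `apply_policy` are changed, so the subset that shares the allowlist is itself a reviewable list.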
