awsdocs/iam-user-guide

Missing Actions and Resources for API Gateway

Closed this issue · 1 comments

Actions, Resources, and Condition Keys for Amazon API Gateway documentation (list_amazonapigateway.md) is missing the execute-api:ManageConnections IAM action. See https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-control-access-iam.html for more information.

In addition, the "Actions, Resources, and Condition Keys for Manage Amazon API Gateway" is missing all of the various API Gateway resources and their related actions. For example:

  • apikey: arn:${Partition}:apigateway:${Region}::/apikeys/${ApiKey}
  • authorizer: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/authorizers/${AuthorizerId}
  • basepathmapping: arn:${Partition}:apigateway:${Region}::/domainnames/${DomainName}/basepathmappings/${BasePath}
  • clientcertificate: arn:${Partition}:apigateway:${Region}::/clientcertificates/${ClientCertificateId}
  • deployment: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/deployments/${DeploymentId}
  • documentationpart: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/documentation/parts/${PartId}
  • documentationversion: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/documentation/versions/${DocVersion}
  • domainname: arn:${Partition}:apigateway:${Region}::/domainnames/${DomainName}
  • gatewayresponse: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/gatewayresponses/${ResponseType}
  • integration: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/methods/${HttpMethod}/integration
  • integrationresponse: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/methods/${HttpMethod}/integration/responses/${StatusCode}
  • method: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/methods/${HttpMethod}
  • methodresponse: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/methods/${HttpMethod}/responses/${StatusCode}
  • model: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/models/${ModelName}
  • requestvalidator: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/requestvalidators/${RequestValidatorId}
  • resource: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/resources/${ResourceId}
  • restapi: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}
  • sdktype: arn:${Partition}:apigateway:${Region}::/sdktypes/${SdkTypeId}
  • stage: arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/stages/${StageName}
  • tags: arn:${Partition}:apigateway:${Region}::/tags/${ResourceArn}
  • usage: arn:${Partition}:apigateway:${Region}::/usageplans/${UsagePlanId}/keys/${KeyId}/usage
  • usageplan: arn:${Partition}:apigateway:${Region}::/usageplans/${UsagePlanId}
  • usageplankey: arn:${Partition}:apigateway:${Region}::/usageplans/${UsagePlanId}/keys/${KeyId}
  • vpclink: arn:${Partition}:apigateway:${Region}::/vpclinks/${VpcLinkId}

Obviously API Gateway follows a different convention than most other services, but its resource structure is still well defined. The documentation for API Gateway and IAM has historically been light and finding a way to formally document this information centrally would help many teams who are managing its security.

https://docs.aws.amazon.com/apigateway/api-reference/link-relation/
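For policy review, the ARN formats listed in the issue can be turned into a classifier that reports which API Gateway resource type a `Resource` entry targets and which fields are wildcarded. This is an added example, not code from the issue or from AWS; it uses a subset of the listed templates, the sample ARNs are constructed, and it assumes each `${...}` variable fills exactly one segment.

```python
import re

# Subset of the ARN templates quoted in the issue above.
P = "arn:${Partition}:apigateway:${Region}::"
TEMPLATES = {
    "apikey": P + "/apikeys/${ApiKey}",
    "restapi": P + "/restapis/${RestApiId}",
    "stage": P + "/restapis/${RestApiId}/stages/${StageName}",
    "authorizer": P + "/restapis/${RestApiId}/authorizers/${AuthorizerId}",
    "method": P + "/restapis/${RestApiId}/methods/${HttpMethod}",
    "integration": P + "/restapis/${RestApiId}/methods/${HttpMethod}/integration",
    "usageplan": P + "/usageplans/${UsagePlanId}",
    "usageplankey": P + "/usageplans/${UsagePlanId}/keys/${KeyId}",
    "vpclink": P + "/vpclinks/${VpcLinkId}",
}

VAR = re.compile(r"\$\{(\w+)\}")


def compile_template(template):
    """Build a regex with one named group per ${Variable} in the template."""
    parts = VAR.split(template)  # literal, name, literal, name, ...
    out = []
    for i, part in enumerate(parts):
        if i % 2:
            # Assumption: a variable never contains '/' or ':'.
            out.append(f"(?P<{part}>[^/:]+)")
        else:
            out.append(re.escape(part))
    return re.compile("".join(out))


PATTERNS = {name: compile_template(t) for name, t in TEMPLATES.items()}


def classify(arn):
    """Return (resource_type, variables), or None if no template fits."""
    for name, pattern in PATTERNS.items():
        m = pattern.fullmatch(arn)
        if m:
            return name, m.groupdict()
    return None


def wildcard_fields(arn):
    """Variables filled with a wildcard. In an IAM policy '*' also matches
    '/', so a wildcarded trailing field covers nested sub-resources too."""
    hit = classify(arn)
    return [] if hit is None else [k for k, v in hit[1].items() if "*" in v]
```

An ARN from the `execute-api` namespace returns `None`, since every template here belongs to the `apigateway` management namespace.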

I'm sorry that you're having trouble finding the information you need. The list of actions, resources, and conditions that we publish in the IAM user guide is automated based on content from each service. Thanks for letting us know that this service includes incorrect information. I will forward this information to the service's engineering team so that they can update the info.