From 650e57519fba185d7438168c5ae4a3df1d757642 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Thu, 30 Nov 2023 12:50:37 +1030
Subject: [PATCH 1/5] allow deploy user to get RestApi resources
---
 packages/serverless-deploy-iam/bin/app.ts | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 6383826..aa9fd28 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -417,6 +417,11 @@ export class ServiceDeployIAM extends cdk.Stack {
 "apigateway:PATCH",
 ]
 },
+ {
+ name: 'API_GATEWAY',
+ resources: [`arn:aws:apigateway:${region}::/restapis`],
+ actions: ['apigateway:GET']
+ },
 // The serverless-api-gateway-throttling requires PATCH access using the deploy user to update maxRequestsPerSecond and maxConcurrentRequests
 {
 name: 'API_GATEWAY',
From b4380e6e1ca61988b32992c339563bae01d655aa Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Thu, 30 Nov 2023 12:59:30 +1030
Subject: [PATCH 2/5] allow deploy user to get RestApi resources
---
 packages/serverless-deploy-iam/bin/app.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index aa9fd28..1c4579b 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -419,7 +419,8 @@ export class ServiceDeployIAM extends cdk.Stack {
 },
 {
 name: 'API_GATEWAY',
- resources: [`arn:aws:apigateway:${region}::/restapis`],
+ prefix: `arn:aws:apigateway:${region}::/restapis`,
+ qualifiers: [`*/deployments`],
 actions: ['apigateway:GET']
 },
 // The serverless-api-gateway-throttling requires PATCH access using the deploy user to update maxRequestsPerSecond and maxConcurrentRequests
From 7b89ac1168a32edd77f2f37eb4356443dbb23c05 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Thu, 30 Nov 2023 13:07:14 +1030
Subject: [PATCH 3/5] adjust delimiter for restapis to address resource name format
---
 packages/serverless-deploy-iam/bin/app.ts | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 1c4579b..f91e635 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -418,9 +418,9 @@ export class ServiceDeployIAM extends cdk.Stack {
 ]
 },
 {
- name: 'API_GATEWAY',
+ name: 'API_GATEWAY_RESTAPIS',
 prefix: `arn:aws:apigateway:${region}::/restapis`,
- qualifiers: [`*/deployments`],
+ qualifiers: [`/*/deployments`],
 actions: ['apigateway:GET']
 },
 // The serverless-api-gateway-throttling requires PATCH access using the deploy user to update maxRequestsPerSecond and maxConcurrentRequests
@@ -525,6 +525,9 @@ export class ServiceDeployIAM extends cdk.Stack {
 case "STEP_FUNCTION":
 delimiter = "";
 break;
+ case "API_GATEWAY_RESTAPIS":
+ delimiter = "";
+ break;
 case "EVENT_BRIDGE":
 delimiter = ":";
 break;
From 1501f4a17315f9de1534240b04b0e78d469967d9 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Thu, 30 Nov 2023 13:18:04 +1030
Subject: [PATCH 4/5] allow deploy user to POST RestApi resources
---
 packages/serverless-deploy-iam/bin/app.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index f91e635..1d00d71 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -428,7 +428,8 @@ export class ServiceDeployIAM extends cdk.Stack {
 name: 'API_GATEWAY',
 resources: [`arn:aws:apigateway:${region}::/restapis/*/stages/*`],
 actions: [
- "apigateway:PATCH"
+ "apigateway:PATCH",
+ "apigateway:POST"
 ]
 }
 ]
From 860ae136d0729960c73c6f30c965ec0f95814a37 Mon Sep 17 00:00:00 2001
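Review bot: The entry renamed to 'API_GATEWAY_RESTAPIS' now spells its resource as `prefix` plus a qualifier that carries its own leading slash, and only the `case "API_GATEWAY_RESTAPIS": delimiter = "";` added in the second hunk (around line 525) makes that compose into what is presumably `arn:aws:apigateway:${region}::/restapis/*/deployments`; nothing at the entry itself says so. A one-line comment on the entry, `// qualifiers for this name carry their own leading '/' (delimiter is '' in the switch below)`, would keep the two places in step when another qualifier is added. The array holding these entries and the delimiter switch both start and end outside the hunks.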
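Review bot: `apigateway:POST` is granted on `/restapis/*/stages/*` directly under a comment that only justifies PATCH for the serverless-api-gateway-throttling plugin, so the reason the deploy user needs POST there is undocumented and a later reviewer cannot tell whether it is still required. Suggest extending that comment with the concrete operation the deploy performs, e.g. `// POST is also needed for <operation> on stages`, with the placeholder replaced by the actual API Gateway call. This deserves a line because the trailing `*` in the resource matches every sub-resource of every stage, not just the stage itself. The enclosing array starts outside the hunk.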
From: Chris Park
Date: Thu, 30 Nov 2023 13:26:18 +1030
Subject: [PATCH 5/5] allow deploy user to POST RestApi stage resources
---
 packages/serverless-deploy-iam/bin/app.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 1d00d71..8d94f52 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -426,7 +426,8 @@ export class ServiceDeployIAM extends cdk.Stack {
 // The serverless-api-gateway-throttling requires PATCH access using the deploy user to update maxRequestsPerSecond and maxConcurrentRequests
 {
 name: 'API_GATEWAY',
- resources: [`arn:aws:apigateway:${region}::/restapis/*/stages/*`],
+ prefix: `arn:aws:apigateway:${region}::/restapis/*/stages`,
+ qualifiers: [`*`],
 actions: [
 "apigateway:PATCH",
 "apigateway:POST"
@@ -526,6 +527,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 case "STEP_FUNCTION":
 delimiter = "";
 break;
+ case "API_GATEWAY":
 case "API_GATEWAY_RESTAPIS":
 delimiter = "";
 break;
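Review bot: With `prefix` ending in `stages`, `qualifiers: ['*']`, and `case "API_GATEWAY":` joining the empty-delimiter group in the second hunk, the composed resource appears to be `arn:aws:apigateway:${region}::/restapis/*/stages*`; an IAM `*` matches across path segments, so PATCH and POST now cover the stages collection, every stage and every stage sub-resource, which is wider than the literal `/restapis/*/stages/*` this replaces. If the extra reach to the collection is the point (the subject line suggests creating stages), the comment above the entry should say so; if only existing stages are meant, `qualifiers: ['/*']` reproduces the previous resource exactly. 'API_GATEWAY' is also the name of the pre-existing entries in this list, so the new delimiter case applies to them too if they go through the same composition; they appear to use `resources:` rather than `prefix:`, which is worth confirming. Both the entry array and the switch start and end outside the hunks.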