I have an API Gateway with two stages (prod and dev), one for production and the other for development.
In order to restrict access and deployments to the prod stage, I have set the following IAM policy for a dev user:
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "execute-api:*",
                "apigateway:*"
            ],
            "Resource": [
                "arn:aws:apigateway:eu-central-1::/restapis/6mvx7om366/stages/dev",
                "arn:aws:apigateway:eu-central-1::/restapis/6mvx7om366/stages",
                "arn:aws:apigateway:eu-central-1::/restapis",
                "arn:aws:apigateway:eu-central-1::/restapis/6mvx7om366",
                "arn:aws:apigateway:eu-central-1::/restapis/6mvx7om366/deployments",
                .....
                ....
            ]
        }
    ]
where 6mvx7om366 is the API id.
This shows the prod stage to the user in the console, but prevents them from editing any of its config (happy with that).
But the dev user is then able to do deployments to the prod stage. I was indeed hoping for an ARN like:
"arn:aws:apigateway:eu-central-1::/restapis/6mvx7om366/deployments/stages/dev"
But it looks like there isn't one. Is there any workaround?
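
An added illustration (not part of the original question, and a simplified model rather than AWS's own evaluator) of why the statement above matches a deployment request: API Gateway's CreateDeployment is a POST to /restapis/{id}/deployments with the target stage carried in the request body as stageName, so the stage never appears in the resource ARN that IAM compares. The sample requests are constructed, and the resources elided in the question are left out.

```python
from fnmatch import fnmatchcase

API = "arn:aws:apigateway:eu-central-1::/restapis/6mvx7om366"

# Statement from the question; the resources elided there ("....") are omitted.
POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["execute-api:*", "apigateway:*"],
    "Resource": [
        API + "/stages/dev",
        API + "/stages",
        "arn:aws:apigateway:eu-central-1::/restapis",
        API,
        API + "/deployments",
    ],
}]}


def is_allowed(policy, action, resource):
    """Simplified IAM logic: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        # IAM action names are case-insensitive; resource ARNs are matched as written.
        action_hit = any(fnmatchcase(action.lower(), a.lower()) for a in stmt["Action"])
        resource_hit = any(fnmatchcase(resource, r) for r in stmt["Resource"])
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def evaluate_samples():
    """Constructed requests: (label, IAM action, resource ARN IAM sees)."""
    samples = [
        ("edit dev stage", "apigateway:PATCH", API + "/stages/dev"),
        ("edit prod stage", "apigateway:PATCH", API + "/stages/prod"),
        # stageName ("dev" or "prod") is in the request body, not in this ARN.
        ("create deployment", "apigateway:POST", API + "/deployments"),
    ]
    return {label: is_allowed(POLICY, act, res) for label, act, res in samples}


if __name__ == "__main__":
    for label, verdict in evaluate_samples().items():
        print(f"{label:18} -> {'Allow' if verdict else 'implicit Deny'}")
```

The prod stage resource is never matched, which is why its settings cannot be edited, while the deployments collection is matched regardless of which stage the deployment targets.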