I have a CloudFormation template that includes an API Gateway configured using an OpenAPI 3.0 body. I would like to make the OpenAPI specification available to the users of my API. Ideally within a nice GUI but this answer suggests that's not possible. I do not want to set up a developer portal.
My CFT contains a DocumentationVersion element that creates documentation for the API.
According to this and this I should be able to download my documentation from a URL like
https://apigateway.[my_aws_region].amazonaws.com/restapis/[my_api_id]/stages/[my_api_stage]/exports/oas30
Indeed when I go to this URL I get something like
{"logref":"56f5173b-a329-11e9-a8d5-e97c525eb634","message":"Missing Authentication Token"}
Which suggests that this will work with the correct token.
This page shows that you can control access to API documentation with a policy. (Although oddly it says that the account_id to use is the one of the users you want to grant access to - is that correct?)
So I tried adding the following resource to my CFT:
"ApiDocumentationAccessPolicy": {
    "Type": "AWS::IAM::ManagedPolicy",
    "Properties": {
        "Description": "Read access to API documentation restricted by IP",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "apigateway:GET"
                    ],
                    "Resource": {
                        "Fn::Join": [
                            "",
                            [
                                "arn:aws:apigateway::",
                                { "Ref": "AWS::AccountId" },
                                ":/restapis/",
                                "*/documentation/*"
                            ]
                        ]
                    },
                    "Condition": {
                        "IpAddress": {
                            "aws:SourceIp": ["xxx.xxx.xxx.xxx"]
                        }
                    }
                }
            ]
        }
    }
},
However, I still get "Missing Authentication Token". I am confident that the "condition" part is correct as it is used elsewhere in CFT.
Is what I want to do possible, and if so where am I going wrong?
EDIT: Adding "Principal": "*" to the policy statement above, and also moving it directly to the API Gateway's resource policy, doesn't appear to help either.
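The export URL in the question is an API Gateway control-plane endpoint, and "Missing Authentication Token" is what it returns when the GET carries no SigV4 signature at all; an IAM policy only decides whether a signed request is allowed. The following is an added example, not code from the question or from AWS: it builds the export URL and the SigV4 `Authorization` header for it with only the standard library, so a client with IAM credentials can fetch the OAS 3.0 document. The region, API id, stage and credential values are constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

SERVICE = "apigateway"  # control-plane service name used in the credential scope


def export_url(region: str, api_id: str, stage: str) -> str:
    """Export endpoint from the question: host + path for the oas30 export."""
    host = f"{SERVICE}.{region}.amazonaws.com"
    path = f"/restapis/{api_id}/stages/{stage}/exports/oas30"
    return host, path


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_get(host, path, region, access_key, secret_key, amz_date=None):
    """Return the headers of a SigV4-signed GET (empty body, no query string).
    amz_date may be fixed (e.g. '20190710T120000Z') for reproducible output."""
    amz_date = amz_date or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    headers = {"host": host, "x-amz-date": amz_date}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(b"").hexdigest()
    # Canonical request: method, URI, query, headers, signed header list, body hash
    canonical_request = "\n".join(
        ["GET", quote(path, safe="/"), "", canonical_headers, signed_headers, payload_hash]
    )
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()]
    )
    # Derive the signing key from the secret through date, region, service
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode("utf-8"),
                                          date_stamp), region), SERVICE), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


if __name__ == "__main__":
    host, path = export_url("eu-west-1", "abc123", "prod")  # placeholders
    hdrs = sign_get(host, path, "eu-west-1", "AKIAPLACEHOLDER", "SECRETPLACEHOLDER")
    print(f"GET https://{host}{path}")
    print(hdrs["authorization"])
```

Send the headers with any HTTP client; the principal whose keys sign the request must be allowed `apigateway:GET` on the export resource, which is where the policy comes in.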