AWS::Location::APIKey ApiKeyRestrictions - Amazon CloudFormation
SyntaxProperties
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWS::Location::APIKey ApiKeyRestrictions

API Restrictions on the allowed actions, resources, and referers for an API key resource.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{
  "AllowActions" : [ String, ... ],
  "AllowReferers" : [ String, ... ],
  "AllowResources" : [ String, ... ]
}

YAML

  AllowActions: 
    - String
  AllowReferers: 
    - String
  AllowResources: 
    - String

Properties

AllowActions

A list of allowed actions that an API key resource grants permissions to perform. You must have at least one action for each type of resource. For example, if you have a place resource, you must include at least one place action.

The following are valid values for the actions.

  • Map actions

    • geo:GetMap* - Allows all actions needed for map rendering.

  • Place actions

    • geo:SearchPlaceIndexForText - Allows geocoding.

    • geo:SearchPlaceIndexForPosition - Allows reverse geocoding.

    • geo:SearchPlaceIndexForSuggestions - Allows generating suggestions from text.

    • geo:GetPlace - Allows finding a place by place ID.

  • Route actions

    • geo:CalculateRoute - Allows point to point routing.

    • geo:CalculateRouteMatrix - Allows calculating a matrix of routes.

Note

You must use these strings exactly. For example, to provide access to map rendering, the only valid action is geo:GetMap* as an input to the list. ["geo:GetMap*"] is valid but ["geo:GetMapTile"] is not. Similarly, you cannot use ["geo:SearchPlaceIndexFor*"] - you must list each of the Place actions separately.

Required: Yes

Type: Array of String

Minimum: 5 | 1

Maximum: 200 | 7

Update requires: No interruption

AllowReferers

An optional list of allowed HTTP referers for which requests must originate from. Requests using this API key from other domains will not be allowed.

Requirements:

  • Contain only alphanumeric characters (A–Z, a–z, 0–9) or any symbols in this list $\-._+!*`(),;/?:@=&

  • May contain a percent (%) if followed by 2 hexadecimal digits (A-F, a-f, 0-9); this is used for URL encoding purposes.

  • May contain wildcard characters question mark (?) and asterisk (*).

    Question mark (?) will replace any single character (including hexadecimal digits).

    Asterisk (*) will replace any multiple characters (including multiple hexadecimal digits).

  • No spaces allowed. For example, https://example.com.

Required: No

Type: Array of String

Minimum: 1

Maximum: 253 | 5

Update requires: No interruption

AllowResources

A list of allowed resource ARNs that a API key bearer can perform actions on.

  • The ARN must be the correct ARN for a map, place, or route ARN. You may include wildcards in the resource-id to match multiple resources of the same type.

  • The resources must be in the same partition, region, and account-id as the key that is being created.

  • Other than wildcards, you must include the full ARN, including the arn, partition, service, region, account-id and resource-id delimited by colons (:).

  • No spaces allowed, even with wildcards. For example, arn:aws:geo:region:account-id:map/ExampleMap*.

For more information about ARN format, see Amazon Resource Names (ARNs).

Required: Yes

Type: Array of String

Minimum: 1

Maximum: 1600 | 5

Update requires: No interruption