View a markdown version of this page

Actions, resources, and condition keys for Amazon API Gateway Management V2 - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon API Gateway Management V2

Amazon API Gateway Management V2 (service prefix: apigateway) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon API Gateway Management V2

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

CreateApi

apigateway:POST

Write

iam:PassRole

iam:PassedToService

apigateway.amazonaws.com

Write

CreateApiMapping

apigateway:POST

Write

CreateAuthorizer

apigateway:POST

Write

iam:PassRole

iam:PassedToService

apigateway.amazonaws.com

Write

CreateDeployment

apigateway:POST

Write

CreateDomainName

apigateway:AddCertificateToDomain

Permissions management, Write

apigateway:POST

Write

apigateway:PUT

Write

apigateway:UpdateDomainNamePolicy

Permissions management, Write

CreateIntegration

apigateway:POST

Write

iam:PassRole

iam:PassedToService

apigateway.amazonaws.com

Write

CreateIntegrationResponse

apigateway:POST

Write

CreateModel

apigateway:POST

Write

CreatePortal

apigateway:CreatePortal

Write

apigateway:GetPortalProduct

Read

apigateway:POST

Write

CreatePortalProduct

apigateway:CreatePortalProduct

Write

apigateway:POST

Write

CreateProductPage

apigateway:CreateProductPage

Write

CreateProductRestEndpointPage

apigateway:CreateProductRestEndpointPage

Write

CreateRoute

apigateway:POST

Write

CreateRouteResponse

apigateway:POST

Write

CreateRoutingRule

apigateway:CreateRoutingRule

Write

CreateStage

apigateway:POST

Write

apigateway:PUT

Write

CreateVpcLink

apigateway:POST

Write

apigateway:PUT

Write

DeleteAccessLogSettings

apigateway:DELETE

Write

DeleteApi

apigateway:DELETE

Write

DeleteApiMapping

apigateway:DELETE

Write

DeleteAuthorizer

apigateway:DELETE

Write

DeleteCorsConfiguration

apigateway:DELETE

Write

DeleteDeployment

apigateway:DELETE

Write

DeleteDomainName

apigateway:DELETE

Write

apigateway:RemoveCertificateFromDomain

Permissions management, Write

DeleteIntegration

apigateway:DELETE

Write

DeleteIntegrationResponse

apigateway:DELETE

Write

DeleteModel

apigateway:DELETE

Write

DeletePortal

apigateway:DeletePortal

Write

DeletePortalProduct

apigateway:DeletePortalProduct

Write

DeletePortalProductSharingPolicy

apigateway:DeletePortalProductSharingPolicy

Permissions management, Write

DeleteProductPage

apigateway:DeleteProductPage

Write

DeleteProductRestEndpointPage

apigateway:DeleteProductRestEndpointPage

Write

DeleteRoute

apigateway:DELETE

Write

DeleteRouteRequestParameter

apigateway:DELETE

Write

DeleteRouteResponse

apigateway:DELETE

Write

DeleteRouteSettings

apigateway:DELETE

Write

DeleteRoutingRule

apigateway:DeleteRoutingRule

Write

DeleteStage

apigateway:DELETE

Write

DeleteVpcLink

apigateway:DELETE

Write

DisablePortal

apigateway:DisablePortal

Write

ExportApi

apigateway:GET

Read

GetApi

apigateway:GET

Read

GetApiMapping

apigateway:GET

Read

GetApiMappings

apigateway:GET

Read

GetApis

apigateway:GET

Read

GetAuthorizer

apigateway:GET

Read

GetAuthorizers

apigateway:GET

Read

GetDeployment

apigateway:GET

Read

GetDeployments

apigateway:GET

Read

GetDomainName

apigateway:GET

Read

GetDomainNames

apigateway:GET

Read

GetIntegration

apigateway:GET

Read

GetIntegrationResponse

apigateway:GET

Read

GetIntegrationResponses

apigateway:GET

Read

GetIntegrations

apigateway:GET

Read

GetModel

apigateway:GET

Read

GetModelTemplate

apigateway:GET

Read

GetModels

apigateway:GET

Read

GetPortal

apigateway:GetPortal

Read

GetPortalProduct

apigateway:GetPortalProduct

Read

GetPortalProductSharingPolicy

apigateway:GetPortalProductSharingPolicy

Read

GetProductPage

apigateway:GetProductPage

Read

GetProductRestEndpointPage

apigateway:GetProductRestEndpointPage

Read

GetRoute

apigateway:GET

Read

GetRouteResponse

apigateway:GET

Read

GetRouteResponses

apigateway:GET

Read

GetRoutes

apigateway:GET

Read

GetRoutingRule

apigateway:GetRoutingRule

Read

GetStage

apigateway:GET

Read

GetStages

apigateway:GET

Read

GetTags

apigateway:GET

Read

GetVpcLink

apigateway:GET

Read

GetVpcLinks

apigateway:GET

Read

ImportApi

apigateway:POST

Write

apigateway:PUT

Write

iam:PassRole

iam:PassedToService

apigateway.amazonaws.com

Write

ListPortalProducts

apigateway:ListPortalProducts

List

ListPortals

apigateway:ListPortals

List

ListProductPages

apigateway:ListProductPages

List

ListProductRestEndpointPages

apigateway:ListProductRestEndpointPages

List

ListRoutingRules

apigateway:ListRoutingRules

List

PreviewPortal

apigateway:GetPortalProduct

Read

apigateway:PreviewPortal

Write

PublishPortal

apigateway:GetPortalProduct

Read

apigateway:PublishPortal

Write

PutPortalProductSharingPolicy

apigateway:PutPortalProductSharingPolicy

Permissions management, Write

PutRoutingRule

apigateway:UpdateRoutingRule

Write

ReimportApi

apigateway:DELETE

Write

apigateway:POST

Write

apigateway:PUT

Write

iam:PassRole

iam:PassedToService

apigateway.amazonaws.com

Write

ResetAuthorizersCache

apigateway:DELETE

Write

TagResource

apigateway:PATCH

Write

apigateway:POST

Write

apigateway:PUT

Write

UntagResource

apigateway:DELETE

Write

apigateway:PATCH

Write

UpdateApi

apigateway:PATCH

Write

iam:PassRole

iam:PassedToService

apigateway.amazonaws.com

Write

UpdateApiMapping

apigateway:PATCH

Write

UpdateAuthorizer

apigateway:PATCH

Write

iam:PassRole

iam:PassedToService

apigateway.amazonaws.com

Write

UpdateDeployment

apigateway:PATCH

Write

UpdateDomainName

apigateway:AddCertificateToDomain

Permissions management, Write

apigateway:PATCH

Write

apigateway:RemoveCertificateFromDomain

Permissions management, Write

apigateway:UpdateDomainNameManagementPolicy

Permissions management, Write

apigateway:UpdateDomainNamePolicy

Permissions management, Write

UpdateIntegration

apigateway:PATCH

Write

iam:PassRole

iam:PassedToService

apigateway.amazonaws.com

Write

UpdateIntegrationResponse

apigateway:PATCH

Write

UpdateModel

apigateway:PATCH

Write

UpdatePortal

apigateway:GetPortalProduct

Read

apigateway:UpdatePortal

Write

UpdatePortalProduct

apigateway:UpdatePortalProduct

Write

UpdateProductPage

apigateway:UpdateProductPage

Write

UpdateProductRestEndpointPage

apigateway:UpdateProductRestEndpointPage

Write

UpdateRoute

apigateway:PATCH

Write

UpdateRouteResponse

apigateway:PATCH

Write

UpdateStage

apigateway:PATCH

Write

UpdateVpcLink

apigateway:PATCH

Write

Actions defined by Amazon API Gateway Management V2

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

CreatePortal

Grants permission to create a Portal

Portal*

apigateway:Request/CognitoUserPoolArn

apigateway:Request/PortalDisplayName

apigateway:Request/PortalDomainName

apigateway:Resource/CognitoUserPoolArn

apigateway:Resource/PortalDisplayName

apigateway:Resource/PortalDomainName

apigateway:Resource/PortalPublishStatus

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreatePortalProduct

Grants permission to create a Portal Product

PortalProduct*

apigateway:Request/PortalProductDisplayName

apigateway:Resource/PortalProductDisplayName

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateProductPage

Grants permission to create a Product Page

ProductPage*

apigateway:Request/ProductPageTitle

apigateway:Resource/ProductPageTitle

aws:ResourceTag/${TagKey}

Write

CreateProductRestEndpointPage

Grants permission to create a Product REST Endpoint Page

ProductRestEndpointPage*

apigateway:Request/Method

apigateway:Request/ProductRestEndpointPageEndpointPrefix

apigateway:Request/RestApiId

apigateway:Request/Stage

apigateway:Resource/Method

apigateway:Resource/ProductRestEndpointPageEndpointPrefix

apigateway:Resource/RestApiId

apigateway:Resource/Stage

aws:ResourceTag/${TagKey}

Write

CreateRoutingRule

Grants permission to create a routing rule

RoutingRule*

apigateway:Request/ConditionBasePaths

apigateway:Request/Priority

apigateway:Resource/ConditionBasePaths

apigateway:Resource/Priority

aws:ResourceTag/${TagKey}

Write

DELETE

Grants permission to delete a particular resource

AccessLogSettings

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

Api

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/AuthorizerUri

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

apigateway:Resource/ApiKeyRequired

apigateway:Resource/ApiName

apigateway:Resource/AuthorizerType

apigateway:Resource/AuthorizerUri

apigateway:Resource/DisableExecuteApiEndpoint

apigateway:Resource/EndpointType

apigateway:Resource/RouteAuthorizationType

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

ApiMapping

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Authorizer

apigateway:Request/AuthorizerType

apigateway:Request/AuthorizerUri

apigateway:Resource/AuthorizerType

apigateway:Resource/AuthorizerUri

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

AuthorizersCache

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Cors

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Deployment

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Integration

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

IntegrationResponse

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Model

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Route

apigateway:Request/ApiKeyRequired

apigateway:Request/RouteAuthorizationType

apigateway:Resource/ApiKeyRequired

apigateway:Resource/RouteAuthorizationType

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

RouteRequestParameter

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

RouteResponse

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

RouteSettings

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Stage

apigateway:Request/AccessLoggingDestination

apigateway:Request/AccessLoggingFormat

apigateway:Resource/AccessLoggingDestination

apigateway:Resource/AccessLoggingFormat

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

VpcLink

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

DeletePortal

Grants permission to delete a Portal

Portal*

apigateway:Resource/CognitoUserPoolArn

apigateway:Resource/PortalDisplayName

apigateway:Resource/PortalDomainName

apigateway:Resource/PortalPublishStatus

aws:ResourceTag/${TagKey}

Write

DeletePortalProduct

Grants permission to delete a Portal Product

PortalProduct*

apigateway:Resource/PortalProductDisplayName

aws:ResourceTag/${TagKey}

Write

DeletePortalProductSharingPolicy

Grants permission to delete a Portal Product Sharing Policy

PortalProduct*

apigateway:Resource/PortalProductDisplayName

aws:ResourceTag/${TagKey}

Permissions management, Write

DeleteProductPage

Grants permission to delete a Product Page

ProductPage*

apigateway:Resource/ProductPageTitle

aws:ResourceTag/${TagKey}

Write

DeleteProductRestEndpointPage

Grants permission to delete a Product REST Endpoint Page

PortalProduct*

apigateway:Resource/PortalProductDisplayName

aws:ResourceTag/${TagKey}

Write

ProductRestEndpointPage*

apigateway:Resource/Method

apigateway:Resource/ProductRestEndpointPageEndpointPrefix

apigateway:Resource/RestApiId

apigateway:Resource/Stage

aws:ResourceTag/${TagKey}

DeleteRoutingRule

Grants permission to delete a routing rule

RoutingRule*

apigateway:Resource/ConditionBasePaths

apigateway:Resource/Priority

aws:ResourceTag/${TagKey}

Write

DisablePortal

Grants permission to disable a Portal

Portal*

apigateway:Resource/CognitoUserPoolArn

apigateway:Resource/PortalDisplayName

apigateway:Resource/PortalDomainName

apigateway:Resource/PortalPublishStatus

aws:ResourceTag/${TagKey}

Write

GET

Grants permission to read a particular resource

AccessLogSettings

aws:ResourceTag/${TagKey}

Read

Api

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/AuthorizerUri

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

apigateway:Resource/ApiKeyRequired

apigateway:Resource/ApiName

apigateway:Resource/AuthorizerType

apigateway:Resource/AuthorizerUri

apigateway:Resource/DisableExecuteApiEndpoint

apigateway:Resource/EndpointType

apigateway:Resource/RouteAuthorizationType

aws:ResourceTag/${TagKey}

ApiMapping

aws:ResourceTag/${TagKey}

ApiMappings

aws:ResourceTag/${TagKey}

Apis

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/AuthorizerUri

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

aws:ResourceTag/${TagKey}

Authorizer

apigateway:Request/AuthorizerType

apigateway:Request/AuthorizerUri

apigateway:Resource/AuthorizerType

apigateway:Resource/AuthorizerUri

aws:ResourceTag/${TagKey}

Authorizers

apigateway:Request/AuthorizerType

apigateway:Request/AuthorizerUri

aws:ResourceTag/${TagKey}

AuthorizersCache

aws:ResourceTag/${TagKey}

Cors

aws:ResourceTag/${TagKey}

Deployment

aws:ResourceTag/${TagKey}

Deployments

apigateway:Request/StageName

aws:ResourceTag/${TagKey}

ExportedAPI

aws:ResourceTag/${TagKey}

Integration

aws:ResourceTag/${TagKey}

IntegrationResponse

aws:ResourceTag/${TagKey}

IntegrationResponses

aws:ResourceTag/${TagKey}

Integrations

aws:ResourceTag/${TagKey}

Model

aws:ResourceTag/${TagKey}

ModelTemplate

aws:ResourceTag/${TagKey}

Models

aws:ResourceTag/${TagKey}

Route

apigateway:Request/ApiKeyRequired

apigateway:Request/RouteAuthorizationType

apigateway:Resource/ApiKeyRequired

apigateway:Resource/RouteAuthorizationType

aws:ResourceTag/${TagKey}

RouteRequestParameter

aws:ResourceTag/${TagKey}

RouteResponse

aws:ResourceTag/${TagKey}

RouteResponses

aws:ResourceTag/${TagKey}

RouteSettings

aws:ResourceTag/${TagKey}

Routes

apigateway:Request/ApiKeyRequired

apigateway:Request/RouteAuthorizationType

aws:ResourceTag/${TagKey}

Stage

apigateway:Request/AccessLoggingDestination

apigateway:Request/AccessLoggingFormat

apigateway:Resource/AccessLoggingDestination

apigateway:Resource/AccessLoggingFormat

aws:ResourceTag/${TagKey}

Stages

apigateway:Request/AccessLoggingDestination

apigateway:Request/AccessLoggingFormat

aws:ResourceTag/${TagKey}

VpcLink

aws:ResourceTag/${TagKey}

VpcLinks

aws:ResourceTag/${TagKey}

GetPortal

Grants permission to read a Portal

Portal*

apigateway:Resource/CognitoUserPoolArn

apigateway:Resource/PortalDisplayName

apigateway:Resource/PortalDomainName

apigateway:Resource/PortalPublishStatus

aws:ResourceTag/${TagKey}

Read

GetPortalProduct

Grants permission to read a Portal Product

PortalProduct*

apigateway:Resource/PortalProductDisplayName

aws:ResourceTag/${TagKey}

Read

GetPortalProductSharingPolicy

Grants permission to read a Portal Product Sharing Policy

PortalProduct*

apigateway:Resource/PortalProductDisplayName

aws:ResourceTag/${TagKey}

Read

GetProductPage

Grants permission to read a Product Page

PortalProduct

apigateway:Resource/PortalProductDisplayName

aws:ResourceTag/${TagKey}

Read

ProductPage*

apigateway:Resource/ProductPageTitle

aws:ResourceTag/${TagKey}

GetProductRestEndpointPage

Grants permission to read a Product REST Endpoint Page

PortalProduct

apigateway:Resource/PortalProductDisplayName

aws:ResourceTag/${TagKey}

Read

ProductRestEndpointPage*

apigateway:Resource/Method

apigateway:Resource/ProductRestEndpointPageEndpointPrefix

apigateway:Resource/RestApiId

apigateway:Resource/Stage

aws:ResourceTag/${TagKey}

GetRoutingRule

Grants permission to read a routing rule

RoutingRule*

apigateway:Resource/ConditionBasePaths

apigateway:Resource/Priority

aws:ResourceTag/${TagKey}

Read

ListPortalProducts

Grants permission to list Portal Products

PortalProduct*

apigateway:Resource/PortalProductDisplayName

aws:ResourceTag/${TagKey}

List

ListPortals

Grants permission to list Portals

Portal*

apigateway:Resource/CognitoUserPoolArn

apigateway:Resource/PortalDisplayName

apigateway:Resource/PortalDomainName

apigateway:Resource/PortalPublishStatus

aws:ResourceTag/${TagKey}

List

ListProductPages

Grants permission to list Product Pages

PortalProduct

apigateway:Resource/PortalProductDisplayName

aws:ResourceTag/${TagKey}

List

ProductPage*

apigateway:Resource/ProductPageTitle

aws:ResourceTag/${TagKey}

ListProductRestEndpointPages

Grants permission to list Product REST Endpoint Pages

PortalProduct

apigateway:Resource/PortalProductDisplayName

aws:ResourceTag/${TagKey}

List

ProductRestEndpointPage*

apigateway:Resource/Method

apigateway:Resource/ProductRestEndpointPageEndpointPrefix

apigateway:Resource/RestApiId

apigateway:Resource/Stage

aws:ResourceTag/${TagKey}

ListRoutingRules

Grants permission to list routing rules under a domain name

RoutingRule*

apigateway:Resource/ConditionBasePaths

apigateway:Resource/Priority

aws:ResourceTag/${TagKey}

List

PATCH

Grants permission to update a particular resource

Api

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/AuthorizerUri

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

apigateway:Resource/ApiKeyRequired

apigateway:Resource/ApiName

apigateway:Resource/AuthorizerType

apigateway:Resource/AuthorizerUri

apigateway:Resource/DisableExecuteApiEndpoint

apigateway:Resource/EndpointType

apigateway:Resource/RouteAuthorizationType

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

ApiMapping

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Authorizer

apigateway:Request/AuthorizerType

apigateway:Request/AuthorizerUri

apigateway:Resource/AuthorizerType

apigateway:Resource/AuthorizerUri

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Deployment

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Integration

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

IntegrationResponse

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Model

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Route

apigateway:Request/ApiKeyRequired

apigateway:Request/RouteAuthorizationType

apigateway:Resource/ApiKeyRequired

apigateway:Resource/RouteAuthorizationType

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

RouteRequestParameter

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

RouteResponse

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Stage

apigateway:Request/AccessLoggingDestination

apigateway:Request/AccessLoggingFormat

apigateway:Resource/AccessLoggingDestination

apigateway:Resource/AccessLoggingFormat

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

VpcLink

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

POST

Grants permission to create a particular resource

ApiMappings

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

Apis

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/AuthorizerUri

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Authorizers

apigateway:Request/AuthorizerType

apigateway:Request/AuthorizerUri

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Deployments

apigateway:Request/StageName

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

IntegrationResponse

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

IntegrationResponses

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Integrations

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Models

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

RouteResponses

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Routes

apigateway:Request/ApiKeyRequired

apigateway:Request/RouteAuthorizationType

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Stages

apigateway:Request/AccessLoggingDestination

apigateway:Request/AccessLoggingFormat

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

VpcLinks

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

PUT

Grants permission to update a particular resource

Api

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/AuthorizerUri

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

apigateway:Resource/ApiKeyRequired

apigateway:Resource/ApiName

apigateway:Resource/AuthorizerType

apigateway:Resource/AuthorizerUri

apigateway:Resource/DisableExecuteApiEndpoint

apigateway:Resource/EndpointType

apigateway:Resource/RouteAuthorizationType

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

Apis

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/AuthorizerUri

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

IntegrationResponse

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

PreviewPortal

Grants permission to preview a Portal

Portal*

apigateway:Resource/CognitoUserPoolArn

apigateway:Resource/PortalDisplayName

apigateway:Resource/PortalDomainName

apigateway:Resource/PortalPublishStatus

aws:ResourceTag/${TagKey}

Write

PublishPortal

Grants permission to publish a Portal

Portal*

apigateway:Resource/CognitoUserPoolArn

apigateway:Resource/PortalDisplayName

apigateway:Resource/PortalDomainName

apigateway:Resource/PortalPublishStatus

aws:ResourceTag/${TagKey}

Write

PutPortalProductSharingPolicy

Grants permission to put a Portal Product Sharing Policy

PortalProduct*

apigateway:Resource/PortalProductDisplayName

aws:ResourceTag/${TagKey}

Permissions management, Write

UpdatePortal

Grants permission to update a Portal

Portal*

apigateway:Request/CognitoUserPoolArn

apigateway:Request/PortalDisplayName

apigateway:Request/PortalDomainName

apigateway:Resource/CognitoUserPoolArn

apigateway:Resource/PortalDisplayName

apigateway:Resource/PortalDomainName

apigateway:Resource/PortalPublishStatus

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

UpdatePortalProduct

Grants permission to update a Portal Product

PortalProduct*

apigateway:Request/PortalProductDisplayName

apigateway:Resource/PortalProductDisplayName

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

UpdateProductPage

Grants permission to update a Product Page

ProductPage*

apigateway:Request/ProductPageTitle

apigateway:Resource/ProductPageTitle

aws:ResourceTag/${TagKey}

Write

UpdateProductRestEndpointPage

Grants permission to update a Product REST Endpoint Page

ProductRestEndpointPage*

apigateway:Request/ProductRestEndpointPageEndpointPrefix

apigateway:Resource/Method

apigateway:Resource/ProductRestEndpointPageEndpointPrefix

apigateway:Resource/RestApiId

apigateway:Resource/Stage

aws:ResourceTag/${TagKey}

Write

UpdateRoutingRule

Grants permission to update a routing rule using the PutRoutingRule API

RoutingRule*

apigateway:Request/ConditionBasePaths

apigateway:Request/Priority

apigateway:Resource/ConditionBasePaths

apigateway:Resource/Priority

aws:ResourceTag/${TagKey}

Write

Resource types defined by Amazon API Gateway Management V2

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

AccessLogSettings

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/stages/${StageName}/accesslogsettings

aws:ResourceTag/${TagKey}

Api

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/AuthorizerUri

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

apigateway:Resource/ApiKeyRequired

apigateway:Resource/ApiName

apigateway:Resource/AuthorizerType

apigateway:Resource/AuthorizerUri

apigateway:Resource/DisableExecuteApiEndpoint

apigateway:Resource/EndpointType

apigateway:Resource/RouteAuthorizationType

aws:ResourceTag/${TagKey}

ApiMapping

arn:${Partition}:apigateway:${Region}::/domainnames/${DomainName}/apimappings/${ApiMappingId}

aws:ResourceTag/${TagKey}

ApiMappings

arn:${Partition}:apigateway:${Region}::/domainnames/${DomainName}/apimappings

aws:ResourceTag/${TagKey}

Apis

arn:${Partition}:apigateway:${Region}::/apis

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/AuthorizerUri

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

aws:ResourceTag/${TagKey}

Authorizer

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/authorizers/${AuthorizerId}, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/authorizers/${AuthorizerId}

apigateway:Request/AuthorizerType

apigateway:Request/AuthorizerUri

apigateway:Resource/AuthorizerType

apigateway:Resource/AuthorizerUri

aws:ResourceTag/${TagKey}

Authorizers

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/authorizers, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/authorizers

apigateway:Request/AuthorizerType

apigateway:Request/AuthorizerUri

aws:ResourceTag/${TagKey}

AuthorizersCache

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/stages/${StageName}/cache/authorizers

aws:ResourceTag/${TagKey}

Cors

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/cors

aws:ResourceTag/${TagKey}

Deployment

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/deployments/${DeploymentId}, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/deployments/${DeploymentId}

aws:ResourceTag/${TagKey}

Deployments

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/deployments, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/deployments

apigateway:Request/StageName

aws:ResourceTag/${TagKey}

ExportedAPI

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/exports/${Specification}

aws:ResourceTag/${TagKey}

Integration

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/integrations/${IntegrationId}, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/resources/${ResourceId}/methods/${HttpMethodType}/integration

aws:ResourceTag/${TagKey}

IntegrationResponse

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/integrations/${IntegrationId}/integrationresponses/${IntegrationResponseId}, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/resources/${ResourceId}/methods/${HttpMethodType}/integration/responses/${StatusCode}

aws:ResourceTag/${TagKey}

IntegrationResponses

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/integrations/${IntegrationId}/integrationresponses

aws:ResourceTag/${TagKey}

Integrations

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/integrations

aws:ResourceTag/${TagKey}

Model

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/models/${ModelId}, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/models/${ModelName}

aws:ResourceTag/${TagKey}

ModelTemplate

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/models/${ModelId}/template

aws:ResourceTag/${TagKey}

Models

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/models, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/models

aws:ResourceTag/${TagKey}

Portal

arn:${Partition}:apigateway:${Region}:${Account}:/portals/${PortalId}

apigateway:Resource/CognitoUserPoolArn

apigateway:Resource/PortalDisplayName

apigateway:Resource/PortalDomainName

apigateway:Resource/PortalPublishStatus

aws:ResourceTag/${TagKey}

PortalProduct

arn:${Partition}:apigateway:${Region}:${Account}:/portalproducts/${PortalProductId}

apigateway:Resource/PortalProductDisplayName

aws:ResourceTag/${TagKey}

ProductPage

arn:${Partition}:apigateway:${Region}:${Account}:/portalproducts/${PortalProductId}/productpages/${ProductPageId}

apigateway:Resource/ProductPageTitle

aws:ResourceTag/${TagKey}

ProductRestEndpointPage

arn:${Partition}:apigateway:${Region}:${Account}:/portalproducts/${PortalProductId}/productrestendpointpages/${ProductRestEndpointPageId}

apigateway:Resource/Method

apigateway:Resource/ProductRestEndpointPageEndpointPrefix

apigateway:Resource/RestApiId

apigateway:Resource/Stage

aws:ResourceTag/${TagKey}

Route

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/routes/${RouteId}

apigateway:Request/ApiKeyRequired

apigateway:Request/RouteAuthorizationType

apigateway:Resource/ApiKeyRequired

apigateway:Resource/RouteAuthorizationType

aws:ResourceTag/${TagKey}

RouteRequestParameter

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/routes/${RouteId}/requestparameters/${RequestParameterKey}

aws:ResourceTag/${TagKey}

RouteResponse

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/routes/${RouteId}/routeresponses/${RouteResponseId}

aws:ResourceTag/${TagKey}

RouteResponses

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/routes/${RouteId}/routeresponses

aws:ResourceTag/${TagKey}

RouteSettings

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/stages/${StageName}/routesettings/${RouteKey}

aws:ResourceTag/${TagKey}

Routes

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/routes

apigateway:Request/ApiKeyRequired

apigateway:Request/RouteAuthorizationType

aws:ResourceTag/${TagKey}

RoutingRule

arn:${Partition}:apigateway:${Region}:${Account}:/domainnames/${DomainName}/routingrules/${RoutingRuleId}

apigateway:Resource/ConditionBasePaths

apigateway:Resource/Priority

aws:ResourceTag/${TagKey}

Stage

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/stages/${StageName}, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/stages/${StageName}

apigateway:Request/AccessLoggingDestination

apigateway:Request/AccessLoggingFormat

apigateway:Resource/AccessLoggingDestination

apigateway:Resource/AccessLoggingFormat

aws:ResourceTag/${TagKey}

Stages

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/stages, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/stages

apigateway:Request/AccessLoggingDestination

apigateway:Request/AccessLoggingFormat

aws:ResourceTag/${TagKey}

VpcLink

arn:${Partition}:apigateway:${Region}::/vpclinks/${VpcLinkId}

aws:ResourceTag/${TagKey}

VpcLinks

arn:${Partition}:apigateway:${Region}::/vpclinks

aws:ResourceTag/${TagKey}

Condition keys for Amazon API Gateway Management V2

Amazon API Gateway Management V2 defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

apigateway:Request/AccessLoggingDestination

Filters access by access log destination. Available during the CreateStage and UpdateStage operations

String

apigateway:Request/AccessLoggingFormat

Filters access by access log format. Available during the CreateStage and UpdateStage operations

String

apigateway:Request/ApiKeyRequired

Filters access by the requirement of API. Available during the CreateRoute and UpdateRoute operations. Also available as a collection during import and reimport

ArrayOfBool

apigateway:Request/ApiName

Filters access by API name. Available during the CreateApi and UpdateApi operations

String

apigateway:Request/AuthorizerType

Filters access by type of authorizer in the request, for example REQUEST or JWT. Available during CreateAuthorizer and UpdateAuthorizer. Also available during import and reimport as an ArrayOfString

ArrayOfString

apigateway:Request/AuthorizerUri

Filters access by URI of a Lambda authorizer function. Available during CreateAuthorizer and UpdateAuthorizer. Also available during import and reimport as an ArrayOfString

ArrayOfString

apigateway:Request/CognitoUserPoolArn

Filters access by a Portal's CognitoUserPoolArn that is passed in the request

ARN

apigateway:Request/ConditionBasePaths

Filters access by base paths defined on the condition of a routing rule. Available during the CreateRoutingRule and UpdateRoutingRule operations

ArrayOfString

apigateway:Request/DisableExecuteApiEndpoint

Filters access by status of the default execute-api endpoint. Available during the CreateApi and UpdateApi operations

Bool

apigateway:Request/EndpointType

Filters access by endpoint type. Available during the CreateDomainName, UpdateDomainName, CreateApi, and UpdateApi operations

ArrayOfString

apigateway:Request/Method

Filters access by a ProductRestEndpointPage's HTTP Method that is passed in the request

String

apigateway:Request/MtlsTrustStoreUri

Filters access by URI of the truststore used for mutual TLS authentication. Available during the CreateDomainName and UpdateDomainName operations

String

apigateway:Request/MtlsTrustStoreVersion

Filters access by version of the truststore used for mutual TLS authentication. Available during the CreateDomainName and UpdateDomainName operations

String

apigateway:Request/PortalDisplayName

Filters access by a Portal's Display Name that is passed in the request

String

apigateway:Request/PortalDomainName

Filters access by a Portal's vanity domain name that is passed in the request

String

apigateway:Request/PortalProductDisplayName

Filters access by a PortalProduct's Display Name that is passed in the request

String

apigateway:Request/Priority

Filters access by priority of the routing rule. Available during the CreateRoutingRule and UpdateRoutingRule operations

Numeric

apigateway:Request/ProductPageTitle

Filters access by a ProductPage's Title that is passed in the request

String

apigateway:Request/ProductRestEndpointPageEndpointPrefix

Filters access by a ProductRestEndpointPage's EndpointPrefix that is passed in the request

String

apigateway:Request/RestApiId

Filters access by a ProductRestEndpointPage's Amazon API Gateway API ID that is passed in the request

String

apigateway:Request/RouteAuthorizationType

Filters access by authorization type, for example NONE, AWS_IAM, CUSTOM, JWT. Available during the CreateRoute and UpdateRoute operations. Also available as a collection during import

ArrayOfString

apigateway:Request/RoutingMode

Filters access by routing mode of the domain name. Available during the CreateDomainName and UpdateDomainName operations

String

apigateway:Request/SecurityPolicy

Filters access by TLS version. Available during the CreateDomain and UpdateDomain operations

ArrayOfString

apigateway:Request/Stage

Filters access by a ProductRestEndpointPage's Amazon API Gateway Stage Name that is passed in the request

String

apigateway:Request/StageName

Filters access by stage name of the deployment that you attempt to create. Available during the CreateDeployment operation

String

apigateway:Resource/AccessLoggingDestination

Filters access by access log destination of the current Stage resource. Available during the UpdateStage and DeleteStage operations

String

apigateway:Resource/AccessLoggingFormat

Filters access by access log format of the current Stage resource. Available during the UpdateStage and DeleteStage operations

String

apigateway:Resource/ApiKeyRequired

Filters access by the requirement of API key for the existing Route resource. Available during the UpdateRoute and DeleteRoute operations. Also available as a collection during reimport

ArrayOfBool

apigateway:Resource/ApiName

Filters access by API name. Available during the UpdateApi and DeleteApi operations

String

apigateway:Resource/AuthorizerType

Filters access by the current type of authorizer, for example REQUEST or JWT. Available during UpdateAuthorizer and DeleteAuthorizer operations. Also available during import and reimport as an ArrayOfString

ArrayOfString

apigateway:Resource/AuthorizerUri

Filters access by the URI of the current Lambda authorizer associated with the current API. Available during UpdateAuthorizer and DeleteAuthorizer. Also available as a collection during reimport

ArrayOfString

apigateway:Resource/CognitoUserPoolArn

Filters access by a Portal's CognitoUserPoolArn associated with the resource

ARN

apigateway:Resource/ConditionBasePaths

Filters access by base paths defined on the condition of the existing routing rule. Available during the UpdateRoutingRule and DeleteRoutingRule operations

ArrayOfString

apigateway:Resource/DisableExecuteApiEndpoint

Filters access by status of the default execute-api endpoint. Available during the UpdateApi and DeleteApi operations

Bool

apigateway:Resource/EndpointType

Filters access by endpoint type. Available during the UpdateDomainName, DeleteDomainName, UpdateApi, and DeleteApi operations

ArrayOfString

apigateway:Resource/Method

Filters access by a ProductRestEndpointPage's HTTP Method associated with the resource

String

apigateway:Resource/MtlsTrustStoreUri

Filters access by URI of the truststore used for mutual TLS authentication. Available during the UpdateDomainName and DeleteDomainName operations

String

apigateway:Resource/MtlsTrustStoreVersion

Filters access by version of the truststore used for mutual TLS authentication. Available during the UpdateDomainName and DeleteDomainName operations

String

apigateway:Resource/PortalDisplayName

Filters access by a Portal's Display Name associated with the resource

String

apigateway:Resource/PortalDomainName

Filters access by a Portal's vanity domain name associated with the resource

String

apigateway:Resource/PortalProductDisplayName

Filters access by a PortalProduct's Display Name associated with the resource

String

apigateway:Resource/PortalPublishStatus

Filters access by a Portal's published status associated with the resource

String

apigateway:Resource/Priority

Filters access by priority of the existing routing rule. Available during the UpdateRoutingRule and DeleteRoutingRule operations

Numeric

apigateway:Resource/ProductPageTitle

Filters access by a ProductPage's Title associated with the resource

String

apigateway:Resource/ProductRestEndpointPageEndpointPrefix

Filters access by a ProductRestEndpointPage's EndpointPrefix associated with the resource

String

apigateway:Resource/RestApiId

Filters access by a ProductRestEndpointPage's Amazon API Gateway API ID associated with the resource

String

apigateway:Resource/RouteAuthorizationType

Filters access by authorization type of the existing Route resource, for example NONE, AWS_IAM, CUSTOM. Available during the UpdateRoute and DeleteRoute operations. Also available as a collection during reimport

ArrayOfString

apigateway:Resource/RoutingMode

Filters access by routing mode of the existing domain name. Available during the UpdateDomainName and DeleteDomainName operations

String

apigateway:Resource/SecurityPolicy

Filters access by TLS version. Available during the UpdateDomainName and DeleteDomainName operations

ArrayOfString

apigateway:Resource/Stage

Filters access by a ProductRestEndpointPage's Amazon API Gateway Stage Name associated with the resource

String

aws:RequestTag/${TagKey}

Filters access by the presence of tag key-value pairs in the request

String

aws:ResourceTag/${TagKey}

Filters access by tag key-value pairs attached to the resource

String

aws:TagKeys

Filters access by the presence of tag keys in the request

ArrayOfString