View a markdown version of this page

Actions, resources, and condition keys for Amazon API Gateway Management - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon API Gateway Management

Amazon API Gateway Management (service prefix: apigateway) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon API Gateway Management

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

CreateApiKey

apigateway:POST

Write

apigateway:PUT

Write

CreateAuthorizer

apigateway:POST

Write

iam:PassRole

iam:PassedToService

apigateway.amazonaws.com

Write

CreateBasePathMapping

apigateway:POST

Write

CreateDeployment

apigateway:POST

Write

CreateDocumentationPart

apigateway:POST

Write

CreateDocumentationVersion

apigateway:POST

Write

CreateDomainName

apigateway:AddCertificateToDomain

Permissions management, Write

apigateway:POST

Write

apigateway:PUT

Write

apigateway:UpdateDomainNamePolicy

Permissions management, Write

CreateDomainNameAccessAssociation

apigateway:CreateAccessAssociation

Permissions management, Write

apigateway:POST

Write

apigateway:PUT

Write

CreateModel

apigateway:POST

Write

CreateRequestValidator

apigateway:POST

Write

CreateResource

apigateway:POST

Write

CreateRestApi

apigateway:POST

Write

apigateway:PUT

Write

apigateway:UpdateRestApiPolicy

Permissions management, Write

CreateStage

apigateway:POST

Write

apigateway:PUT

Write

CreateUsagePlan

apigateway:POST

Write

apigateway:PUT

Write

CreateUsagePlanKey

apigateway:POST

Write

CreateVpcLink

apigateway:POST

Write

apigateway:PUT

Write

DeleteApiKey

apigateway:DELETE

Write

DeleteAuthorizer

apigateway:DELETE

Write

DeleteBasePathMapping

apigateway:DELETE

Write

DeleteClientCertificate

apigateway:DELETE

Write

DeleteDeployment

apigateway:DELETE

Write

DeleteDocumentationPart

apigateway:DELETE

Write

DeleteDocumentationVersion

apigateway:DELETE

Write

DeleteDomainName

apigateway:DELETE

Write

apigateway:RemoveCertificateFromDomain

Permissions management, Write

DeleteDomainNameAccessAssociation

apigateway:DELETE

Write

DeleteGatewayResponse

apigateway:DELETE

Write

DeleteIntegration

apigateway:DELETE

Write

DeleteIntegrationResponse

apigateway:DELETE

Write

DeleteMethod

apigateway:DELETE

Write

DeleteMethodResponse

apigateway:DELETE

Write

DeleteModel

apigateway:DELETE

Write

DeleteRequestValidator

apigateway:DELETE

Write

DeleteResource

apigateway:DELETE

Write

DeleteRestApi

apigateway:DELETE

Write

DeleteStage

apigateway:DELETE

Write

DeleteUsagePlan

apigateway:DELETE

Write

DeleteUsagePlanKey

apigateway:DELETE

Write

DeleteVpcLink

apigateway:DELETE

Write

FlushStageAuthorizersCache

apigateway:DELETE

Write

FlushStageCache

apigateway:DELETE

Write

GenerateClientCertificate

apigateway:POST

Write

apigateway:PUT

Write

GetAccount

apigateway:GET

Read

GetApiKey

apigateway:GET

Read

GetApiKeys

apigateway:GET

Read

GetAuthorizer

apigateway:GET

Read

GetAuthorizers

apigateway:GET

Read

GetBasePathMapping

apigateway:GET

Read

GetBasePathMappings

apigateway:GET

Read

GetClientCertificate

apigateway:GET

Read

GetClientCertificates

apigateway:GET

Read

GetDeployment

apigateway:GET

Read

GetDeployments

apigateway:GET

Read

GetDocumentationPart

apigateway:GET

Read

GetDocumentationParts

apigateway:GET

Read

GetDocumentationVersion

apigateway:GET

Read

GetDocumentationVersions

apigateway:GET

Read

GetDomainName

apigateway:GET

Read

GetDomainNameAccessAssociations

apigateway:GET

Read

GetDomainNames

apigateway:GET

Read

GetExport

apigateway:GET

Read

GetGatewayResponse

apigateway:GET

Read

GetGatewayResponses

apigateway:GET

Read

GetIntegration

apigateway:GET

Read

GetIntegrationResponse

apigateway:GET

Read

GetMethod

apigateway:GET

Read

GetMethodResponse

apigateway:GET

Read

GetModel

apigateway:GET

Read

GetModelTemplate

apigateway:GET

Read

GetModels

apigateway:GET

Read

GetRequestValidator

apigateway:GET

Read

GetRequestValidators

apigateway:GET

Read

GetResource

apigateway:GET

Read

GetResources

apigateway:GET

Read

GetRestApi

apigateway:GET

Read

GetRestApis

apigateway:GET

Read

GetSdk

apigateway:GET

Read

GetSdkType

apigateway:GET

Read

GetSdkTypes

apigateway:GET

Read

GetStage

apigateway:GET

Read

GetStages

apigateway:GET

Read

GetTags

apigateway:GET

Read

GetUsage

apigateway:GET

Read

GetUsagePlan

apigateway:GET

Read

GetUsagePlanKey

apigateway:GET

Read

GetUsagePlanKeys

apigateway:GET

Read

GetUsagePlans

apigateway:GET

Read

GetVpcLink

apigateway:GET

Read

GetVpcLinks

apigateway:GET

Read

ImportApiKeys

apigateway:POST

Write

ImportDocumentationParts

apigateway:PUT

Write

ImportRestApi

apigateway:POST

Write

apigateway:UpdateRestApiPolicy

Permissions management, Write

iam:PassRole

iam:PassedToService

apigateway.amazonaws.com

Write

PutGatewayResponse

apigateway:PUT

Write

PutIntegration

apigateway:PUT

Write

iam:PassRole

iam:PassedToService

apigateway.amazonaws.com

Write

PutIntegrationResponse

apigateway:PUT

Write

PutMethod

apigateway:PUT

Write

PutMethodResponse

apigateway:PUT

Write

PutRestApi

apigateway:PUT

Write

apigateway:UpdateRestApiPolicy

Permissions management, Write

iam:PassRole

iam:PassedToService

apigateway.amazonaws.com

Write

RejectDomainNameAccessAssociation

apigateway:RejectAccessAssociation

Permissions management, Write

TagResource

apigateway:PATCH

Write

apigateway:POST

Write

apigateway:PUT

Write

TestInvokeAuthorizer

apigateway:POST

Write

TestInvokeMethod

apigateway:POST

Write

UntagResource

apigateway:DELETE

Write

apigateway:PATCH

Write

UpdateAccount

apigateway:PATCH

Write

iam:PassRole

iam:PassedToService

apigateway.amazonaws.com

Write

UpdateApiKey

apigateway:PATCH

Write

UpdateAuthorizer

apigateway:PATCH

Write

iam:PassRole

iam:PassedToService

apigateway.amazonaws.com

Write

UpdateBasePathMapping

apigateway:PATCH

Write

UpdateClientCertificate

apigateway:PATCH

Write

UpdateDeployment

apigateway:PATCH

Write

UpdateDocumentationPart

apigateway:PATCH

Write

UpdateDocumentationVersion

apigateway:PATCH

Write

UpdateDomainName

apigateway:AddCertificateToDomain

Permissions management, Write

apigateway:PATCH

Write

apigateway:RemoveCertificateFromDomain

Permissions management, Write

apigateway:UpdateDomainNameManagementPolicy

Permissions management, Write

apigateway:UpdateDomainNamePolicy

Permissions management, Write

UpdateGatewayResponse

apigateway:PATCH

Write

UpdateIntegration

apigateway:PATCH

Write

iam:PassRole

iam:PassedToService

apigateway.amazonaws.com

Write

UpdateIntegrationResponse

apigateway:PATCH

Write

UpdateMethod

apigateway:PATCH

Write

UpdateMethodResponse

apigateway:PATCH

Write

UpdateModel

apigateway:PATCH

Write

UpdateRequestValidator

apigateway:PATCH

Write

UpdateResource

apigateway:PATCH

Write

UpdateRestApi

apigateway:PATCH

Write

apigateway:UpdateRestApiPolicy

Permissions management, Write

UpdateStage

apigateway:PATCH

Write

UpdateUsage

apigateway:PATCH

Write

UpdateUsagePlan

apigateway:PATCH

Write

UpdateVpcLink

apigateway:PATCH

Write

Actions defined by Amazon API Gateway Management

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

AddCertificateToDomain

Grants permission to add certificates for mutual TLS authentication to a domain name. This is an additional authorization control for managing the DomainName resource due to the sensitive nature of mTLS

DomainName

apigateway:Request/EndpointType

apigateway:Request/MtlsTrustStoreUri

apigateway:Request/MtlsTrustStoreVersion

apigateway:Request/SecurityPolicy

apigateway:Resource/EndpointType

apigateway:Resource/MtlsTrustStoreUri

apigateway:Resource/MtlsTrustStoreVersion

apigateway:Resource/RoutingMode

apigateway:Resource/SecurityPolicy

aws:ResourceTag/${TagKey}

Permissions management, Write

DomainNames

apigateway:Request/EndpointType

apigateway:Request/MtlsTrustStoreUri

apigateway:Request/MtlsTrustStoreVersion

apigateway:Request/SecurityPolicy

apigateway:Resource/RoutingMode

aws:ResourceTag/${TagKey}

CreateAccessAssociation

Grants permission to create an access association from an access association source to a custom domain name for private APIs

PrivateDomainName

apigateway:Request/EndpointType

apigateway:Resource/EndpointType

apigateway:Resource/RoutingMode

aws:ResourceTag/${TagKey}

Permissions management, Write

DELETE

Grants permission to delete a particular resource

ApiKey

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

Authorizer

apigateway:Request/AuthorizerType

apigateway:Resource/AuthorizerType

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

BasePathMapping

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

ClientCertificate

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Deployment

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

DocumentationPart

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

DocumentationVersion

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

DomainName

apigateway:Request/EndpointType

apigateway:Request/MtlsTrustStoreUri

apigateway:Request/MtlsTrustStoreVersion

apigateway:Request/SecurityPolicy

apigateway:Resource/EndpointType

apigateway:Resource/MtlsTrustStoreUri

apigateway:Resource/MtlsTrustStoreVersion

apigateway:Resource/RoutingMode

apigateway:Resource/SecurityPolicy

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

DomainNameAccessAssociation

aws:RequestTag/${TagKey}

aws:TagKeys

GatewayResponse

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Integration

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

IntegrationResponse

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Method

apigateway:Request/ApiKeyRequired

apigateway:Request/RouteAuthorizationType

apigateway:Resource/ApiKeyRequired

apigateway:Resource/RouteAuthorizationType

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

MethodResponse

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Model

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

PrivateBasePathMapping

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

PrivateDomainName

apigateway:Request/EndpointType

apigateway:Resource/EndpointType

apigateway:Resource/RoutingMode

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

RequestValidator

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Resource

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

RestApi

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

apigateway:Request/SecurityPolicy

apigateway:Resource/ApiKeyRequired

apigateway:Resource/ApiName

apigateway:Resource/AuthorizerType

apigateway:Resource/DisableExecuteApiEndpoint

apigateway:Resource/EndpointType

apigateway:Resource/RouteAuthorizationType

apigateway:Resource/SecurityPolicy

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Stage

apigateway:Request/AccessLoggingDestination

apigateway:Request/AccessLoggingFormat

apigateway:Resource/AccessLoggingDestination

apigateway:Resource/AccessLoggingFormat

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tags

aws:RequestTag/${TagKey}

aws:TagKeys

Template

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UsagePlan

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UsagePlanKey

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

VpcLink

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

GET

Grants permission to read a particular resource

Account

Read

ApiKey

aws:ResourceTag/${TagKey}

ApiKeys

aws:ResourceTag/${TagKey}

Authorizer

apigateway:Request/AuthorizerType

apigateway:Resource/AuthorizerType

aws:ResourceTag/${TagKey}

Authorizers

apigateway:Request/AuthorizerType

aws:ResourceTag/${TagKey}

BasePathMapping

aws:ResourceTag/${TagKey}

BasePathMappings

aws:ResourceTag/${TagKey}

ClientCertificate

aws:ResourceTag/${TagKey}

ClientCertificates

aws:ResourceTag/${TagKey}

Deployment

aws:ResourceTag/${TagKey}

Deployments

apigateway:Request/StageName

aws:ResourceTag/${TagKey}

DocumentationPart

aws:ResourceTag/${TagKey}

DocumentationParts

aws:ResourceTag/${TagKey}

DocumentationVersion

aws:ResourceTag/${TagKey}

DocumentationVersions

aws:ResourceTag/${TagKey}

DomainName

apigateway:Request/EndpointType

apigateway:Request/MtlsTrustStoreUri

apigateway:Request/MtlsTrustStoreVersion

apigateway:Request/SecurityPolicy

apigateway:Resource/EndpointType

apigateway:Resource/MtlsTrustStoreUri

apigateway:Resource/MtlsTrustStoreVersion

apigateway:Resource/RoutingMode

apigateway:Resource/SecurityPolicy

aws:ResourceTag/${TagKey}

DomainNameAccessAssociations

apigateway:Request/AccessAssociationSource

apigateway:Request/DomainNameArn

aws:ResourceTag/${TagKey}

DomainNames

apigateway:Request/EndpointType

apigateway:Request/MtlsTrustStoreUri

apigateway:Request/MtlsTrustStoreVersion

apigateway:Request/SecurityPolicy

apigateway:Resource/RoutingMode

aws:ResourceTag/${TagKey}

GatewayResponse

aws:ResourceTag/${TagKey}

GatewayResponses

aws:ResourceTag/${TagKey}

Integration

aws:ResourceTag/${TagKey}

IntegrationResponse

aws:ResourceTag/${TagKey}

Method

apigateway:Request/ApiKeyRequired

apigateway:Request/RouteAuthorizationType

apigateway:Resource/ApiKeyRequired

apigateway:Resource/RouteAuthorizationType

aws:ResourceTag/${TagKey}

MethodResponse

aws:ResourceTag/${TagKey}

Model

aws:ResourceTag/${TagKey}

Models

aws:ResourceTag/${TagKey}

PrivateBasePathMapping

aws:ResourceTag/${TagKey}

PrivateBasePathMappings

aws:ResourceTag/${TagKey}

PrivateDomainName

apigateway:Request/EndpointType

apigateway:Resource/EndpointType

apigateway:Resource/RoutingMode

aws:ResourceTag/${TagKey}

RequestValidator

aws:ResourceTag/${TagKey}

RequestValidators

aws:ResourceTag/${TagKey}

Resource

aws:ResourceTag/${TagKey}

Resources

aws:ResourceTag/${TagKey}

RestApi

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

apigateway:Request/SecurityPolicy

apigateway:Resource/ApiKeyRequired

apigateway:Resource/ApiName

apigateway:Resource/AuthorizerType

apigateway:Resource/DisableExecuteApiEndpoint

apigateway:Resource/EndpointType

apigateway:Resource/RouteAuthorizationType

apigateway:Resource/SecurityPolicy

aws:ResourceTag/${TagKey}

RestApis

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

apigateway:Request/SecurityPolicy

aws:ResourceTag/${TagKey}

Sdk

aws:ResourceTag/${TagKey}

Stage

apigateway:Request/AccessLoggingDestination

apigateway:Request/AccessLoggingFormat

apigateway:Resource/AccessLoggingDestination

apigateway:Resource/AccessLoggingFormat

aws:ResourceTag/${TagKey}

Stages

apigateway:Request/AccessLoggingDestination

apigateway:Request/AccessLoggingFormat

aws:ResourceTag/${TagKey}

Tags

UsagePlan

aws:ResourceTag/${TagKey}

UsagePlanKey

aws:ResourceTag/${TagKey}

UsagePlanKeys

aws:ResourceTag/${TagKey}

UsagePlans

aws:ResourceTag/${TagKey}

VpcLink

aws:ResourceTag/${TagKey}

VpcLinks

aws:ResourceTag/${TagKey}

PATCH

Grants permission to update a particular resource

Account

aws:RequestTag/${TagKey}

aws:TagKeys

Write

ApiKey

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Authorizer

apigateway:Request/AuthorizerType

apigateway:Resource/AuthorizerType

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

BasePathMapping

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

ClientCertificate

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Deployment

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

DocumentationPart

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

DocumentationVersion

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

DomainName

apigateway:Request/EndpointType

apigateway:Request/MtlsTrustStoreUri

apigateway:Request/MtlsTrustStoreVersion

apigateway:Request/SecurityPolicy

apigateway:Resource/EndpointType

apigateway:Resource/MtlsTrustStoreUri

apigateway:Resource/MtlsTrustStoreVersion

apigateway:Resource/RoutingMode

apigateway:Resource/SecurityPolicy

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

GatewayResponse

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Integration

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

IntegrationResponse

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Method

apigateway:Request/ApiKeyRequired

apigateway:Request/RouteAuthorizationType

apigateway:Resource/ApiKeyRequired

apigateway:Resource/RouteAuthorizationType

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

MethodResponse

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Model

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

PrivateBasePathMapping

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

PrivateDomainName

apigateway:Request/EndpointType

apigateway:Resource/EndpointType

apigateway:Resource/RoutingMode

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

RequestValidator

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Resource

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

RestApi

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

apigateway:Request/SecurityPolicy

apigateway:Resource/ApiKeyRequired

apigateway:Resource/ApiName

apigateway:Resource/AuthorizerType

apigateway:Resource/DisableExecuteApiEndpoint

apigateway:Resource/EndpointType

apigateway:Resource/RouteAuthorizationType

apigateway:Resource/SecurityPolicy

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Stage

apigateway:Request/AccessLoggingDestination

apigateway:Request/AccessLoggingFormat

apigateway:Resource/AccessLoggingDestination

apigateway:Resource/AccessLoggingFormat

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Template

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UsagePlan

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UsagePlanKey

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

VpcLink

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

POST

Grants permission to create a particular resource

ApiKeys

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

Authorizers

apigateway:Request/AuthorizerType

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

BasePathMappings

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

ClientCertificates

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Deployments

apigateway:Request/StageName

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

DocumentationParts

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

DocumentationVersions

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

DomainNameAccessAssociations

apigateway:Request/AccessAssociationSource

apigateway:Request/DomainNameArn

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

DomainNames

apigateway:Request/EndpointType

apigateway:Request/MtlsTrustStoreUri

apigateway:Request/MtlsTrustStoreVersion

apigateway:Request/SecurityPolicy

apigateway:Resource/RoutingMode

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

GatewayResponses

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

IntegrationResponse

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

MethodResponse

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Models

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

PrivateBasePathMappings

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

RequestValidators

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Resources

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

RestApis

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

apigateway:Request/SecurityPolicy

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Stages

apigateway:Request/AccessLoggingDestination

apigateway:Request/AccessLoggingFormat

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UsagePlanKeys

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UsagePlans

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

VpcLinks

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

PUT

Grants permission to update a particular resource

DocumentationPart

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

GatewayResponse

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

IntegrationResponse

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

MethodResponse

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

RestApi

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

apigateway:Request/SecurityPolicy

apigateway:Resource/ApiKeyRequired

apigateway:Resource/ApiName

apigateway:Resource/AuthorizerType

apigateway:Resource/DisableExecuteApiEndpoint

apigateway:Resource/EndpointType

apigateway:Resource/RouteAuthorizationType

apigateway:Resource/SecurityPolicy

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tags

aws:RequestTag/${TagKey}

aws:TagKeys

RejectAccessAssociation

Grants permission to reject an existing access association owned by another account to a custom domain name for private APIs

PrivateDomainName

apigateway:Request/EndpointType

apigateway:Resource/EndpointType

apigateway:Resource/RoutingMode

aws:ResourceTag/${TagKey}

Permissions management, Write

RemoveCertificateFromDomain

Grants permission to remove certificates for mutual TLS authentication from a domain name. This is an additional authorization control for managing the DomainName resource due to the sensitive nature of mTLS

DomainName

apigateway:Request/EndpointType

apigateway:Request/MtlsTrustStoreUri

apigateway:Request/MtlsTrustStoreVersion

apigateway:Request/SecurityPolicy

apigateway:Resource/EndpointType

apigateway:Resource/MtlsTrustStoreUri

apigateway:Resource/MtlsTrustStoreVersion

apigateway:Resource/RoutingMode

apigateway:Resource/SecurityPolicy

aws:ResourceTag/${TagKey}

Permissions management, Write

DomainNames

apigateway:Request/EndpointType

apigateway:Request/MtlsTrustStoreUri

apigateway:Request/MtlsTrustStoreVersion

apigateway:Request/SecurityPolicy

apigateway:Resource/RoutingMode

aws:ResourceTag/${TagKey}

SetWebACL

Grants permission to set a WAF access control list (ACL). This is an additional authorization control for managing the Stage resource due to the sensitive nature of WebAcl's

Stage

apigateway:Request/AccessLoggingDestination

apigateway:Request/AccessLoggingFormat

apigateway:Resource/AccessLoggingDestination

apigateway:Resource/AccessLoggingFormat

aws:ResourceTag/${TagKey}

Permissions management, Write

Stages

apigateway:Request/AccessLoggingDestination

apigateway:Request/AccessLoggingFormat

aws:ResourceTag/${TagKey}

UpdateDomainNameManagementPolicy

Grants permission to update the management policy of a custom domain name for private APIs

PrivateDomainName

apigateway:Request/EndpointType

apigateway:Resource/EndpointType

apigateway:Resource/RoutingMode

aws:ResourceTag/${TagKey}

Permissions management, Write

UpdateDomainNamePolicy

Grants permission to update the invoke policy of a custom domain name for private APIs

DomainNames

apigateway:Request/EndpointType

apigateway:Request/MtlsTrustStoreUri

apigateway:Request/MtlsTrustStoreVersion

apigateway:Request/SecurityPolicy

apigateway:Resource/RoutingMode

aws:ResourceTag/${TagKey}

Permissions management, Write

PrivateDomainName

apigateway:Request/EndpointType

apigateway:Resource/EndpointType

apigateway:Resource/RoutingMode

aws:ResourceTag/${TagKey}

UpdateRestApiPolicy

Grants permission to manage the IAM resource policy for an API. This is an additional authorization control for managing an API due to the sensitive nature of the resource policy

RestApi

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

apigateway:Request/SecurityPolicy

apigateway:Resource/ApiKeyRequired

apigateway:Resource/ApiName

apigateway:Resource/AuthorizerType

apigateway:Resource/DisableExecuteApiEndpoint

apigateway:Resource/EndpointType

apigateway:Resource/RouteAuthorizationType

apigateway:Resource/SecurityPolicy

aws:ResourceTag/${TagKey}

Permissions management, Write

RestApis

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

apigateway:Request/SecurityPolicy

aws:ResourceTag/${TagKey}

Resource types defined by Amazon API Gateway Management

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

Account

arn:${Partition}:apigateway:${Region}::/account

ApiKey

arn:${Partition}:apigateway:${Region}::/apikeys/${ApiKeyId}

aws:ResourceTag/${TagKey}

ApiKeys

arn:${Partition}:apigateway:${Region}::/apikeys

aws:ResourceTag/${TagKey}

Authorizer

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/authorizers/${AuthorizerId}, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/authorizers/${AuthorizerId}

apigateway:Request/AuthorizerType

apigateway:Resource/AuthorizerType

aws:ResourceTag/${TagKey}

Authorizers

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/authorizers, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/authorizers

apigateway:Request/AuthorizerType

aws:ResourceTag/${TagKey}

BasePathMapping

arn:${Partition}:apigateway:${Region}::/domainnames/${DomainName}/basepathmappings/${BasePath}

aws:ResourceTag/${TagKey}

BasePathMappings

arn:${Partition}:apigateway:${Region}::/domainnames/${DomainName}/basepathmappings

aws:ResourceTag/${TagKey}

ClientCertificate

arn:${Partition}:apigateway:${Region}::/clientcertificates/${ClientCertificateId}

aws:ResourceTag/${TagKey}

ClientCertificates

arn:${Partition}:apigateway:${Region}::/clientcertificates

aws:ResourceTag/${TagKey}

Deployment

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/deployments/${DeploymentId}, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/deployments/${DeploymentId}

aws:ResourceTag/${TagKey}

Deployments

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/deployments, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/deployments

apigateway:Request/StageName

aws:ResourceTag/${TagKey}

DocumentationPart

arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/documentation/parts/${DocumentationPartId}

aws:ResourceTag/${TagKey}

DocumentationParts

arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/documentation/parts

aws:ResourceTag/${TagKey}

DocumentationVersion

arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/documentation/versions/${DocumentationVersionId}

aws:ResourceTag/${TagKey}

DocumentationVersions

arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/documentation/versions

aws:ResourceTag/${TagKey}

DomainName

arn:${Partition}:apigateway:${Region}::/domainnames/${DomainName}

apigateway:Request/EndpointType

apigateway:Request/MtlsTrustStoreUri

apigateway:Request/MtlsTrustStoreVersion

apigateway:Request/SecurityPolicy

apigateway:Resource/EndpointType

apigateway:Resource/MtlsTrustStoreUri

apigateway:Resource/MtlsTrustStoreVersion

apigateway:Resource/RoutingMode

apigateway:Resource/SecurityPolicy

aws:ResourceTag/${TagKey}

DomainNameAccessAssociation

arn:${Partition}:apigateway:${Region}:${Account}:/domainnameaccessassociations/domainname/${DomainName}/${SourceType}/${SourceId}

DomainNameAccessAssociations

arn:${Partition}:apigateway:${Region}:${Account}:/domainnameaccessassociations

apigateway:Request/AccessAssociationSource

apigateway:Request/DomainNameArn

aws:ResourceTag/${TagKey}

DomainNames

arn:${Partition}:apigateway:${Region}::/domainnames

apigateway:Request/EndpointType

apigateway:Request/MtlsTrustStoreUri

apigateway:Request/MtlsTrustStoreVersion

apigateway:Request/SecurityPolicy

apigateway:Resource/RoutingMode

aws:ResourceTag/${TagKey}

GatewayResponse

arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/gatewayresponses/${ResponseType}

aws:ResourceTag/${TagKey}

GatewayResponses

arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/gatewayresponses

aws:ResourceTag/${TagKey}

Integration

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/integrations/${IntegrationId}, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/resources/${ResourceId}/methods/${HttpMethodType}/integration

aws:ResourceTag/${TagKey}

IntegrationResponse

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/integrations/${IntegrationId}/integrationresponses/${IntegrationResponseId}, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/resources/${ResourceId}/methods/${HttpMethodType}/integration/responses/${StatusCode}

aws:ResourceTag/${TagKey}

Method

arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/resources/${ResourceId}/methods/${HttpMethodType}

apigateway:Request/ApiKeyRequired

apigateway:Request/RouteAuthorizationType

apigateway:Resource/ApiKeyRequired

apigateway:Resource/RouteAuthorizationType

aws:ResourceTag/${TagKey}

MethodResponse

arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/resources/${ResourceId}/methods/${HttpMethodType}/responses/${StatusCode}

aws:ResourceTag/${TagKey}

Model

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/models/${ModelId}, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/models/${ModelName}

aws:ResourceTag/${TagKey}

Models

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/models, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/models

aws:ResourceTag/${TagKey}

PrivateBasePathMapping

arn:${Partition}:apigateway:${Region}::/domainnames/${DomainName}+${DomainIdentifier}/basepathmappings/${BasePath}

aws:ResourceTag/${TagKey}

PrivateBasePathMappings

arn:${Partition}:apigateway:${Region}::/domainnames/${DomainName}+${DomainIdentifier}/basepathmappings

aws:ResourceTag/${TagKey}

PrivateDomainName

arn:${Partition}:apigateway:${Region}:${Account}:/domainnames/${DomainName}+${DomainIdentifier}

apigateway:Request/EndpointType

apigateway:Resource/EndpointType

apigateway:Resource/RoutingMode

aws:ResourceTag/${TagKey}

RequestValidator

arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/requestvalidators/${RequestValidatorId}

aws:ResourceTag/${TagKey}

RequestValidators

arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/requestvalidators

aws:ResourceTag/${TagKey}

Resource

arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/resources/${ResourceId}

aws:ResourceTag/${TagKey}

Resources

arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/resources

aws:ResourceTag/${TagKey}

RestApi

arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

apigateway:Request/SecurityPolicy

apigateway:Resource/ApiKeyRequired

apigateway:Resource/ApiName

apigateway:Resource/AuthorizerType

apigateway:Resource/DisableExecuteApiEndpoint

apigateway:Resource/EndpointType

apigateway:Resource/RouteAuthorizationType

apigateway:Resource/SecurityPolicy

aws:ResourceTag/${TagKey}

RestApis

arn:${Partition}:apigateway:${Region}::/restapis

apigateway:Request/ApiKeyRequired

apigateway:Request/ApiName

apigateway:Request/AuthorizerType

apigateway:Request/DisableExecuteApiEndpoint

apigateway:Request/EndpointType

apigateway:Request/RouteAuthorizationType

apigateway:Request/SecurityPolicy

aws:ResourceTag/${TagKey}

Sdk

arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/stages/${StageName}/sdks/${SdkType}

aws:ResourceTag/${TagKey}

Stage

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/stages/${StageName}, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/stages/${StageName}

apigateway:Request/AccessLoggingDestination

apigateway:Request/AccessLoggingFormat

apigateway:Resource/AccessLoggingDestination

apigateway:Resource/AccessLoggingFormat

aws:ResourceTag/${TagKey}

Stages

arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/stages, arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/stages

apigateway:Request/AccessLoggingDestination

apigateway:Request/AccessLoggingFormat

aws:ResourceTag/${TagKey}

Tags

arn:${Partition}:apigateway:${Region}::/tags/${UrlEncodedResourceARN}

Template

arn:${Partition}:apigateway:${Region}::/restapis/models/${ModelName}/template

aws:ResourceTag/${TagKey}

UsagePlan

arn:${Partition}:apigateway:${Region}::/usageplans/${UsagePlanId}

aws:ResourceTag/${TagKey}

UsagePlanKey

arn:${Partition}:apigateway:${Region}::/usageplans/${UsagePlanId}/keys/${Id}

aws:ResourceTag/${TagKey}

UsagePlanKeys

arn:${Partition}:apigateway:${Region}::/usageplans/${UsagePlanId}/keys

aws:ResourceTag/${TagKey}

UsagePlans

arn:${Partition}:apigateway:${Region}::/usageplans

aws:ResourceTag/${TagKey}

VpcLink

arn:${Partition}:apigateway:${Region}::/vpclinks/${VpcLinkId}

aws:ResourceTag/${TagKey}

VpcLinks

arn:${Partition}:apigateway:${Region}::/vpclinks

aws:ResourceTag/${TagKey}

Condition keys for Amazon API Gateway Management

Amazon API Gateway Management defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

apigateway:Request/AccessAssociationSource

Filters access by access association source. Available during the CreateDomainNameAccessAssociation operation

String

apigateway:Request/AccessLoggingDestination

Filters access by access log destination. Available during the CreateStage and UpdateStage operations

String

apigateway:Request/AccessLoggingFormat

Filters access by access log format. Available during the CreateStage and UpdateStage operations

String

apigateway:Request/ApiKeyRequired

Filters access by whether an API key is required or not. Available during the CreateMethod and PutMethod operations. Also available as a collection during import and reimport

ArrayOfBool

apigateway:Request/ApiName

Filters access by API name. Available during the CreateRestApi and UpdateRestApi operations

String

apigateway:Request/AuthorizerType

Filters access by type of authorizer in the request, for example TOKEN, REQUEST, JWT. Available during CreateAuthorizer and UpdateAuthorizer. Also available during import and reimport as an ArrayOfString

ArrayOfString

apigateway:Request/DisableExecuteApiEndpoint

Filters access by status of the default execute-api endpoint. Available during the CreateRestApi and DeleteRestApi operations

Bool

apigateway:Request/DomainNameArn

Filters access by domain name ARN. Available during the CreateDomainNameAccessAssociation operation

ARN

apigateway:Request/EndpointType

Filters access by endpoint type. Available during the CreateDomainName, UpdateDomainName, CreateRestApi, and UpdateRestApi operations

ArrayOfString

apigateway:Request/MtlsTrustStoreUri

Filters access by URI of the truststore used for mutual TLS authentication. Available during the CreateDomainName and UpdateDomainName operations

String

apigateway:Request/MtlsTrustStoreVersion

Filters access by version of the truststore used for mutual TLS authentication. Available during the CreateDomainName and UpdateDomainName operations

String

apigateway:Request/RouteAuthorizationType

Filters access by authorization type, for example NONE, AWS_IAM, CUSTOM, JWT, COGNITO_USER_POOLS. Available during the CreateMethod and PutMethod operations Also available as a collection during import

ArrayOfString

apigateway:Request/RoutingMode

Filters access by routing mode of the domain name. Available during the CreateDomainName and UpdateDomainName operations

String

apigateway:Request/SecurityPolicy

Filters access by TLS version. Available during the CreateDomain and UpdateDomain operations

ArrayOfString

apigateway:Request/StageName

Filters access by stage name of the deployment that you attempt to create. Available during the CreateDeployment operation

String

apigateway:Resource/AccessLoggingDestination

Filters access by access log destination of the current Stage resource. Available during the UpdateStage and DeleteStage operations

String

apigateway:Resource/AccessLoggingFormat

Filters access by access log format of the current Stage resource. Available during the UpdateStage and DeleteStage operations

String

apigateway:Resource/ApiKeyRequired

Filters access by whether an API key is required or not for the existing Method resource. Available during the PutMethod and DeleteMethod operations. Also available as a collection during reimport

ArrayOfBool

apigateway:Resource/ApiName

Filters access by API name of the existing RestApi resource. Available during UpdateRestApi and DeleteRestApi operations

String

apigateway:Resource/AuthorizerType

Filters access by the current type of authorizer, for example TOKEN, REQUEST, JWT. Available during UpdateAuthorizer and DeleteAuthorizer operations. Also available during reimport as an ArrayOfString

ArrayOfString

apigateway:Resource/DisableExecuteApiEndpoint

Filters access by status of the default execute-api endpoint of the current RestApi resource. Available during UpdateRestApi and DeleteRestApi operations

Bool

apigateway:Resource/EndpointType

Filters access by endpoint type. Available during the UpdateDomainName, DeleteDomainName, UpdateRestApi, and DeleteRestApi operations

ArrayOfString

apigateway:Resource/MtlsTrustStoreUri

Filters access by URI of the truststore used for mutual TLS authentication. Available during UpdateDomainName and DeleteDomainName operations

String

apigateway:Resource/MtlsTrustStoreVersion

Filters access by version of the truststore used for mutual TLS authentication. Available during UpdateDomainName and DeleteDomainName operations

String

apigateway:Resource/RouteAuthorizationType

Filters access by authorization type of the existing Method resource, for example NONE, AWS_IAM, CUSTOM, JWT, COGNITO_USER_POOLS. Available during the PutMethod and DeleteMethod operations. Also available as a collection during reimport

ArrayOfString

apigateway:Resource/RoutingMode

Filters access by routing mode of the domain name. Available during the UpdateDomainName and DeleteDomainName operations

String

apigateway:Resource/SecurityPolicy

Filters access by TLS version. Available during UpdateDomain and DeleteDomain operations

ArrayOfString

aws:RequestTag/${TagKey}

Filters access by the tag key-value pairs in the request

String

aws:ResourceTag/${TagKey}

Filters access by the tags attached to the resource

String

aws:TagKeys

Filters access by the tag keys in the request

ArrayOfString