I strongly believe that this has something to do with the ARN format.
I have created a rest API with just a put action and this API would upload files to S3 bucket.
I have created an IAM user called integration_test. Now I want this user to only have one permission which is access to the above api and only allow PUT action. If I grant this user the AWS managed ApiGatewayInvokeFullAccess it works.
This is what I got so far.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"execute-api:Invoke",
"apigateway:PUT"
],
"Resource": "arn:aws-us-gov:apigateway:us-gov-west-1::/api/account-id:api:id/stages/dev/PUT/*"
}
]
}
Also want to put out that I am on the AWS GOV cloud.
UPDATE - After trying out Willis answer -
If I remove that colon I see an error appearing on the edit screen.
As far as I can see, the action
apigateway:PUThas no impact because the resource does not belong to the apigateway action.And I would say that your resource is wrong, see https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html. Check out the syntax and correct it like
arn:aws-us-gov:execute-api:us-gov-west-1::<api-id>/dev/PUT/*