http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html
The API-executing Resource expression has the following general format:
where:
- region is the AWS region (such as us-east-1 or * for all AWS regions) that corresponds to the deployed API for the method.
- account-id is the 12-digit AWS account ID of the REST API owner.
- api-id is the identifier API Gateway has assigned to the API for the method. (* can be used for all APIs, regardless of the API's identifier.)
- stage-name is the name of the stage associated with the method. (* can be used for all stages, regardless of the stage's name.)
- HTTP-VERB is the HTTP verb for the method. It can be one of the following: GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS.
- resource-path-specifier is the path to the desired method. (* can be used for all paths.)
Some example resource expressions include:
- arn:aws:execute-api:*:*:* for any resource path in any stage, for any API in any AWS region. (This is equivalent to *.)
- arn:aws:execute-api:us-east-1:*:* for any resource path in any stage, for any API in the AWS region of us-east-1.
- arn:aws:execute-api:us-east-1:*:api-id/* for any resource path in any stage, for the API with the identifier of api-id in the AWS region of us-east-1.
- arn:aws:execute-api:us-east-1:*:api-id/test/* for any resource path in the stage of test, for the API with the identifier of api-id in the AWS region of us-east-1.
- arn:aws:execute-api:us-east-1:*:api-id/test/*/mydemoresource/* for any resource path along the path of mydemoresource, for any HTTP method in the stage of test, for the API with the identifier of api-id in the AWS region of us-east-1.
- arn:aws:execute-api:us-east-1:*:api-id/test/GET/mydemoresource/* for GET methods under any resource path along the path of mydemoresource, in the stage of test, for the API with the identifier of api-id in the AWS region of us-east-1.
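
When reviewing a policy it helps to see which components a Resource expression leaves open and whether it covers a given method. The sketch below is an added example, not AWS code: parse_resource, wildcarded and allows are hypothetical helper names, the method ARNs are constructed, and the matching is a simplified model of IAM wildcards (* matches any run of characters, ? matches one), not the IAM evaluator itself.

```python
import re

FIELDS = ("api-id", "stage-name", "HTTP-VERB", "resource-path-specifier")

def parse_resource(expr):
    """Split an execute-api Resource expression into the page's components."""
    if expr == "*":                      # the page: equivalent to all-wildcards
        expr = "arn:aws:execute-api:*:*:*"
    parts = expr.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "execute-api":
        raise ValueError(f"not an execute-api ARN: {expr!r}")
    out = {"region": parts[3], "account-id": parts[4]}
    tail = parts[5].split("/", 3)
    for i, name in enumerate(FIELDS):
        # Components omitted after a trailing '*' are covered by that '*'.
        if i < len(tail):
            out[name] = tail[i]
        else:
            out[name] = "*" if tail[-1].endswith("*") else ""
    return out

def wildcarded(expr):
    """Names of components left fully open ('*'), for least-privilege review."""
    return [k for k, v in parse_resource(expr).items() if v == "*"]

def _glob(pattern):
    # Simplified model: '*' = any run of characters ('/' included), '?' = one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.compile(rx, re.S)

def allows(expr, method_arn):
    """True if the Resource expression covers the concrete method ARN."""
    if expr == "*":
        return True
    p, m = expr.split(":", 5), method_arn.split(":", 5)
    return len(p) == len(m) == 6 and all(
        _glob(a).fullmatch(b) for a, b in zip(p, m))

# Constructed method ARNs; account 123456789012 and the paths are made up,
# "api-id" is the page's own placeholder.
BASE = "arn:aws:execute-api:us-east-1:123456789012:api-id/test/"
GET_ITEM = BASE + "GET/mydemoresource/items"
POST_ITEM = BASE + "POST/mydemoresource/items"

if __name__ == "__main__":
    for expr in ("arn:aws:execute-api:us-east-1:*:api-id/test/GET/mydemoresource/*",
                 "arn:aws:execute-api:us-east-1:*:api-id/test/*/mydemoresource/*"):
        print(expr, allows(expr, GET_ITEM), allows(expr, POST_ITEM), wildcarded(expr))
```

Because * in this model also matches /, a * in the HTTP-VERB position can absorb extra path segments; confirm the effective scope of a real policy with the IAM policy simulator.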