This directory contains example IAM policies for controlling access to the GCO manifest submission API through AWS API Gateway.
- Policy Templates
- Getting API Gateway Information
- Applying Policies
- Multi-Region Considerations
- Testing Permissions
- Troubleshooting
- Security Best Practices
Grants complete access to all manifest operations including:
- Submit new manifests (POST)
- List manifests (GET)
- Get manifest status (GET)
- Delete manifests (DELETE)
Use case: Platform administrators, CI/CD pipelines with full deployment permissions
How to use:
- Replace
ACCOUNT_IDwith your AWS account ID - Replace
API_IDwith your API Gateway ID (from CloudFormation outputs) - Attach to IAM users or roles that need full manifest management access
Grants read-only access to manifest operations:
- List manifests (GET)
- Get manifest status (GET)
Use case: Monitoring tools, read-only users, audit systems
How to use:
- Replace
ACCOUNT_IDwith your AWS account ID - Replace
API_IDwith your API Gateway ID (from CloudFormation outputs) - Attach to IAM users or roles that only need to query manifest status
Grants access to manifest operations within a specific namespace only:
- Submit manifests to specific namespace
- List manifests in specific namespace
- Get manifest status in specific namespace
- Delete manifests in specific namespace
Use case: Team-specific access, multi-tenant environments, least-privilege access
How to use:
- Replace
ACCOUNT_IDwith your AWS account ID - Replace
API_IDwith your API Gateway ID (from CloudFormation outputs) - Replace
NAMESPACEwith the Kubernetes namespace (e.g.,my-team-namespace) - Attach to IAM users or roles that should only access specific namespaces
To find your API Gateway ID and construct the correct ARNs:
# Get API Gateway ID from CloudFormation
aws cloudformation describe-stacks \
--stack-name gco-regional-us-east-1 \
--query 'Stacks[0].Outputs[?OutputKey==`ApiGatewayId`].OutputValue' \
--output text
# Get your AWS Account ID
aws sts get-caller-identity --query Account --output text# Create the policy
aws iam create-policy \
--policy-name GCOManifestFullAccess \
--policy-document file://full-access-policy.json
# Attach to user
aws iam attach-user-policy \
--user-name my-user \
--policy-arn arn:aws:iam::ACCOUNT_ID:policy/GCOManifestFullAccess# Attach to role (e.g., for EC2 instances or Lambda functions)
aws iam attach-role-policy \
--role-name my-role \
--policy-arn arn:aws:iam::ACCOUNT_ID:policy/GCOManifestFullAccess# Put inline policy directly on user
aws iam put-user-policy \
--user-name my-user \
--policy-name GCOManifestAccess \
--policy-document file://full-access-policy.jsonIf you have API Gateways deployed in multiple regions, you can use wildcards in the resource ARN:
"Resource": "arn:aws:execute-api:*:ACCOUNT_ID:*/*/POST/api/v1/manifests"Or specify regions explicitly:
"Resource": [
"arn:aws:execute-api:us-east-1:ACCOUNT_ID:API_ID/*/POST/api/v1/manifests",
"arn:aws:execute-api:us-west-2:ACCOUNT_ID:API_ID/*/POST/api/v1/manifests"
]After applying a policy, test access:
# Test with AWS CLI (uses your current credentials)
aws apigateway test-invoke-method \
--rest-api-id API_ID \
--resource-id RESOURCE_ID \
--http-method POST \
--path-with-query-string "/api/v1/manifests"Or use the client examples in docs/client-examples/ to test with real requests.
- Verify the policy is attached to your user/role
- Check that ACCOUNT_ID and API_ID are correct
- Ensure the resource ARN matches the endpoint you're calling
- Check CloudWatch Logs for detailed authorization failures
- This means the request is not signed with AWS SigV4
- Use AWS SDK or CLI which automatically signs requests
- See client examples for proper request signing
- Principle of Least Privilege: Start with read-only or namespace-restricted policies
- Use Roles for Applications: Prefer IAM roles over user credentials for applications
- Rotate Credentials: Regularly rotate IAM user access keys
- Monitor Access: Enable CloudTrail and review API Gateway access logs
- Namespace Isolation: Use namespace-restricted policies for multi-tenant scenarios