Is it possible for the Execution role in the API Gateway AWS Service integration config to inherit policy permissions from the running user?
Currently we are using a custom authorizer for API auth which as its output returns a policy document with statementOne.Action = 'execute-api:Invoke'. Is it possible to restrict or increase the permissions an API has when integrating API Gateway with other AWS services such as S3?
For example, is it possible to have a custom authorizer with an API Gateway S3 proxy and set a conditional IAM policy to only allow the userId (set via the principalId) to get S3 objects that are prefixed with their userId?
See the execution role in this image from the AWS docs, taken from here:
Yes, it is possible to pass through the IAM identity from the invoking user. You can do this by filling in arn:aws:iam::*:user/* as the execution role. More details can be found in the AWS docs.
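As an added illustration (not from the question, the answer or AWS), here is where that value goes when the API is defined as an OpenAPI document with the x-amazon-apigateway-integration extension: the integration's credentials field is set to the caller-passthrough ARN instead of a fixed execution role, so the request to S3 runs with the invoking user's own IAM permissions and whatever prefix restrictions that user's policy carries. Bucket, region, path names and the sigv4 security scheme are constructed for the example; passthrough assumes the method is authorized with IAM (AWS_IAM), since that is what supplies the caller's credentials.

```yaml
openapi: "3.0.1"
info:
  title: "s3-proxy-passthrough-example"   # constructed name, not a real API
paths:
  /{bucket}/{key}:
    get:
      # IAM (SigV4) authorization: the caller signs the request, which is the
      # identity that the integration below forwards to S3.
      security:
        - sigv4: []
      parameters:
        - name: bucket
          in: path
          required: true
          schema:
            type: string
        - name: key
          in: path
          required: true
          schema:
            type: string
      x-amazon-apigateway-integration:
        type: aws
        httpMethod: GET
        # S3 service integration (region constructed for the example)
        uri: "arn:aws:apigateway:us-east-1:s3:path/{bucket}/{key}"
        # Caller-credential passthrough instead of a fixed execution role ARN:
        # S3 evaluates the invoking user's own IAM policy, so a user whose
        # policy only allows s3:GetObject under their own prefix cannot read
        # other users' objects through this API.
        credentials: "arn:aws:iam::*:user/*"
        requestParameters:
          integration.request.path.bucket: "method.request.path.bucket"
          integration.request.path.key: "method.request.path.key"
        responses:
          default:
            statusCode: "200"
      responses:
        "200":
          description: "object body returned from S3"
components:
  securitySchemes:
    sigv4:
      type: apiKey
      name: Authorization
      in: header
      x-amazon-apigateway-authtype: awsSigv4
```

With passthrough, the effective permission set is the caller's IAM policy rather than anything the API defines, so the per-user prefix limit asked about above is expressed in the users' own policies and API Gateway adds no extra grant.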