AWS::Location::APIKey ApiKeyRestrictions - AWS CloudFormation
SyntaxProperties

AWS::Location::APIKey ApiKeyRestrictions

API Restrictions on the allowed actions, resources, and referers for an API key resource.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "AllowActions" : [ String, ... ],
  "AllowReferers" : [ String, ... ],
  "AllowResources" : [ String, ... ]
}

YAML

  AllowActions: 
    - String
  AllowReferers: 
    - String
  AllowResources: 
    - String

Properties

AllowActions

A list of allowed actions that an API key resource grants permissions to perform. You must have at least one action for each type of resource. For example, if you have a place resource, you must include at least one place action.

The following are valid values for the actions.

  • Map actions

    • geo:GetMap* - Allows all actions needed for map rendering.

  • Place actions

    • geo:SearchPlaceIndexForText - Allows geocoding.

    • geo:SearchPlaceIndexForPosition - Allows reverse geocoding.

    • geo:SearchPlaceIndexForSuggestions - Allows generating suggestions from text.

    • geo:GetPlace - Allows finding a place by place ID.

  • Route actions

    • geo:CalculateRoute - Allows point to point routing.

    • geo:CalculateRouteMatrix - Allows calculating a matrix of routes.

Note

You must use these strings exactly. For example, to provide access to map rendering, the only valid action is geo:GetMap* as an input to the list. ["geo:GetMap*"] is valid but ["geo:GetMapTile"] is not. Similarly, you cannot use ["geo:SearchPlaceIndexFor*"] - you must list each of the Place actions separately.

Required: Yes

Type: Array of String

Minimum: 5 | 1

Maximum: 200 | 24

Update requires: No interruption

AllowReferers

An optional list of allowed HTTP referers for which requests must originate from. Requests using this API key from other domains will not be allowed.

Requirements:

  • Contain only alphanumeric characters (A–Z, a–z, 0–9) or any symbols in this list $\-._+!*`(),;/?:@=&

  • May contain a percent (%) if followed by 2 hexadecimal digits (A-F, a-f, 0-9); this is used for URL encoding purposes.

  • May contain wildcard characters question mark (?) and asterisk (*).

    Question mark (?) will replace any single character (including hexadecimal digits).

    Asterisk (*) will replace any multiple characters (including multiple hexadecimal digits).

  • No spaces allowed. For example, https://example.com.

Required: No

Type: Array of String

Minimum: 1

Maximum: 253 | 5

Update requires: No interruption

AllowResources

A list of allowed resource ARNs that a API key bearer can perform actions on.

  • The ARN must be the correct ARN for a map, place, or route ARN. You may include wildcards in the resource-id to match multiple resources of the same type.

  • The resources must be in the same partition, region, and account-id as the key that is being created.

  • Other than wildcards, you must include the full ARN, including the arn, partition, service, region, account-id and resource-id delimited by colons (:).

  • No spaces allowed, even with wildcards. For example, arn:aws:geo:region:account-id:map/ExampleMap*.

For more information about ARN format, see Amazon Resource Names (ARNs).

Required: Yes

Type: Array of String

Minimum: 1

Maximum: 1600 | 8

Update requires: No interruption