API Gateway permission error with malformed ARN

I’m creating a simple API Gateway proxy:

functions:
    handler:
        handler: ./index.handler
        name: ${self:service}
        events:
            - http: GET hello

And I have StackTags defined. When I deploy I get the following error.

Serverless Error ---------------------------------------
 
  User: arn:aws:iam::XXXXXXXXXXX:user/myUser is not authorized to perform: apigateway:PUT on resource: arn:aws:apigateway:us-east-1::/tags/arn%3Aaws%3Aapigateway%3Aus-east-1%3A%3A%2Frestapis%2F9tsrzq5lo0%2Fstages%2Fdev

It successfully creates the API Gateway (without tags). Looks like the above might be trying to add tags. The ARN looks malformed with an encoded string appended to the end. We have a policy that looks like this:

{
      "Effect": "Allow",
      "Action": [
        "apigateway:GET",
        "apigateway:POST",
        "apigateway:PUT",
        "apigateway:DELETE",
        "apigateway:PATCH"
      ],
      "Resource": [
        "arn:aws:apigateway:*::/restapis*"
      ]
    },

The ARN that serverless is showing in the error does not match our resource since it is not a valid ARN. Am I missing something or is this a bug? This worked when our policy’s resource was *

Not a malformed ARN, just a format that I hadn’t seen before. We adjusted our Resource to include /tags and all is well.