Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Private API Gateway 403 errors

0

I'm toying with API gateway and have run into an issue in which one account gets a 403 Forbidden Error. VPCE's are setup in two accounts. The Account where the api gateway and one of the VPCE's resides works just fine, however the second account does not. The forbidden message is just that "Forbidden" so very unhelpful. Any ideas on how to resolve the 403's?

Calling it like so:

curl -v https://vpce-0c868a4b1293a28b5-6gi9t6mm.execute-api.us-east-1.vpce.amazonaws.com/dev -H 'Host: abc123defg.execute-api.us-east-1.amazonaws.com'

Resource policy is as follows (I did replace the account id and actual api id with something random):

vpce-078ec1da4e3a0deb3 = VPCE in account where API gateway resides. vpce-0c868a4b1293a28b5 = VPCE in secondary account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:123456789123:abc123defg/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": [
                        "vpce-0925a8e90cbab6f12",
                        "vpce-078ec1da4e3a0deb3",
                        "vpce-0c868a4b1293a28b5"
                    ],
                    "aws:SourceIP": [
                        "10.0.0.0/8",
                        "63.237.3.169/32"
                    ],
                    "aws:sourceVpc": "vpc-06f730a7eb116c752"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:1234567891323:abc123defg/*"
        }
    ]
}
Themen
Vernetzung & Bereitstellung von InhaltenServerlosFrontend-Web & Mobile
Tags
Amazon VPCAmazon API-Gateway
Sprache
English
raithedavion
gefragt vor einem Jahr397 Aufrufe
3 Antworten
0
Akzeptierte Antwort

Hi,

Apart that you can troubleshoot further here: https://repost.aws/knowledge-center/api-gateway-private-cross-account-vpce, Can you try to invoke the api gw as https://<api-gw-id>-<vpce-url> As described in “associate/disassociate” section in https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html?

Let me know

profile picture
EXPERTE
Antonio_Lagrotteria
beantwortet vor einem Jahr
0

I've followed those steps and I'm still getting 403 errors. I actually followed them before I posted. No matter the calling method, I always get 403 Forbidden error when calling from the secondary account. Note, I have to use the public DNS in some cases due to non-vpc systems having to call the gateway.

UPDATE: I did just do yet another re-deploy and tried the <apiid>.execute-api.us-east-1.amazonaws.com method and it worked from within the secondary account VPC. Now I just need to make it work via the public DNS.

raithedavion
beantwortet vor einem Jahr
0

And now the public is working too. Maybe I forgot to re-deploy or I'm just really bad at copy pasta on Friday. Thanks alatech.

raithedavion
beantwortet vor einem Jahr

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt