Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Private API Gateway 403 errors

0

I'm toying with API gateway and have run into an issue in which one account gets a 403 Forbidden Error. VPCE's are setup in two accounts. The Account where the api gateway and one of the VPCE's resides works just fine, however the second account does not. The forbidden message is just that "Forbidden" so very unhelpful. Any ideas on how to resolve the 403's?

Calling it like so:

curl -v https://vpce-0c868a4b1293a28b5-6gi9t6mm.execute-api.us-east-1.vpce.amazonaws.com/dev -H 'Host: abc123defg.execute-api.us-east-1.amazonaws.com'

Resource policy is as follows (I did replace the account id and actual api id with something random):

vpce-078ec1da4e3a0deb3 = VPCE in account where API gateway resides. vpce-0c868a4b1293a28b5 = VPCE in secondary account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:123456789123:abc123defg/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": [
                        "vpce-0925a8e90cbab6f12",
                        "vpce-078ec1da4e3a0deb3",
                        "vpce-0c868a4b1293a28b5"
                    ],
                    "aws:SourceIP": [
                        "10.0.0.0/8",
                        "63.237.3.169/32"
                    ],
                    "aws:sourceVpc": "vpc-06f730a7eb116c752"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:1234567891323:abc123defg/*"
        }
    ]
}
Temas
Redes y entrega de contenidoSin servidorWeb y móvil front-end
Etiquetas
Amazon VPCAmazon API Gateway
Idioma
English
raithedavion
preguntada hace un año397 visualizaciones
3 Respuestas
0
Respuesta aceptada

Hi,

Apart that you can troubleshoot further here: https://repost.aws/knowledge-center/api-gateway-private-cross-account-vpce, Can you try to invoke the api gw as https://<api-gw-id>-<vpce-url> As described in “associate/disassociate” section in https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html?

Let me know

profile picture
EXPERTO
Antonio_Lagrotteria
respondido hace un año
0

I've followed those steps and I'm still getting 403 errors. I actually followed them before I posted. No matter the calling method, I always get 403 Forbidden error when calling from the secondary account. Note, I have to use the public DNS in some cases due to non-vpc systems having to call the gateway.

UPDATE: I did just do yet another re-deploy and tried the <apiid>.execute-api.us-east-1.amazonaws.com method and it worked from within the secondary account VPC. Now I just need to make it work via the public DNS.

raithedavion
respondido hace un año
0

And now the public is working too. Maybe I forgot to re-deploy or I'm just really bad at copy pasta on Friday. Thanks alatech.

raithedavion
respondido hace un año

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante