AWS re:Postを使用することにより、以下に同意したことになります AWS re:Post 利用規約
AWS re:Postre:Post

API Gateway as Reverse HTTP Proxy to SQS

0

I am trying to use AWS API Gateway as a reverse (forwarding) proxy to AWS SQS. I essentially want to send a REST request to the API Gateway which then gets forwarded directly to the SQS REST API and returns the response.

When I send a request to the gateway, I immediately get back

<?xml version="1.0"?>
  <ErrorResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/">
    <Error>
      <Type>Sender</Type>
      <Code>AccessDenied</Code>
      <Message>Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.</Message>
      <Detail/>
    </Error>
    <RequestId>51c903b2-4da3-5d5e-a3b8-589ee72167de</RequestId>
  </ErrorResponse>

However, when I switch the request URL to SQS directly (https://sqs.us-east-1.amazonaws.com) the request succeeds.

What am I missing?

curl --request POST 'https://my-api-gateway.com/sqs' \
--header 'X-Amz-Date: <date>' \
--header 'X-Amz-Security-Token: <token>' \
--header 'Authorization: <auth>' \
--header 'Amz-Sdk-Invocation-Id: <invocation>' \
--header 'Amz-Sdk-Request: attempt=1; max=10' \
--header 'User-Agent: aws-sdk-go-v2/1.16.5 os/macos lang/go/1.18.3 md/GOOS/darwin md/GOARCH/arm64 api/sqs/1.18.6' \
--header 'Content-Length: 206' \
--data-urlencode 'Action=ReceiveMessage' \
--data-urlencode 'MaxNumberOfMessages=10' \
--data-urlencode 'QueueUrl=<my-queue-url>' \
--data-urlencode 'Version=2012-11-05' \
--data-urlencode 'WaitTimeSeconds=20'

Configuration:

  1. Integrations
  2. Routes
  3. Parameter Mappings
トピック
サーバーレスフロントエンド Web & モバイルネットワークとコンテンツ配信アプリケーション統合
タグ
Amazon API GatewayAmazon Simple Queue Service
言語
English
austinarbor
質問済み 2年前951ビュー
2回答
1
承認された回答

In this case it is required to configure an IAM Role for API Gateway to assume with the required sqs:SendMessage permission as API Gateway will drop the Authorization header if it contains an AWS Signature. It's in the docs but well hidden under the header mapping table.

  • The Authorization header is dropped if it contains a Signature Version 4 signature.
Matthias Pichler
回答済み 2年前
0

Did you create a role for API Gateway that has a policy that allows API Gateway to interact with the SQS queue?

profile pictureAWS
エキスパート
Indranil Banerjee AWS
回答済み 2年前
  • austinarbor
    2年前

    just curious but why would that be required? I am strictly using the REST API which is passing the authentication headers to SQS. The gateway itself shouldn't really know that it's calling SQS should it?

  • Indranil Banerjee AWS エキスパート
    2年前

    In this case the API Gateway receives the REST request but has to make an SQS API call behind the scenes, so it will need to be granted the access based on the principle of least privilege.

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ