API GW HTTP API: Cross Account Access via IAM

0

Hi,

I have an API-GW HTTP API (in account A) that uses IAM auth. I'm trying to invoke that API using an IAM role from another account (account B)

I'm getting 403 responses when trying to invoke the API-GW from account B. I'm able to successfully invoke it from its own account (account A).

The IAM role in account B has the following policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:*:ACCOUNT-A-ID:*"
            ],
            "Effect": "Allow"
        }
    ]
}

I have a "CrossAccountInvocationRole" in account A with Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "execute-api:*",
            "Resource": "arn:aws:execute-api:*:ACCOUNT-A-ID:*/*/*/*"
        }
    ]
}

with Trusted Entities

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::ACCOUNT-B-ID:role/role-name"
                    ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

My APIGW IAM Role in Account A has the following Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::ACCOUNT-A-ID:role/CrossAccountInvocationRole",
            "Effect": "Allow"
        }
    ]
}

and Trusted entities

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "apigateway.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

I tried attaching the above policy to the Lambda that is invoked by API-GW as well

To test, I used the AWS CLI sts assume-role to get credentials for the IAM role and then used those credentials in a Lambda in account B as well as the Postman application. Both gave me 403 errors.

Question:

  1. Is it even possible to do cross account invocation on an API GW HTTP API with IAM?
  2. If yes, what am I doing wrong?
2 answers
0

Hi,

I understand you want to do cross-account invocation on an API GW HTTP API with IAM but you are getting a "403 error". The 403 error means the caller isn't authorized to access an API that's using a Lambda authorizer. To answer your questions, yes, you can do cross-account invocation on an API GW HTTP API with IAM. Firstly you will have to create a Lambda authorizer [1]; you use a Lambda authorizer to use a Lambda function to control access to your HTTP API [2]. You will then configure a cross-account Lambda authorizer using the API Gateway console [3]. The methods you used before were meant for controlling access for invoking an API, hence the reason you were able to successfully invoke it from its own account (account A).

Refer to the references

[1] https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html#http-api-lambda-authorizer.example-create

[2] https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html

[3] https://docs.amazonaws.cn/en_us/apigateway/latest/developerguide/apigateway-lambda-authorizer-cross-account-lambda-authorizer.html

[4] https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html

Lwazi
Answered 2 years ago
0

Please follow this document for your use-case: https://repost.aws/knowledge-center/api-gateway-iam-cross-account

AWS
Support Engineer
Answered 1 year ago
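The test the question describes (assume a role, then call the IAM-authorized HTTP API with those credentials) depends on the request being signed correctly with SigV4 for the service name execute-api, in the API's region, and, because sts:AssumeRole returns temporary credentials, with the session token sent as X-Amz-Security-Token and included in the signature. Missing any of those produces a 403 that looks identical to a missing permission. The following is an added example, not code from this thread or from AWS: a standard-library SigV4 signer for an HTTP API call, plus a helper that assumes a role and performs the call. ROLE_ARN, API_URL, the region and the sample credentials are placeholders; the live helper uses boto3, which is only imported when it runs.

```python
"""Sign and send a cross-account call to an API Gateway HTTP API with IAM auth.

Added example (not from the thread). The signing steps follow the published
AWS Signature Version 4 algorithm; all identifiers below are placeholders.
"""
import datetime
import hashlib
import hmac
import urllib.parse
import urllib.request

SERVICE = "execute-api"  # the SigV4 service name for every API Gateway invocation


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str = SERVICE) -> bytes:
    """Derive the SigV4 signing key: HMAC chain over date, region, service, 'aws4_request'."""
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def sign_execute_api_request(method, url, region, access_key, secret_key,
                             session_token=None, body=b"", amz_date=None):
    """Return the headers for a SigV4-signed request to an HTTP API.

    region must be the region the API is deployed in (account A's API), not the
    caller's default region. session_token is mandatory for assumed-role
    credentials; it is both sent and covered by the signature.
    amz_date ("YYYYMMDDTHHMMSSZ") may be fixed for reproducible tests.
    """
    parsed = urllib.parse.urlsplit(url)
    host = parsed.netloc.lower()
    path = parsed.path or "/"
    # Canonical query string: sorted, each key and value URI-encoded once.
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(urllib.parse.parse_qsl(parsed.query, keep_blank_values=True))
    )
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    payload_hash = _sha256_hex(body)

    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        method.upper(),
        urllib.parse.quote(path, safe="/-_.~"),
        canonical_query,
        canonical_headers,          # ends with "\n", giving the required blank line
        signed_headers,
        payload_hash,
    ])
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode("utf-8")),
    ])
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def invoke_cross_account(role_arn, api_url, region, method="GET", body=b""):
    """Assume the caller role with STS (placeholder ARN), sign, and call the API.

    Returns (status, body_text). Requires boto3 and real credentials; not used
    by the offline tests.
    """
    import boto3  # assumption: boto3 is installed where this runs

    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="apigw-cross-account-test")["Credentials"]
    headers = sign_execute_api_request(method, api_url, region, creds["AccessKeyId"],
                                       creds["SecretAccessKey"], creds["SessionToken"], body)
    req = urllib.request.Request(api_url, data=body or None, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Placeholders for the account-B role and the account-A HTTP API endpoint.
    ROLE_ARN = "arn:aws:iam::ACCOUNT-B-ID:role/role-name"
    API_URL = "https://abc123.execute-api.eu-west-1.amazonaws.com/prod/items"
    print(invoke_cross_account(ROLE_ARN, API_URL, "eu-west-1"))
```

A 403 whose body says "Forbidden" with no further detail is what a bad signature, a wrong region in the credential scope, or a missing session token all return, so it is worth inspecting the generated Authorization header before blaming the IAM policy: the Credential scope must name the API's region and execute-api, and SignedHeaders must list x-amz-security-token whenever the credentials came from sts:AssumeRole.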
