AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

API Gateway as Reverse HTTP Proxy to SQS

0

I am trying to use AWS API Gateway as a reverse (forwarding) proxy to AWS SQS. I essentially want to send a REST request to the API Gateway which then gets forwarded directly to the SQS REST API and returns the response.

When I send a request to the gateway, I immediately get back

<?xml version="1.0"?>
  <ErrorResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/">
    <Error>
      <Type>Sender</Type>
      <Code>AccessDenied</Code>
      <Message>Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.</Message>
      <Detail/>
    </Error>
    <RequestId>51c903b2-4da3-5d5e-a3b8-589ee72167de</RequestId>
  </ErrorResponse>

However, when I switch the request URL to SQS directly (https://sqs.us-east-1.amazonaws.com) the request succeeds.

What am I missing?

curl --request POST 'https://my-api-gateway.com/sqs' \
--header 'X-Amz-Date: <date>' \
--header 'X-Amz-Security-Token: <token>' \
--header 'Authorization: <auth>' \
--header 'Amz-Sdk-Invocation-Id: <invocation>' \
--header 'Amz-Sdk-Request: attempt=1; max=10' \
--header 'User-Agent: aws-sdk-go-v2/1.16.5 os/macos lang/go/1.18.3 md/GOOS/darwin md/GOARCH/arm64 api/sqs/1.18.6' \
--header 'Content-Length: 206' \
--data-urlencode 'Action=ReceiveMessage' \
--data-urlencode 'MaxNumberOfMessages=10' \
--data-urlencode 'QueueUrl=<my-queue-url>' \
--data-urlencode 'Version=2012-11-05' \
--data-urlencode 'WaitTimeSeconds=20'

Configuration:

  1. Integrations
  2. Routes
  3. Parameter Mappings
주제
서버리스프론트엔드 웹 및 모바일네트워킹 및 콘텐츠 전송애플리케이션 통합
태그
아마존 API 게이트웨이아마존 심플 큐 서비스
언어
English
austinarbor
질문됨 2년 전951회 조회
2개 답변
1
수락된 답변

In this case it is required to configure an IAM Role for API Gateway to assume with the required sqs:SendMessage permission as API Gateway will drop the Authorization header if it contains an AWS Signature. It's in the docs but well hidden under the header mapping table.

  • The Authorization header is dropped if it contains a Signature Version 4 signature.
Matthias Pichler
답변함 2년 전
0

Did you create a role for API Gateway that has a policy that allows API Gateway to interact with the SQS queue?

profile pictureAWS
전문가
Indranil Banerjee AWS
답변함 2년 전
  • austinarbor
    2년 전

    just curious but why would that be required? I am strictly using the REST API which is passing the authentication headers to SQS. The gateway itself shouldn't really know that it's calling SQS should it?

  • Indranil Banerjee AWS 전문가
    2년 전

    In this case the API Gateway receives the REST request but has to make an SQS API call behind the scenes, so it will need to be granted the access based on the principle of least privilege.

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠