I have a lambda function at account A that requests a private API at account B. There is a VPC Peering between VPC account A and VPC account B.
At account A I created a VPC endpoint (com.amazonaws.us-east-1.execute-api).
The API Gateway at account B was created as Private, bound to the VPC at account B; I created a resource and method without any type of authentication, and the method points to a Lambda function (account B) that does an insert on a QLDB table.
The lambda is configured as proxy.
When I execute the test of API Gateway (account B), it executes the lambda function with success and inserts a document at the QLDB table.
When I execute the lambda (at account A) requesting the API Gateway, I get this error message:
User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:**xxxx
I've been trying to overcome this issue without success.
Thanks in advance,
Fernando Possebon
Hi kentrad, thanks for your post.
I changed the resource policy to this, deployed the API and I'm still getting the same error message.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:vpce-accountb.execute-api.us-east-1.vpce.amazonaws.com/*/*/*"
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:vpce-accounta.execute-api.us-east-1.vpce.amazonaws.com/*/*/*"
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
These VPC endpoints should be listed in the condition section of the resource policy attached to the API, not in the Resource field. See: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html#apigateway-resource-policies-source-vpc-example
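As an added illustration of that answer (not the answerer's own text), this is the shape the resource policy should take: the Resource field stays a wildcard over the API's own paths, and the VPC endpoint IDs go into an aws:SourceVpce condition. The endpoint IDs vpce-0aaaaaaaaaaaaaaaa and vpce-0bbbbbbbbbbbbbbbb are placeholders for the account A and account B endpoints; the explicit Deny keeps every other caller out even if a later Allow is added by mistake.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowInvokeFromListedEndpoints",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*/*/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": [
            "vpce-0aaaaaaaaaaaaaaaa",
            "vpce-0bbbbbbbbbbbbbbbb"
          ]
        }
      }
    },
    {
      "Sid": "DenyInvokeFromAnyOtherSource",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*/*/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": [
            "vpce-0aaaaaaaaaaaaaaaa",
            "vpce-0bbbbbbbbbbbbbbbb"
          ]
        }
      }
    }
  ]
}
```

After attaching the policy the API must be deployed again for it to take effect; the logs:* statement from the earlier attempt belongs in the Lambda execution role, not in an API Gateway resource policy.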