API Gateway as Reverse HTTP Proxy to SQS
I am trying to use AWS API Gateway as a reverse (forwarding) proxy to AWS SQS. I essentially want to send a REST request to the API Gateway which then gets forwarded directly to the SQS REST API and returns the response.
When I send a request to the gateway, I immediately get back
<?xml version="1.0"?> <ErrorResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/"> <Error> <Type>Sender</Type> <Code>AccessDenied</Code> <Message>Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.</Message> <Detail/> </Error> <RequestId>51c903b2-4da3-5d5e-a3b8-589ee72167de</RequestId> </ErrorResponse>
However, when I switch the request URL to SQS directly (https://sqs.us-east-1.amazonaws.com) the request succeeds.
What am I missing?
curl --request POST 'https://my-api-gateway.com/sqs' \ --header 'X-Amz-Date: <date>' \ --header 'X-Amz-Security-Token: <token>' \ --header 'Authorization: <auth>' \ --header 'Amz-Sdk-Invocation-Id: <invocation>' \ --header 'Amz-Sdk-Request: attempt=1; max=10' \ --header 'User-Agent: aws-sdk-go-v2/1.16.5 os/macos lang/go/1.18.3 md/GOOS/darwin md/GOARCH/arm64 api/sqs/1.18.6' \ --header 'Content-Length: 206' \ --data-urlencode 'Action=ReceiveMessage' \ --data-urlencode 'MaxNumberOfMessages=10' \ --data-urlencode 'QueueUrl=<my-queue-url>' \ --data-urlencode 'Version=2012-11-05' \ --data-urlencode 'WaitTimeSeconds=20'
Configuration:
In this case it is required to configure an IAM Role for API Gateway to assume with the required sqs:SendMessage permission as API Gateway will drop the Authorization header if it contains an AWS Signature. It's in the docs but well hidden under the header mapping table.
- The Authorization header is dropped if it contains a Signature Version 4 signature.
Did you create a role for API Gateway that has a policy that allows API Gateway to interact with the SQS queue?
just curious but why would that be required? I am strictly using the REST API which is passing the authentication headers to SQS. The gateway itself shouldn't really know that it's calling SQS should it?
In this case the API Gateway receives the REST request but has to make an SQS API call behind the scenes, so it will need to be granted the access based on the principle of least privilege.
Relevant questions
AWS API Gateway with Amazon Cognito User Pools as authorizer
Accepted Answerasked 2 years agoAPI HTTP Gateway path rewrite question
asked 4 days agoAPI Gateway - Gateway response - HTTP API
Accepted Answerasked a year agoAWS API Gateway cannot connect to S3 bucket?
asked 3 years agoAmazon API Gateway Proxy - VPC Endpoint - NLB - Private DNS - Self-signed SSL
Accepted Answerasked 2 years agoAPI Gateway as Reverse HTTP Proxy to SQS
Accepted Answerasked 11 days agoBinary uploads to API Gateway Proxy with Lambda Integration
Accepted Answerasked 5 years agoTrying to use a single Amazon API Gateway endpoint to accept both HTTP and websocket requests
Accepted Answerasked 2 years agoAll permissions API gateway integrate SQS, POST returns queue AccessDenied
asked 4 years agoAWS Api gateway for REST API does not work with multi-level base path mapping
asked 3 months ago
Thanks! I missed that