API Gateway as Reverse HTTP Proxy to SQS
I am trying to use AWS API Gateway as a reverse (forwarding) proxy to AWS SQS. I essentially want to send a REST request to the API Gateway which then gets forwarded directly to the SQS REST API and returns the response.
When I send a request to the gateway, I immediately get back
<?xml version="1.0"?> <ErrorResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/"> <Error> <Type>Sender</Type> <Code>AccessDenied</Code> <Message>Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.</Message> <Detail/> </Error> <RequestId>51c903b2-4da3-5d5e-a3b8-589ee72167de</RequestId> </ErrorResponse>
However, when I switch the request URL to SQS directly (
https://sqs.us-east-1.amazonaws.com) the request succeeds.
What am I missing?
curl --request POST 'https://my-api-gateway.com/sqs' \ --header 'X-Amz-Date: <date>' \ --header 'X-Amz-Security-Token: <token>' \ --header 'Authorization: <auth>' \ --header 'Amz-Sdk-Invocation-Id: <invocation>' \ --header 'Amz-Sdk-Request: attempt=1; max=10' \ --header 'User-Agent: aws-sdk-go-v2/1.16.5 os/macos lang/go/1.18.3 md/GOOS/darwin md/GOARCH/arm64 api/sqs/1.18.6' \ --header 'Content-Length: 206' \ --data-urlencode 'Action=ReceiveMessage' \ --data-urlencode 'MaxNumberOfMessages=10' \ --data-urlencode 'QueueUrl=<my-queue-url>' \ --data-urlencode 'Version=2012-11-05' \ --data-urlencode 'WaitTimeSeconds=20'
In this case it is required to configure an IAM Role for API Gateway to assume with the required
sqs:SendMessage permission as API Gateway will drop the
Authorization header if it contains an AWS Signature. It's in the docs but well hidden under the header mapping table.
- The Authorization header is dropped if it contains a Signature Version 4 signature.
Thanks! I missed that
Did you create a role for API Gateway that has a policy that allows API Gateway to interact with the SQS queue?
just curious but why would that be required? I am strictly using the REST API which is passing the authentication headers to SQS. The gateway itself shouldn't really know that it's calling SQS should it?
In this case the API Gateway receives the REST request but has to make an SQS API call behind the scenes, so it will need to be granted the access based on the principle of least privilege.
AWS API Gateway with Amazon Cognito User Pools as authorizerAccepted Answerasked 2 years ago
API HTTP Gateway path rewrite questionasked 4 days ago
API Gateway - Gateway response - HTTP APIAccepted Answerasked a year ago
AWS API Gateway cannot connect to S3 bucket?asked 3 years ago
Amazon API Gateway Proxy - VPC Endpoint - NLB - Private DNS - Self-signed SSLAccepted Answerasked 2 years ago
API Gateway as Reverse HTTP Proxy to SQSAccepted Answerasked 11 days ago
Binary uploads to API Gateway Proxy with Lambda IntegrationAccepted Answerasked 5 years ago
Trying to use a single Amazon API Gateway endpoint to accept both HTTP and websocket requestsAccepted Answerasked 2 years ago
All permissions API gateway integrate SQS, POST returns queue AccessDeniedasked 4 years ago
AWS Api gateway for REST API does not work with multi-level base path mappingasked 3 months ago