Synthetics Canary keeps failing with 403 error

0

I cannot get the canary to hit the API Gateway endpoint. I keep getting the error below. I can hit the API using Postman without an authentication key, so I am not sure why I can't do the same using the Synthetics canary. The API is within the same account as the canary also, if this helps. Please can anyone help me with this? (ARN changed for privacy, so please ignore this.)

{"message":"User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:********2234:54354534534/test/GET/mezzanine with an explicit deny"}

The code I have for the canary is:

const synthetics = require('Synthetics');
const log = require('SyntheticsLogger');
const syntheticsConfiguration = synthetics.getConfiguration();

const apiCanaryBlueprint = async function () {

    syntheticsConfiguration.setConfig({
        restrictedHeaders: [], // Values of these headers will be redacted from logs and reports
        restrictedUrlParameters: [] // Values of these URL parameters will be redacted from logs and reports
    });

    // Handle validation for the positive scenario: any non-2xx status fails the step
    const validateSuccessful = async function (res) {
        return new Promise((resolve, reject) => {
            if (res.statusCode < 200 || res.statusCode > 299) {
                // reject() has the same effect as throwing inside a Promise executor, but is explicit
                return reject(new Error(res.statusCode + ' ' + res.statusMessage));
            }

            let responseBody = '';
            res.on('data', (d) => {
                responseBody += d;
            });

            // A stream error would otherwise leave the promise hanging until the canary times out
            res.on('error', reject);

            res.on('end', () => {
                // Add validation on 'responseBody' here if required.
                resolve();
            });
        });
    };

    // Set request options for Verify https://453453453.execute-api.us-east-1.amazonaws.com
    let requestOptionsStep1 = {
        hostname: '4534535.execute-api.us-east-1.amazonaws.com',
        method: 'GET',
        path: '/test/mezzanine',
        port: '443',
        protocol: 'https:',
        body: "",
        headers: { "health": "true" }
    };
    // Prefix the canary user agent; filter(Boolean) drops the undefined entry when no User-Agent header was set
    requestOptionsStep1['headers']['User-Agent'] = [synthetics.getCanaryUserAgentString(), requestOptionsStep1['headers']['User-Agent']].filter(Boolean).join(' ');

    // Set step config options for Verify https://5345345345435.execute-api.us-east-1.amazonaws.com
    let stepConfig1 = { includeRequestHeaders: true, includeResponseHeaders: true, includeRequestBody: true, includeResponseBody: true, continueOnHttpStepFailure: true };

    await synthetics.executeHttpStep('Verify https://45345334535.execute-api.us-east-1.amazonaws.com', requestOptionsStep1, validateSuccessful, stepConfig1);

};

exports.handler = async () => { return await apiCanaryBlueprint(); };

The API has no auth on it, and the resource policy is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:34324234234234:343243242/*/*/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:3432434234:434324234/*/*/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [ "23.23.23.23/32", "23.23.23.23/32", "23.23.23.23/32" ]
        }
      }
    }
  ]
}

I have also tried leaving the resource policy blank, and also using the policy below, but still cannot get this canary to work.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:4534534543:4543534543534/*/*/*"
    }
  ]
}
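The policy above has an Allow for everyone followed by an explicit Deny for every source address outside the allowlist, and IAM's deny-overrides-allow rule means the canary, which does not egress from the allowlisted address, is rejected by the second statement. The following is an added teaching model, not the asker's code or any AWS library, that evaluates that two-statement policy shape the way IAM does and shows that adding the canary's own fixed egress address to the allowlist (for a canary in a VPC, the NAT gateway's Elastic IP) keeps the VPN-only restriction while letting the canary through; the account id, API id and the 203.0.113.10 address are constructed placeholders.

```javascript
// Added teaching model, not the question's or AWS's code: evaluates the asker's two-statement
// API Gateway resource policy the way IAM does, to show which statement yields "explicit deny".
// Models only what that policy uses: Principal "*", Action/Resource globs, IpAddress/NotIpAddress (IPv4).
const ipToInt = (ip) => {                       // IPv4 dotted quad -> unsigned 32-bit integer
  const p = ip.split('.').map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) throw new Error('bad IPv4: ' + ip);
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
};
function inCidr(ip, cidr) {                     // is ip inside the block, e.g. '10.0.0.0/16'?
  const [net, bits = '32'] = cidr.split('/');
  const mask = Number(bits) === 0 ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}
const globMatch = (pattern, value) =>           // IAM-style glob: "*" matches any run of characters
  new RegExp('^' + pattern.split('*').map((s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&')).join('.*') + '$').test(value);
function conditionHolds(cond, ctx) {
  for (const [op, keys] of Object.entries(cond || {})) {
    if (op !== 'IpAddress' && op !== 'NotIpAddress') throw new Error('unsupported operator: ' + op);
    for (const [key, cidrs] of Object.entries(keys)) {
      const hit = ctx[key] !== undefined && [].concat(cidrs).some((c) => inCidr(ctx[key], c));
      if (hit !== (op === 'IpAddress')) return false; // IpAddress needs a hit, NotIpAddress needs none
    }
  }
  return true;
}
function evaluate(policy, req) {                // deny overrides allow; no match at all = implicit deny
  let allowed = false;
  for (const st of policy.Statement) {
    if (st.Principal !== '*' && !(st.Principal && st.Principal.AWS === '*')) continue; // anonymous caller
    if (![].concat(st.Action).some((a) => globMatch(a, req.action))) continue;
    if (![].concat(st.Resource).some((r) => globMatch(r, req.resource))) continue;
    if (!conditionHolds(st.Condition, req.context)) continue;
    if (st.Effect === 'Deny') return 'explicit deny';
    allowed = true;
  }
  return allowed ? 'allow' : 'implicit deny';
}
// The asker's policy shape with placeholder account/API id: allow everyone, then deny sources outside the allowlist.
const API = 'arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5';
const vpnOnlyPolicy = (allowedCidrs) => ({ Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Principal: '*', Action: 'execute-api:Invoke', Resource: API + '/*/*/*' },
  { Effect: 'Deny', Principal: '*', Action: 'execute-api:Invoke', Resource: API + '/*/*/*',
    Condition: { NotIpAddress: { 'aws:SourceIp': allowedCidrs } } }] });
// What API Gateway evaluates for the canary's GET /test/mezzanine from a given source address.
const canaryRequest = (sourceIp) => ({ action: 'execute-api:Invoke',
  resource: API + '/test/GET/mezzanine', context: { 'aws:SourceIp': sourceIp } });
// VPN is the question's allowlisted address; CANARY stands in for the canary's fixed egress (e.g. NAT gateway EIP).
const VPN = '23.23.23.23/32', CANARY = '203.0.113.10/32';
const verdictBefore = evaluate(vpnOnlyPolicy([VPN]), canaryRequest('203.0.113.10'));        // 'explicit deny'
const verdictAfter = evaluate(vpnOnlyPolicy([VPN, CANARY]), canaryRequest('203.0.113.10')); // 'allow'
```

The same evaluator shows the point made in one of the answers: a Resource that stops at the API id without the trailing /* never matches a request ARN of the form api-id/stage/VERB/path, so even the Allow statement yields an implicit deny.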

3 Answers
1

Hi There

Have you run through the troubleshooting steps here?

Also, is this canary running in a VPC? If so, does your VPC have internet access? See here.

The canary being in the same account as the API Gateway doesn't matter too much; you would still need to make sure the canary has the appropriate permissions and networking.

AWS
EXPERT
Matt-B
answered a year ago
0

Got it working, thank you. It looks like the software guys had not got the API set up properly.

answered a year ago
  • Hi there, I'm curious what your software guys set up to get the Synthetics working? I have exactly the same scenario, with the exception that I verified the Synthetic call succeeds against our API GW REST API when I temporarily removed the "Deny" statement from our resource policy. Our resource policy also has a "Deny" to explicitly block all traffic coming from outside our VPN. Our Synthetic is running in the same account as our API GW, which is a regional endpoint type. I'm a little confused over how I can additionally unblock traffic from the CW Synthetic in addition to keeping my existing inbound traffic limited to our VPN. I've tried using "aws.SourceVPC", but that didn't work, and I think that only applies to private API GW endpoints. Any suggestions on how else I might debug this? And yes, I did look through the troubleshooting doc and could not find anything which helps me. Thanks!

0

In addition, can you check to make sure the end of your IAM permissions for the execute-api:Invoke Resource is /*?

AWS
answered a year ago
