Hi, I have a Lambda function which, called from a regional Gateway API, works fine. I call it from my devel computer and it answers correctly.
But, I need this lambda to work only from my web app, which is in EC2 inside of a VPC. So I created a new private Gateway API with a com.amazonaws.us-east-1.execute-api endpoint (private DNS disabled) inside the VPC (with DNS enabled) where the EC2 instances are. The subnets for the endpoint are the same subnets for the EC2 instances.
I set up the resource policy following the whitelist-for-VPC-origin example. Then I implemented the API.
I call the endpoint using its hostname (with curl), passing in the x-apigw-api-id header the API id, but I get:
{"Message":"User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:**********:**/myStage/GET/myRes with an explicit deny"}
I don't know if this is caused by having the DNS enabled for the VPC and not for the endpoint, or if I need to change the subnets for the endpoint, or if there's another cause.
Any hint is appreciated. Thanks.
P.S. I followed this tutorial: https://aws.amazon.com/es/premiumsupport/knowledge-center/api-gateway-vpc-connections/
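For reference, this is the VPC-endpoint whitelist resource-policy pattern the post refers to, written out as an added example (it is not the poster's policy and not copied from the linked tutorial); the endpoint ID is a placeholder and the resource is left as the whole API.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-PLACEHOLDER"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*"
    }
  ]
}
```

Whenever a request reaches the API through anything other than the endpoint named in aws:SourceVpce, the first statement matches and the caller gets exactly the "with an explicit deny" wording quoted above, so comparing the endpoint ID in the deployed policy with the endpoint the EC2 instance actually resolves to is a sensible first check. A resource policy change on a REST API also only takes effect after the API is deployed again to the stage.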