User: anonymous is not authorized with an explicit deny


Hi, I have a lambda function which, called from a regional Gateway API, works fine. I call it from my devel computer and it answers correctly.

But, I need this lambda to work only from my web app, which is in EC2 inside of a VPC. So I created a new private Gateway API with a com.amazonaws.us-east-1.execute-api endpoint (private DNS disabled) inside the VPC (with DNS enabled) where the EC2 instances are. The subnets for the endpoint are the same subnets for the EC2 instances.

I set up the resource policy following the "whitelist for VPC origin" example. Then I deployed the API.

I call the endpoint using its hostname (with curl), passing in the x-apigw-api-id header the API id, but I get:

{"Message":"User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:**********:**/myStage/GET/myRes with an explicit deny"}

I don't know if this is caused by having the DNS enabled for the VPC and not for the endpoint, or if I need to change the subnets for the endpoint, or if there's another cause.

Any hint is appreciated. Thanks.

P.S. I followed this tutorial: https://aws.amazon.com/es/premiumsupport/knowledge-center/api-gateway-vpc-connections/

metayii
asked 5 years ago, 5774 views
1 Answer

Solved by tech support. I changed this line in the policy (sourceVpce instead of sourceVpc):

    "StringNotEquals": {
        "aws:sourceVpce": "<VPC_ENDPOINT_ID>"
    }

to indicate that the source is a VPC endpoint, not a VPC.

metayii
answered 5 years ago
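For reference, the complete resource policy pattern the answer refers to, written out as an added example (not the poster's own policy): a blanket Allow plus a Deny that applies to every request whose `aws:sourceVpce` differs from the private API's interface endpoint. `vpce-0123456789abcdef0`, `myStage` and `myRes` are placeholder values. The reason the original `aws:sourceVpc` key produced the "explicit deny" is that `StringNotEquals` evaluates to true both when the value differs and when the key is absent from the request context, so a condition on the wrong key denies every caller, including the EC2 instances it was meant to admit.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowInvokeFromAnywhereThenRestrictBelow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/myStage/GET/myRes"
        },
        {
            "Sid": "DenyUnlessFromOwnVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/myStage/GET/myRes",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": "vpce-0123456789abcdef0"
                }
            }
        }
    ]
}
```

After changing a resource policy on an API Gateway REST API, redeploy the stage; the old policy stays in effect until the new deployment is created.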
