
AccessDenied when calling InvokeRestApi in MWAA private webserver environment (VPC)


Hello!! We upgraded to version 3.0.6 and we now need to access the metadata DB in some DAGs. Using the API looks to be the only option. Our MWAA env is configured with a private webserver inside a VPC.

The IAM role of the environment has permissions to use the function, but as you can see below the task fails even though it is running inside a worker (which is obviously inside the VPC).

import boto3

# MWAA control-plane client; it runs inside the worker, so it inherits the environment's execution role.
client = boto3.client('mwaa')

# 'string' values are placeholders: Name is the MWAA environment name,
# Path is the Airflow REST API path (e.g. a /dags resource), Method the HTTP verb.
response = client.invoke_rest_api(
    Name='string',
    Path='string',
    Method='GET'
)

Error:

Task failed with exception: source="task"
AccessDeniedException: An error occurred (AccessDeniedException) when calling the InvokeRestApi operation: Private webserver environments can only call InvokeRestApi within a VPC

Does anyone know how to solve this or what exactly I should ask the SecOps/DevOps team to enable (as I do not have direct access to the environment configuration)? Thanks!!

2 Answers

EXPERT, answered 2 months ago

To resolve the MWAA invoke_rest_api issue in a private environment, first check whether your private subnets have NAT or outbound internet access that allows the MWAA worker nodes to reach the API endpoint (com.amazonaws.<region>.airflow.env).

If there is no internet access, the recommended approach is to use a VPC Interface Endpoint for MWAA. This allows the source MWAA private node to communicate with the destination MWAA managed endpoint securely through the AWS backbone network using PrivateLink, without requiring internet connectivity.

This ensures invoke_rest_api calls succeed while keeping the environment fully private.

answered 2 months ago
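As an added example (not code from the question or the answer above), the following script gives the asker something concrete to hand to the SecOps/DevOps team: a pre-flight check that the VPC actually has an available interface endpoint for the service name the answer quotes (com.amazonaws.<region>.airflow.env) with private DNS and a security group, plus a wrapper around invoke_rest_api that turns the AccessDeniedException from the question into an actionable error. It assumes the documented boto3 response shapes for ec2.describe_vpc_endpoints and mwaa.invoke_rest_api; the sample endpoint listing and the FakeMwaaClient are constructed stand-ins so the checks run offline, and boto3 is only imported inside the live helper.

```python
"""Pre-flight check and call wrapper for MWAA InvokeRestApi in a private-webserver environment.

Assumptions (this is an added example, not the thread's own code):
  * the PrivateLink service name quoted in the answer: com.amazonaws.<region>.airflow.env
  * boto3 response shapes of ec2.describe_vpc_endpoints and mwaa.invoke_rest_api
  * SAMPLE_DESCRIBE_RESPONSE and FakeMwaaClient are constructed stand-ins, not real data
"""
from typing import Optional


def expected_service_name(region: str) -> str:
    """PrivateLink service name the SDK must reach when the webserver is private."""
    return f"com.amazonaws.{region}.airflow.env"


def find_mwaa_endpoint(describe_response: dict, vpc_id: str, region: str) -> Optional[dict]:
    """Return the available Interface endpoint for the MWAA service in vpc_id, else None."""
    wanted = expected_service_name(region)
    for ep in describe_response.get("VpcEndpoints", []):
        if (ep.get("ServiceName") == wanted
                and ep.get("VpcId") == vpc_id
                and ep.get("VpcEndpointType") == "Interface"
                and ep.get("State") == "available"):
            return ep
    return None


def endpoint_problems(describe_response: dict, vpc_id: str, region: str) -> list:
    """List what still has to be fixed on the VPC side; an empty list means the endpoint looks usable."""
    ep = find_mwaa_endpoint(describe_response, vpc_id, region)
    if ep is None:
        return [f"no available Interface endpoint for {expected_service_name(region)} in {vpc_id}"]
    problems = []
    if not ep.get("PrivateDnsEnabled"):
        # Without private DNS the SDK's default service hostname does not resolve to the
        # endpoint ENI, so calls still try to leave the VPC and fail in a NAT-less subnet.
        problems.append(f"{ep['VpcEndpointId']}: private DNS is disabled")
    if not ep.get("Groups"):
        # The endpoint ENI needs a security group that admits 443 from the worker subnets.
        problems.append(f"{ep['VpcEndpointId']}: no security group attached")
    return problems


def live_endpoint_problems(vpc_id: str, region: str) -> list:
    """Same check against the real account (needs ec2:DescribeVpcEndpoints)."""
    import boto3  # imported lazily so the offline parts do not need it
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.describe_vpc_endpoints(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
    return endpoint_problems(resp, vpc_id, region)


def call_airflow_api(client, env_name: str, path: str, method: str = "GET",
                     query: Optional[dict] = None):
    """Call the Airflow REST API through MWAA; returns (status_code, body)."""
    try:
        resp = client.invoke_rest_api(Name=env_name, Path=path, Method=method,
                                      QueryParameters=query or {})
    except client.exceptions.AccessDeniedException as exc:
        raise RuntimeError(
            "InvokeRestApi was denied: with a private webserver the call must originate inside "
            "the VPC and reach MWAA through its interface endpoint; run endpoint_problems() first"
        ) from exc
    return resp["RestApiStatusCode"], resp["RestApiResponse"]


# Constructed sample of an ec2.describe_vpc_endpoints response (not real identifiers).
SAMPLE_DESCRIBE_RESPONSE = {
    "VpcEndpoints": [
        {"VpcEndpointId": "vpce-0exampleaaaa", "VpcId": "vpc-0example",
         "ServiceName": "com.amazonaws.eu-west-1.airflow.env", "VpcEndpointType": "Interface",
         "State": "available", "PrivateDnsEnabled": False, "Groups": [{"GroupId": "sg-0example"}]},
        {"VpcEndpointId": "vpce-0examplebbbb", "VpcId": "vpc-0example",
         "ServiceName": "com.amazonaws.eu-west-1.s3", "VpcEndpointType": "Gateway",
         "State": "available"},
    ]
}


class FakeMwaaClient:
    """Constructed stand-in for boto3.client('mwaa') so the wrapper can be exercised offline."""

    class exceptions:
        class AccessDeniedException(Exception):
            pass

    def __init__(self, inside_vpc: bool):
        self.inside_vpc = inside_vpc

    def invoke_rest_api(self, **kwargs):
        if not self.inside_vpc:
            raise self.exceptions.AccessDeniedException(
                "Private webserver environments can only call InvokeRestApi within a VPC")
        return {"RestApiStatusCode": 200,
                "RestApiResponse": {"path": kwargs["Path"], "method": kwargs["Method"]}}


if __name__ == "__main__":
    print(endpoint_problems(SAMPLE_DESCRIBE_RESPONSE, "vpc-0example", "eu-west-1"))
    print(call_airflow_api(FakeMwaaClient(inside_vpc=True), "my-env", "/dags"))
```

On a real account, replace the sample with live_endpoint_problems(vpc_id, region) and expect an empty list before retrying the DAG; any remaining entry is the exact item to raise with the team that owns the VPC.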
