
anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:********:dfdfddfdf/dev/GET/health


I am trying to set up cloudwatch synthetics canary to monitor and health check API gateway apis, but keep getting error: {"Message":"User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:********:0dkemydfdf/dev/GET/health"}

I have a resource policy set up for the API endpoint and I have tried numerous ways to allow the traffic from the CloudWatch Synthetics canary, but none of them works.

Without resource policy it works. My question is how to identify the calling user and whitelist it in the resource policy.

Anyone got any idea?

1 Answer

The error message {"Message":"User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:********:0dkemydfdf/dev/GET/health"} suggests that the CloudWatch Synthetics canary is trying to invoke your API Gateway API anonymously, and the resource policy is denying access to the anonymous user.

To allow the CloudWatch Synthetics canary to access your API Gateway API, you need to identify the principal or the caller identity that the canary uses, and then grant access to that principal in your API Gateway resource policy.

The CloudWatch Synthetics canary uses the delivery.logs.amazonaws.com service principal to invoke your API Gateway API. To grant access, you need to add a statement to your API Gateway resource policy that allows the delivery.logs.amazonaws.com service principal to invoke your API.

Here's an example of how you can modify your API Gateway resource policy to allow access to the CloudWatch Synthetics canary:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-west-2:YOUR_ACCOUNT_ID:API_ID/*/GET/health"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-west-2:YOUR_ACCOUNT_ID:API_ID/*/GET/health",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": "YOUR_VPC_ID"
        }
      }
    }
  ]
}

In this example:

The first statement allows the delivery.logs.amazonaws.com service principal to invoke the GET /health endpoint of your API Gateway API.

The second statement denies all other principals (*) from invoking the GET /health endpoint, unless they are coming from a specific VPC (replace YOUR_VPC_ID with your VPC ID).

Make sure to replace YOUR_ACCOUNT_ID, API_ID, and YOUR_VPC_ID with your actual AWS account ID, API Gateway API ID, and VPC ID, respectively.

After updating the resource policy, the CloudWatch Synthetics canary should be able to invoke your API Gateway API without any authorization issues.

In case the issue still persists, create a Support Case and reach out to AWS Support so that the team can look into your account-specific settings and help troubleshoot.

Good Day!

AWS
SUPPORT ENGINEER
answered a year ago
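To see why the request in the question is rejected and what the answer's policy actually admits, here is an added example (not code from the question, the answer, or AWS) that evaluates that policy against a few sample requests using the same Allow/Deny logic IAM applies: an explicit Deny wins, then any matching Allow, otherwise implicit deny. The account ID, API ID and VPC ID are constructed placeholders, and the evaluator only models the string condition operators used in the policy.

```python
"""Minimal evaluator for an API Gateway resource policy (added example)."""
import fnmatch

# Constructed placeholder identifiers, not real resources.
ACCOUNT_ID = "123456789012"
API_ID = "a1b2c3d4e5"
VPC_ID = "vpc-0a1b2c3d4e5f67890"

# The policy from the answer above with its placeholders substituted.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "execute-api:Invoke",
            "Resource": f"arn:aws:execute-api:us-west-2:{ACCOUNT_ID}:{API_ID}/*/GET/health",
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": f"arn:aws:execute-api:us-west-2:{ACCOUNT_ID}:{API_ID}/*/GET/health",
            "Condition": {"StringNotEquals": {"aws:SourceVpc": VPC_ID}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_matches(stmt_principal, caller):
    """caller is None for an anonymous request, else {"Service": ...} or {"AWS": ...}."""
    if stmt_principal == "*":
        return True  # "*" matches everyone, anonymous callers included
    if caller is None:
        return False  # a named principal never matches an anonymous request
    for kind, ids in stmt_principal.items():
        if kind in caller and caller[kind] in _as_list(ids):
            return True
    return False


def condition_matches(condition, context):
    """Only String* operators are modeled (StringEquals, StringNotEquals, ...)."""
    for operator, pairs in (condition or {}).items():
        negated = "Not" in operator
        for key, expected in pairs.items():
            if key not in context:
                # Negated operators treat a missing key as satisfied (the key is
                # "not equal" to the expected value); positive operators fail.
                if not negated:
                    return False
                continue
            equal = context[key] in _as_list(expected)
            if equal == negated:
                return False
    return True


def statement_applies(stmt, request):
    return (
        principal_matches(stmt["Principal"], request["caller"])
        and any(fnmatch.fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"]))
        and condition_matches(stmt.get("Condition"), request.get("context", {}))
    )


def evaluate(policy, request):
    """Return "explicit deny", "allow" or "implicit deny" following IAM precedence."""
    effects = {s["Effect"] for s in policy["Statement"] if statement_applies(s, request)}
    if "Deny" in effects:
        return "explicit deny"
    if "Allow" in effects:
        return "allow"
    return "implicit deny"


def health_request(caller, context=None):
    """Build a GET /health invocation on the dev stage, as in the question's error message."""
    return {
        "caller": caller,
        "action": "execute-api:Invoke",
        "resource": f"arn:aws:execute-api:us-west-2:{ACCOUNT_ID}:{API_ID}/dev/GET/health",
        "context": context or {},
    }


if __name__ == "__main__":
    service = {"Service": "delivery.logs.amazonaws.com"}
    print("anonymous caller:          ", evaluate(POLICY, health_request(None)))
    print("service principal, in VPC: ", evaluate(POLICY, health_request(service, {"aws:SourceVpc": VPC_ID})))
    print("service principal, no VPC: ", evaluate(POLICY, health_request(service)))
```

The anonymous request, which is what the error message in the question describes, matches no Allow statement and is caught by the Deny on "*", so the evaluator reports an explicit deny. Note that the Deny's StringNotEquals condition is also satisfied when aws:SourceVpc is absent from the request context, so a request from the service principal that does not arrive through the named VPC is denied as well; when testing a resource policy, check the Deny statements against the request context you actually expect, not only the Allow statements.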
