
AWS API GATEWAY POLICY - Anonymous is not authorized to perform: execute-api:Invoke on resource

0

Hi, I'm trying to add a policy to a public API Gateway (which invokes a Lambda) so that it only accepts traffic from our Twingate (VPN) IP and from the IP range of the VPC environment the API lives in (i.e. us-staging). I have read through a bunch of answers online that tell you to redeploy and then hit the endpoint, but that is also not working. I keep getting the following error whether I try to hit the endpoint from local while connected to the VPN or get onto a box that's running in the VPC environment and curl it.

{"Message":"User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-eas...."}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:********5553:*******g3d/*/*/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "**.***.***.*/24"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:********5553:*******g3d/*/*/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "**.*.*.*/16"
        }
      }
    }
  ]
}
1 Answer
0

Not an answer, but setting up access logging to see the IP addresses and VPC IDs of the requests hitting the API shows why it wasn't working, since they don't match what I expected them to be based on the IPv4 CIDR blocks for the VPCs.

answered a year ago
