User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:**xxxx

0

I have a lambda function at account A that requests a private API at account B. There is a VPC Peering between VPC account A and VPC account B.

At account A I created a VPC endpoint (com.amazonaws.us-east-1.execute-api).

The API Gateway at account B was created as Private, bound to the VPC at account B, with a resource and method created without any type of authentication; the method points to a Lambda function (account B) that does an insert on a QLDB table.

The lambda is configured as proxy.

When I execute the test of API Gateway (account B), it executes the lambda function with success and inserts a document into the QLDB table. When I execute the lambda (at account A) requesting the API Gateway, I get this error message:

User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:**xxxx

I've been trying to overcome this issue without success.

Thanks in advance,

Fernando Possebon

1 Answer
0

Make sure that the resource policy on the API lists both VPC Endpoints. For an example see: Use the AWS CLI to associate VPC endpoint with a private REST API

EXPERT
kentrad
answered 13 days ago
  • Hi kentrad, thanks for your post.

    I changed the resource policy to this, deployed the API and I'm still getting the same error message.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "execute-api:Invoke",
          "Resource": "execute-api:vpce-accountb.execute-api.us-east-1.vpce.amazonaws.com/*/*/*"
        },
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "execute-api:Invoke",
          "Resource": "execute-api:vpce-accounta.execute-api.us-east-1.vpce.amazonaws.com/*/*/*"
        },
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams",
            "logs:PutLogEvents",
            "logs:GetLogEvents",
            "logs:FilterLogEvents"
          ],
          "Resource": "*"
        }
      ]
    }

  • These vpc endpoints should be listed in the condition section of the resource policy attached to the API. See: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html#apigateway-resource-policies-source-vpc-example
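To make the comment above concrete, here is an added example (not code from the question or the answer) that builds a private-API resource policy in the shape the linked AWS page documents: an explicit Deny for any request whose `aws:SourceVpce` is not one of the listed interface endpoints, followed by a broad Allow. Because an explicit Deny always wins, only traffic that arrives through a listed endpoint can invoke the API; the endpoint IDs must come from the caller's side (account A) as well as account B. The endpoint IDs below are constructed placeholders, the `evaluate_invoke` helper is a deliberately simplified model of the IAM decision (explicit deny, then allow, else implicit deny) covering only the two string operators the policy uses, and `cli_policy_patch_value` assumes the JSON-escaped string form that `aws apigateway update-rest-api --patch-operations op=replace,path=/policy,value=...` expects. After the policy is replaced, the stage still has to be redeployed for the change to take effect.

```python
import json

# Constructed placeholder endpoint IDs (not real identifiers): the
# execute-api interface endpoint in the caller's account A and the one
# attached to the private API in account B.
VPCE_ACCOUNT_A = "vpce-0aaaaaaaaaaaaaaaa"
VPCE_ACCOUNT_B = "vpce-0bbbbbbbbbbbbbbbb"


def build_private_api_policy(allowed_vpce_ids):
    """Resource policy in the documented 'source VPC endpoint' pattern:
    an explicit Deny when aws:SourceVpce is not in the list, plus a broad
    Allow. Explicit Deny wins, so only listed endpoints can invoke."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": ["execute-api:/*"],
                "Condition": {
                    "StringNotEquals": {"aws:SourceVpce": list(allowed_vpce_ids)}
                },
            },
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": ["execute-api:/*"],
            },
        ],
    }


def _condition_matches(condition, context):
    """Evaluate StringEquals / StringNotEquals against a request context
    such as {"aws:SourceVpce": "vpce-..."}. A missing context key fails
    StringEquals and satisfies StringNotEquals, as IAM does."""
    for operator, clauses in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported operator in this model: {operator}")
        for key, expected in clauses.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
    return True


def evaluate_invoke(policy, context):
    """Simplified IAM decision for execute-api:Invoke (model, not the real
    evaluator): explicit Deny beats Allow; no matching Allow is a Deny."""
    decision = "Deny"  # implicit deny until an Allow matches
    for stmt in policy["Statement"]:
        if stmt["Action"] != "execute-api:Invoke":
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny: nothing else matters
        decision = "Allow"
    return decision


def cli_policy_patch_value(policy):
    """Value for `aws apigateway update-rest-api --patch-operations
    op=replace,path=/policy,value=...`: the policy document passed as a
    JSON-escaped string (assumption: matches the documented CLI form)."""
    return json.dumps(json.dumps(policy, separators=(",", ":")))


if __name__ == "__main__":
    policy = build_private_api_policy([VPCE_ACCOUNT_A, VPCE_ACCOUNT_B])
    print(json.dumps(policy, indent=2))
    # A request through the account A endpoint is allowed; one through an
    # unlisted endpoint, or with no endpoint at all, is explicitly denied.
    for vpce in (VPCE_ACCOUNT_A, "vpce-0cccccccccccccccc", None):
        ctx = {"aws:SourceVpce": vpce} if vpce else {}
        print(vpce, "->", evaluate_invoke(policy, ctx))
    print("patch value:", cli_policy_patch_value(policy))
```

The design point is the Deny-with-StringNotEquals statement: listing the endpoint hostnames as `Resource` values (as in the policy posted above) does nothing, because the endpoint a request arrived through is only visible to IAM through the `aws:SourceVpce` condition key.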
