By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Private API Gateway 403 errors

0

I'm toying with API gateway and have run into an issue in which one account gets a 403 Forbidden Error. VPCE's are setup in two accounts. The Account where the api gateway and one of the VPCE's resides works just fine, however the second account does not. The forbidden message is just that "Forbidden" so very unhelpful. Any ideas on how to resolve the 403's?

Calling it like so:

curl -v https://vpce-0c868a4b1293a28b5-6gi9t6mm.execute-api.us-east-1.vpce.amazonaws.com/dev -H 'Host: abc123defg.execute-api.us-east-1.amazonaws.com'

Resource policy is as follows (I did replace the account id and actual api id with something random):

vpce-078ec1da4e3a0deb3 = VPCE in account where API gateway resides. vpce-0c868a4b1293a28b5 = VPCE in secondary account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:123456789123:abc123defg/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": [
                        "vpce-0925a8e90cbab6f12",
                        "vpce-078ec1da4e3a0deb3",
                        "vpce-0c868a4b1293a28b5"
                    ],
                    "aws:SourceIP": [
                        "10.0.0.0/8",
                        "63.237.3.169/32"
                    ],
                    "aws:sourceVpc": "vpc-06f730a7eb116c752"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:1234567891323:abc123defg/*"
        }
    ]
}
Topics
Networking & Content DeliveryServerlessFront-End Web & Mobile
Tags
Amazon VPCAmazon API Gateway
Language
English
raithedavion
asked a year ago381 views
3 Answers
0
Accepted Answer

Hi,

Apart that you can troubleshoot further here: https://repost.aws/knowledge-center/api-gateway-private-cross-account-vpce, Can you try to invoke the api gw as https://<api-gw-id>-<vpce-url> As described in “associate/disassociate” section in https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html?

Let me know

profile picture
EXPERT
Antonio_Lagrotteria
answered a year ago
0

I've followed those steps and I'm still getting 403 errors. I actually followed them before I posted. No matter the calling method, I always get 403 Forbidden error when calling from the secondary account. Note, I have to use the public DNS in some cases due to non-vpc systems having to call the gateway.

UPDATE: I did just do yet another re-deploy and tried the <apiid>.execute-api.us-east-1.amazonaws.com method and it worked from within the secondary account VPC. Now I just need to make it work via the public DNS.

raithedavion
answered a year ago
0

And now the public is working too. Maybe I forgot to re-deploy or I'm just really bad at copy pasta on Friday. Thanks alatech.

raithedavion
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content