API GW HTTP API: Cross Account Access via IAM


Hi,

I have an API-GW HTTP API (in account A) that uses IAM auth. I'm trying to invoke that API using an IAM role from another account (account B)

I'm getting 403 responses when trying to invoke the API-GW from account B. I'm able to successfully invoke it from its own account (account A).

The IAM role in account B has the following policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:*:ACCOUNT-A-ID:*"
            ],
            "Effect": "Allow"
        }
    ]
}

I have a "CrossAccountInvocationRole" in account A with Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "execute-api:*",
            "Resource": "arn:aws:execute-api:*:ACCOUNT-A-ID:*/*/*/*"
        }
    ]
}

with Trusted Entities

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::ACCOUNT-B-ID:role/role-name"
                    ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

My APIGW IAM Role in Account A has the following Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::ACCOUNT-A-ID:role/CrossAccountInvocationRole",
            "Effect": "Allow"
        }
    ]
}

and Trusted entities

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "apigateway.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

I tried attaching the above policy to the Lambda that is invoked by API-GW as well

To test, I used the AWS CLI sts assume-role to get credentials for the IAM role and then used those credentials in a Lambda in account B as well as the Postman application. Both gave me 403 errors.

Question:

  1. Is it even possible to do cross account invocation on an API GW HTTP API with IAM?
  2. If yes, what am I doing wrong?

2 Answers

Hi,

I understand you want to do cross-account invocation on an API GW HTTP API with IAM but you are getting a "403 error". The 403 error means the caller isn't authorized to access an API that's using a Lambda authorizer. To answer your questions: yes, you can do cross-account invocation on an API GW HTTP API with IAM. Firstly, you will have to create a Lambda authorizer [1]; you use a Lambda authorizer to use a Lambda function to control access to your HTTP API [2]. You will then configure a cross-account Lambda authorizer using the API Gateway console [3]. The methods you used before were meant for controlling access for invoking an API [4], hence the reason you were able to successfully invoke it from its own account (account A).

Refer to the references

[1] https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html#http-api-lambda-authorizer.example-create

[2] https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html

[3] https://docs.amazonaws.cn/en_us/apigateway/latest/developerguide/apigateway-lambda-authorizer-cross-account-lambda-authorizer.html

[4] https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html

Lwazi
answered 2 years ago

Please follow this document for your use-case: https://repost.aws/knowledge-center/api-gateway-iam-cross-account

AWS
SUPPORT ENGINEER
answered 10 months ago
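The flow the question describes (assume a role in account A, then call the IAM-protected HTTP API with those temporary credentials) and the cross-account procedure the support-engineer answer links to, as an added example that is not code from the question asker, from either answer, or from AWS. It signs the request with SigV4 using only the Python standard library rather than botocore, so the exact headers API Gateway checks are visible; the API id, region, role ARN and session name are placeholder assumptions, and the boto3 call for sts:AssumeRole is only reached from the main block, so the signing logic runs offline.

```python
"""SigV4-signed call to an IAM-authorised API Gateway HTTP API using
temporary credentials from sts:AssumeRole (standard library only for signing).

Placeholders below are assumptions for illustration, not values from the post.
"""
import datetime as dt
import hashlib
import hmac
import urllib.error
import urllib.parse
import urllib.request

API_ID = "abc123xyz"   # assumption: id of the HTTP API in account A
REGION = "us-east-1"   # assumption: region the HTTP API is deployed in
ACCOUNT_A_ROLE = "arn:aws:iam::111111111111:role/CrossAccountInvocationRole"  # assumption


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the SigV4 signing key: HMAC chain over date, region, service."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sigv4_headers(method, url, creds, region, service="execute-api", body=b"", amz_date=None):
    """Build the headers for a SigV4-signed request.

    creds is the dict shape returned by sts:AssumeRole: AccessKeyId,
    SecretAccessKey and SessionToken. The session token is sent as
    X-Amz-Security-Token and is part of the signed headers; without it
    API Gateway cannot resolve the temporary access key and answers 403.
    """
    amz_date = amz_date or dt.datetime.now(dt.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    parsed = urllib.parse.urlsplit(url)
    # Canonical URI: assumes an ASCII path that needs no further normalisation.
    path = urllib.parse.quote(parsed.path or "/", safe="/~")
    # Canonical query: pairs sorted by name, each name and value URL-encoded.
    query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(urllib.parse.parse_qsl(parsed.query, keep_blank_values=True))
    )
    headers = {"host": parsed.netloc, "x-amz-date": amz_date}
    if creds.get("SessionToken"):
        headers["x-amz-security-token"] = creds["SessionToken"]
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(body).hexdigest()
    canonical_request = "\n".join([method, path, query, canonical_headers, signed, payload_hash])
    # Credential scope must name the API's region, not the caller's.
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    key = signing_key(creds["SecretAccessKey"], date, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    out = {k: v for k, v in headers.items() if k != "host"}  # urllib sets Host itself
    out["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={creds['AccessKeyId']}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}"
    )
    return out


def assume_account_a_role(role_arn, session_name="cross-account-invoke"):
    """sts:AssumeRole from account B into the account-A role.
    Needs boto3 and network access, so it is only called from main."""
    import boto3  # not standard library; imported lazily on purpose
    sts = boto3.client("sts")
    return sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]


def invoke(url, creds, region):
    """GET the API with a signed request; returns (status, body)."""
    req = urllib.request.Request(url, headers=sigv4_headers("GET", url, creds, region))
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # A 403 body distinguishes plain "Forbidden" (no permission) from a
        # signature or credential-scope mismatch, which is the first thing to check.
        return err.code, err.read()


if __name__ == "__main__":
    creds = assume_account_a_role(ACCOUNT_A_ROLE)
    status, body = invoke(f"https://{API_ID}.execute-api.{REGION}.amazonaws.com/hello", creds, REGION)
    print(status, body[:200])
```

Two checks worth making when this still returns 403: the credentials used to sign must be the ones returned by assuming the account-A role (HTTP APIs do not support resource policies, so a principal from account B signing directly has nothing in account A granting it execute-api:Invoke), and the region in the Credential scope must be the API's own region; a signature computed with the wrong region or without the session token fails before the IAM policy is even evaluated.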
