Error Resource Policy On ApiGateway : AllowVPC Access

0

Hi,

I'm trying to use my API Gateway from my EC2 instance.

This is my policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:eu-west-3:*:*",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpc": "vpc-id"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:eu-west-3:*:*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "https://domain.com/*"
          ]
        }
      }
    }
  ]
}

The first statement isn't working at all. I get this message each time I call the API:

User: anonymous is not authorized to perform: execute-api on resource: arn:aws:execute-api:eu-west-3:******* /xx/xx/xx/xx**

The second statement is working perfectly.

Any ideas?

Thanks

3 Answers
2
Accepted Answer

Are you trying to access a public API from a VPC through a VPC endpoint? if this is the case it will not work and you must set internet connectivity using internet gateway and route from the VPC to access the public API (either through NAT GW or using direct public/elastic IP on the EC2 instance). VPC endpoints can only be used to access Private APIs.

Note that when you are going from the VPC through the internet to access the public API, the aws:sourceVpc condition key in the API gateway policy will not be available. So, if you want to restrict access to your API you'll need to use other condition key such as the aws:SourceIp.

You might also find this article helpful.

profile pictureAWS
EXPERT
answered 4 days ago
profile picture
EXPERT
reviewed 3 days ago
profile picture
EXPERT
reviewed 4 days ago
  • Thanks for you answer I'm using Api Gateway Invoke URL directly.. To explain you I created NLB internal to manage my APIs, after I created ApiGateway to use all my Apis from vpc etc And now I'm just tring to protect my ApiGateway with good policies, because my ApiGateway is open to public

  • So as I mentioned in my answer - the aws:sourceVpc condition key can only work if you are trying to reach the API gateway using VPC endpoint and that API gateway is Private. If you want to restrict access to your API you'll need to use other condition keys available when not using VPC endpoint. For example, by using the aws:SourceIp condition key and put the value of the public IP of your instance as seen from the internet. you can check it by running curl ifconfig.me from your EC2 instance)

  • OK understood !

    So How can I use private API ? I enabled Private DNS names

    And now I have Forbidden

    Last time i tried SourceIp with VPC blocks and it didn't work too..

  • To reach private API you need to create VPC endpoint. Then you'll be able to use the resource policy on the API gateway to further restrict access to your private API only from your VPC (aws:SourceVpc) and/or your VPC endpoint ID (aws:SourceVpce) and/or IP ranges from your VPC (aws:VpcSourceIp)

  • Yes I have : {"message":"Forbidden"} ...

0

Hi,

I believe that the right syntax for Principal is

"Principal": {
                "AWS": "*"
            },

Can you try by updating your policy accordingly?

Best,

Didier

profile pictureAWS
EXPERT
answered 4 days ago
  • No.. it didn't work ...

0

Is the first block working without the condition block i.e "aws:sourceVpc": "vpc-id"?

AWS
SUPPORT ENGINEER
answered 4 days ago
  • yes without condition block its working

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions