使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

API Gateway as Reverse HTTP Proxy to SQS

0

I am trying to use AWS API Gateway as a reverse (forwarding) proxy to AWS SQS. I essentially want to send a REST request to the API Gateway which then gets forwarded directly to the SQS REST API and returns the response.

When I send a request to the gateway, I immediately get back

<?xml version="1.0"?>
  <ErrorResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/">
    <Error>
      <Type>Sender</Type>
      <Code>AccessDenied</Code>
      <Message>Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.</Message>
      <Detail/>
    </Error>
    <RequestId>51c903b2-4da3-5d5e-a3b8-589ee72167de</RequestId>
  </ErrorResponse>

However, when I switch the request URL to SQS directly (https://sqs.us-east-1.amazonaws.com) the request succeeds.

What am I missing?

curl --request POST 'https://my-api-gateway.com/sqs' \
--header 'X-Amz-Date: <date>' \
--header 'X-Amz-Security-Token: <token>' \
--header 'Authorization: <auth>' \
--header 'Amz-Sdk-Invocation-Id: <invocation>' \
--header 'Amz-Sdk-Request: attempt=1; max=10' \
--header 'User-Agent: aws-sdk-go-v2/1.16.5 os/macos lang/go/1.18.3 md/GOOS/darwin md/GOARCH/arm64 api/sqs/1.18.6' \
--header 'Content-Length: 206' \
--data-urlencode 'Action=ReceiveMessage' \
--data-urlencode 'MaxNumberOfMessages=10' \
--data-urlencode 'QueueUrl=<my-queue-url>' \
--data-urlencode 'Version=2012-11-05' \
--data-urlencode 'WaitTimeSeconds=20'

Configuration:

  1. Integrations
  2. Routes
  3. Parameter Mappings
主题
无服务器前端 Web 和移动网络和内容交付应用程序集成
标签
亚马逊 API 网关亚马逊简单队列服务 (SQS)
语言
English
austinarbor
已提问 2 年前951 查看次数
2 回答
1
已接受的回答

In this case it is required to configure an IAM Role for API Gateway to assume with the required sqs:SendMessage permission as API Gateway will drop the Authorization header if it contains an AWS Signature. It's in the docs but well hidden under the header mapping table.

  • The Authorization header is dropped if it contains a Signature Version 4 signature.
Matthias Pichler
已回答 2 年前
0

Did you create a role for API Gateway that has a policy that allows API Gateway to interact with the SQS queue?

profile pictureAWS
专家
Indranil Banerjee AWS
已回答 2 年前
  • austinarbor
    2 年前

    just curious but why would that be required? I am strictly using the REST API which is passing the authentication headers to SQS. The gateway itself shouldn't really know that it's calling SQS should it?

  • Indranil Banerjee AWS 专家
    2 年前

    In this case the API Gateway receives the REST request but has to make an SQS API call behind the scenes, so it will need to be granted the access based on the principle of least privilege.

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容