Private API Gateway 403 errors

Question

I'm toying with API gateway and have run into an issue in which one account gets a 403 Forbidden Error.  VPCE's are setup in two accounts.  The Account where the api gateway and one of the VPCE's resides works just fine, however the second account does not.    The forbidden message is just that "Forbidden" so very unhelpful.  Any ideas on how to resolve the 403's?

Calling it like so:
```
curl -v https://vpce-0c868a4b1293a28b5-6gi9t6mm.execute-api.us-east-1.vpce.amazonaws.com/dev -H 'Host: abc123defg.execute-api.us-east-1.amazonaws.com'

```

Resource policy is as follows (I did replace the account id and actual api id with something random):

vpce-078ec1da4e3a0deb3 = VPCE in account where API gateway resides.
vpce-0c868a4b1293a28b5 = VPCE in secondary account.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:123456789123:abc123defg/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": [
                        "vpce-0925a8e90cbab6f12",
                        "vpce-078ec1da4e3a0deb3",
                        "vpce-0c868a4b1293a28b5"
                    ],
                    "aws:SourceIP": [
                        "10.0.0.0/8",
                        "63.237.3.169/32"
                    ],
                    "aws:sourceVpc": "vpc-06f730a7eb116c752"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:1234567891323:abc123defg/*"
        }
    ]
}
```

Accepted Answer

Hi,

Apart that you can troubleshoot further here: https://repost.aws/knowledge-center/api-gateway-private-cross-account-vpce,
Can you try to invoke the api gw as https://- As described in “associate/disassociate” section in https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html?

Let me know

Answer

And now the public is working too.  Maybe I forgot to re-deploy or I'm just really bad at copy pasta on Friday.  Thanks alatech.

Answer

I've followed those steps and I'm still getting 403 errors.  I actually followed them before I posted.  No matter the calling method, I always get 403 Forbidden error when calling from the secondary account.  Note, I have to use the public DNS in some cases due to non-vpc systems having to call the gateway.

UPDATE:  I did just do yet another re-deploy and tried the .execute-api.us-east-1.amazonaws.com method and it worked from within the secondary account VPC.  Now I just need to make it work via the public DNS.

Private API Gateway 403 errors

相关内容