使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

API Gateway as Reverse HTTP Proxy to SQS

0

I am trying to use AWS API Gateway as a reverse (forwarding) proxy to AWS SQS. I essentially want to send a REST request to the API Gateway which then gets forwarded directly to the SQS REST API and returns the response.

When I send a request to the gateway, I immediately get back

<?xml version="1.0"?>
  <ErrorResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/">
    <Error>
      <Type>Sender</Type>
      <Code>AccessDenied</Code>
      <Message>Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.</Message>
      <Detail/>
    </Error>
    <RequestId>51c903b2-4da3-5d5e-a3b8-589ee72167de</RequestId>
  </ErrorResponse>

However, when I switch the request URL to SQS directly (https://sqs.us-east-1.amazonaws.com) the request succeeds.

What am I missing?

curl --request POST 'https://my-api-gateway.com/sqs' \
--header 'X-Amz-Date: <date>' \
--header 'X-Amz-Security-Token: <token>' \
--header 'Authorization: <auth>' \
--header 'Amz-Sdk-Invocation-Id: <invocation>' \
--header 'Amz-Sdk-Request: attempt=1; max=10' \
--header 'User-Agent: aws-sdk-go-v2/1.16.5 os/macos lang/go/1.18.3 md/GOOS/darwin md/GOARCH/arm64 api/sqs/1.18.6' \
--header 'Content-Length: 206' \
--data-urlencode 'Action=ReceiveMessage' \
--data-urlencode 'MaxNumberOfMessages=10' \
--data-urlencode 'QueueUrl=<my-queue-url>' \
--data-urlencode 'Version=2012-11-05' \
--data-urlencode 'WaitTimeSeconds=20'

Configuration:

  1. Integrations
  2. Routes
  3. Parameter Mappings
主題
無伺服器前端網頁與行動裝置網路與內容交付應用程式整合
標籤
Amazon API GatewayAmazon Simple Queue Service
語言
English
austinarbor
已提問 2 年前檢視次數 951 次
2 個答案
1
已接受的答案

In this case it is required to configure an IAM Role for API Gateway to assume with the required sqs:SendMessage permission as API Gateway will drop the Authorization header if it contains an AWS Signature. It's in the docs but well hidden under the header mapping table.

  • The Authorization header is dropped if it contains a Signature Version 4 signature.
Matthias Pichler
已回答 2 年前
0

Did you create a role for API Gateway that has a policy that allows API Gateway to interact with the SQS queue?

profile pictureAWS
專家
Indranil Banerjee AWS
已回答 2 年前
  • austinarbor
    2 年前

    just curious but why would that be required? I am strictly using the REST API which is passing the authentication headers to SQS. The gateway itself shouldn't really know that it's calling SQS should it?

  • Indranil Banerjee AWS 專家
    2 年前

    In this case the API Gateway receives the REST request but has to make an SQS API call behind the scenes, so it will need to be granted the access based on the principle of least privilege.

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容