如何配置 AWS API 网关以从另一个 AWS 账户访问它

Question

I want to give access to IAM users from other accounts to be able to invoke my API.

I have these configurations in my API Gateway resource methods:

Authorization type: AWS_IAM (I tried with Auth type None as well..)

And Resource Policy defined as:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<ACCOUNT_2>:user/ApiUser"
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-west-2:<ACCOUNT_1>:<API_ID>/*/*/*"
        }
    ]
}

I have also given invoke permissions to the IAM user of the other account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": "arn:aws:execute-api:us-west-2:<ACCOUNT_1>:<API_ID>:test/GET/*"
        }
    ]
}

I have deployed the API to a stage named test .

Still, I see the below error when I invoke the API with the credentials from the other account's user:

{
    "message": "User: arn:aws:iam::<ACCOUNT_2>:user/ApiUser is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-<ACCOUNT_1>:<API_ID>/test/GET/foo/bar"
}

What am I missing here?

I followed this guide: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html

Answer 1

This has bitten me before, and may be your issue too.

After you SAVE your resource policy, you must ALSO deploy your API.

• In the menu on the left, click up one level
• Then under ACTIONS, select DEPLOY API