[英]How to configure AWS API Gateway to access it from another AWS account
I want to give access to IAM users from other accounts to be able to invoke my API.我想向其他账户的 IAM 用户授予访问权限,以便能够调用我的 API。
I have these configurations in my API Gateway resource methods:我的 API 网关资源方法中有这些配置:
Authorization type: AWS_IAM
(I tried with Auth type None
as well..) Authorization type: AWS_IAM
(我也尝试使用 Auth 类型None
..)
And Resource Policy defined as:资源策略定义为:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ACCOUNT_2>:user/ApiUser"
},
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-west-2:<ACCOUNT_1>:<API_ID>/*/*/*"
}
]
}
I have also given invoke permissions to the IAM user of the other account:我还向另一个账户的 IAM 用户授予了调用权限:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke"
],
"Resource": "arn:aws:execute-api:us-west-2:<ACCOUNT_1>:<API_ID>:test/GET/*"
}
]
}
I have deployed the API to a stage named test
.我已将 API 部署到名为test
的阶段。
Still, I see the below error when I invoke the API with the credentials from the other account's user:尽管如此,当我使用来自其他帐户用户的凭据调用 API 时,仍会看到以下错误:
{
"message": "User: arn:aws:iam::<ACCOUNT_2>:user/ApiUser is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-<ACCOUNT_1>:<API_ID>/test/GET/foo/bar"
}
What am I missing here?我在这里想念什么?
I followed this guide: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html我遵循了本指南: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html
This has bitten me before, and may be your issue too.这曾经咬过我,也可能是你的问题。
After you SAVE your resource policy, you must ALSO deploy your API.保存资源策略后,还必须部署 API。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.