What CIDR range should I use in my API Gateway resource policy to allow Lambda to call my endpoint?
I have set up the following resource policy in API Gateway to restrict access to a source IP (x is just a placeholder). When I manually hit the API endpoint from Postman, the policy correctly restricts access to only the CIDR range I specified in the resource policy below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:x:x/*/*/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:x:x/*/*/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "x.x.x.x/32"
          ]
        },
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-x"
        }
      }
    }
  ]
}
However, I have a Lambda function which also calls the same HTTPS API Gateway endpoint. This function essentially just passes test data into my API at hourly intervals. But the Lambda function is unable to hit the endpoint and gets a 403 Forbidden error. I tried adding the sourceVpc to the resource policy, but this did not seem to work. I also tried adding the VPC CIDR range too, but again this did not work.
Do you know what CIDR I should add to the resource policy to allow my Lambda to call my API endpoint too?
I added the NAT gateway IP of the subnets associated with my Lambda function to "aws:SourceIp" in the resource policy. This allowed my Lambda function to invoke the API Gateway successfully.
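As an added illustration (not code from the question or the answer), the following Python models how the Deny statement above is evaluated and why the NAT gateway IP fixes it. The account id, API id, office IP, VPC id and NAT gateway IP are constructed stand-ins for the "x" placeholders, and it assumes the Lambda's request reaches the public endpoint through the NAT gateway, so no aws:sourceVpc key is present in the request context.

```python
import copy
import ipaddress
import json

# The asker's resource policy, with constructed values replacing the "x" placeholders.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
     "Resource": "arn:aws:execute-api:us-east-1:111111111111:abc123/*/*/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
     "Resource": "arn:aws:execute-api:us-east-1:111111111111:abc123/*/*/*",
     "Condition": {
       "NotIpAddress": {"aws:SourceIp": ["203.0.113.10/32"]},
       "StringNotEquals": {"aws:sourceVpc": "vpc-0123456789abcdef0"}}}
  ]}""")
NAT_GATEWAY_IP = "198.51.100.7"  # constructed public IP of the Lambda subnets' NAT gateway


def deny_conditions(policy):
    """Return (allowed CIDR list, trusted VPC id) from the Deny statement's Condition."""
    deny = next(s for s in policy["Statement"] if s["Effect"] == "Deny")
    cond = deny["Condition"]
    return cond["NotIpAddress"]["aws:SourceIp"], cond["StringNotEquals"]["aws:sourceVpc"]


def evaluate(policy, source_ip, source_vpc=None):
    """Decide Allow/Deny for one request. The two Deny conditions are ANDed, and a
    negated condition (NotIpAddress / StringNotEquals) on a key that is absent from
    the request context evaluates to true. An explicit Deny wins over the Allow."""
    cidrs, trusted_vpc = deny_conditions(policy)
    addr = ipaddress.ip_address(source_ip)
    not_ip = not any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)
    not_vpc = source_vpc is None or source_vpc != trusted_vpc
    return "Deny" if (not_ip and not_vpc) else "Allow"


def allow_nat_gateway(policy, nat_ip):
    """Return a copy of the policy whose aws:SourceIp list also carries the NAT
    gateway address as a /32, which is the fix described in the answer."""
    fixed = copy.deepcopy(policy)
    cidrs, _ = deny_conditions(fixed)
    cidrs.append(f"{nat_ip}/32")
    return fixed


if __name__ == "__main__":
    print(evaluate(POLICY, "203.0.113.10"))                                     # Allow
    print(evaluate(POLICY, NAT_GATEWAY_IP))                                      # Deny
    print(evaluate(allow_nat_gateway(POLICY, NAT_GATEWAY_IP), NAT_GATEWAY_IP))   # Allow
```

Because the Lambda's traffic leaves the VPC with the NAT gateway's public address and no aws:sourceVpc value, the VPC condition alone cannot admit it; only the NAT address appearing in aws:SourceIp turns the Deny off.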