
What cidr range should I use in my api gateway resource policy to allow lambda to call my endpoint?

I have set up the following resource policy in api gateway to restrict access to a source IP (x is just a placeholder). When I manually hit the api endpoint from postman the policy correctly restricts access only to the cidr range I specified in the resource policy below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:x:x/*/*/*"
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:x:x/*/*/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "x.x.x.x/32"
                    ]
                },
                "StringNotEquals": {
                    "aws:sourceVpc": "vpc-x"
                }
            }
        }
    ]
}

However, I have a lambda function which also calls the same https api gateway endpoint. This function essentially just passes test data into my api at hourly intervals. But, the lambda function is unable to hit the endpoint and gets a 403 forbidden error. I tried adding the sourceVpc to the resource policy, but this did not seem to work. I also tried adding the vpc cidr range too, but again this did not work.

Do you know what cidr I should add to the resource policy to allow my lambda to call my api endpoint too?

I added the NAT gateway IP of the subnets associated with my lambda function to "aws:SourceIp" in the resource policy. This allowed my lambda function to invoke the API Gateway successfully.
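To make the question's 403 and the answer's fix concrete, here is an added example (not from the original post or its author) that models how IAM evaluates the Deny statement above. It assumes constructed placeholder values for the allowed client IP, the NAT gateway's Elastic IP, the VPC ID and the API ARN, and it models only the operators the policy uses: condition keys inside one statement are ANDed, values under one key are ORed, negated operators (NotIpAddress, StringNotEquals) are true when the key is absent from the request context, and an explicit Deny wins. The security-relevant point it shows: a Lambda in a VPC calling the public API endpoint egresses through the NAT gateway, so API Gateway sees the NAT's public IP and no aws:sourceVpc (that key is only populated for requests arriving through an execute-api interface VPC endpoint), which is why adding the VPC ID or the VPC CIDR did nothing and adding the NAT IP did.

```python
"""Toy evaluator for the API Gateway resource policy from the question.

Added example, not the original poster's code. Every IP, VPC ID and ARN
below is a constructed placeholder standing in for the question's "x".
"""
import copy
import ipaddress
import json

ALLOWED_CLIENT_IP = "203.0.113.10"   # constructed: the "x.x.x.x/32" Postman source
NAT_GATEWAY_EIP = "198.51.100.25"    # constructed: EIP of the NAT gateway the Lambda egresses through
VPC_ID = "vpc-0abc123"               # constructed placeholder for "vpc-x"
API_ARN = "arn:aws:execute-api:us-east-1:123456789012:abcdef1234/*/*/*"  # constructed

ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke", "Resource": API_ARN},
        {
            "Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke", "Resource": API_ARN,
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": [f"{ALLOWED_CLIENT_IP}/32"]},
                "StringNotEquals": {"aws:sourceVpc": VPC_ID},
            },
        },
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_matches(operator, key, values, ctx):
    """Evaluate one operator/key pair; the values under a key are ORed."""
    actual = ctx.get(key)
    if operator == "IpAddress":
        if actual is None:
            return False
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(c, strict=False)
                   for c in _as_list(values))
    if operator == "NotIpAddress":  # true when the key is absent, as IAM treats negated operators
        return not _condition_matches("IpAddress", key, values, ctx)
    if operator == "StringEquals":
        return actual is not None and actual in _as_list(values)
    if operator == "StringNotEquals":  # likewise true when the key is absent
        return not _condition_matches("StringEquals", key, values, ctx)
    raise ValueError(f"operator {operator} not modelled")


def _statement_applies(stmt, ctx):
    """All operator/key blocks in a statement's Condition must match (AND)."""
    for operator, keys in stmt.get("Condition", {}).items():
        for key, values in keys.items():
            if not _condition_matches(operator, key, values, ctx):
                return False
    return True


def evaluate(policy, ctx):
    """Return 'Allow' or 'Deny' for a request context; explicit Deny wins."""
    decision = "Deny"  # implicit deny until an Allow applies
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def with_nat_gateway_ip(policy, nat_ip):
    """The fix from the answer: add the NAT gateway EIP to the NotIpAddress list."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        cond = stmt.get("Condition", {})
        if "NotIpAddress" in cond:
            ips = _as_list(cond["NotIpAddress"]["aws:SourceIp"])
            cond["NotIpAddress"]["aws:SourceIp"] = ips + [f"{nat_ip}/32"]
    return fixed


# Constructed request contexts as API Gateway would see them.
POSTMAN_FROM_ALLOWED_IP = {"aws:SourceIp": ALLOWED_CLIENT_IP}
POSTMAN_FROM_ELSEWHERE = {"aws:SourceIp": "192.0.2.77"}
# Lambda in a VPC -> NAT gateway -> public endpoint: NAT EIP, no aws:sourceVpc key.
LAMBDA_VIA_NAT = {"aws:SourceIp": NAT_GATEWAY_EIP}
# Only traffic through an execute-api interface VPC endpoint carries aws:sourceVpc.
LAMBDA_VIA_VPC_ENDPOINT = {"aws:SourceIp": "10.0.1.5", "aws:sourceVpc": VPC_ID}

if __name__ == "__main__":
    fixed = with_nat_gateway_ip(ORIGINAL_POLICY, NAT_GATEWAY_EIP)
    for name, ctx in [("postman allowed ip", POSTMAN_FROM_ALLOWED_IP),
                      ("postman elsewhere", POSTMAN_FROM_ELSEWHERE),
                      ("lambda via NAT", LAMBDA_VIA_NAT),
                      ("lambda via VPC endpoint", LAMBDA_VIA_VPC_ENDPOINT)]:
        print(f"{name:24s} original={evaluate(ORIGINAL_POLICY, ctx):5s} fixed={evaluate(fixed, ctx)}")
    print(json.dumps(fixed, indent=2))
```

Running it shows the Lambda-via-NAT request is denied by the original policy and allowed once the NAT EIP is in the list, while an unrelated internet IP stays denied either way. The caveat for a defender is that the NAT EIP is shared by everything in those private subnets, so the allow covers any workload egressing through that NAT gateway, not just the Lambda; if tighter scoping is needed, a private API with an execute-api VPC endpoint lets aws:sourceVpc (or aws:sourceVpce) do the restricting instead.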


