AWS Config API 返回 403：禁止错误

Question

I am testing AWS Config APIs using postman and cannot figure out root cause of 403 forbidden error. The authorization is setup using AWS Signature (4) with the awsAccessKeyId and awsSecretAccessKey of the user who has following policies attached:

AWSConfigRoleForOrganizations, AWSConfigRole, AWSConfigUserAccess and AWSConfigRulesExecutionRole

curl --location --request POST 'https://config.us-west-2.amazonaws.com/?Action=ListDiscoveredResources&AUTHPARAMS&Version=2010-05-08' \
--header 'X-Amz-Content-Sha256: {generatedHash}' \
--header 'X-Amz-Date: 20200531T194002Z' \
--header 'Authorization: AWS4-HMAC-SHA256 Credential={accessKeyId}/20200531/us-west-2/config/aws4_request, SignedHeaders=content-length;host;x-amz-content-sha256;x-amz-date, Signature={signature}' \
--header 'Content-Type: text/plain' \
--data-raw '{
    "resourceType": "AWS::EC2::Instance"
}

I cannot find any example of URL parameter or HTTP header requirements for AWS Config API online.Has anyone been able to successfully authentication with AWS Config API if so, provide an example of Parameters or Request Header?

Answer 1

I was able to successfully fix the 403 forbidden error. The Parameter and HTTP header blow work properly and return the response 200:

curl --location --request POST 'https://config.us-west-2.amazonaws.com/?Action=ListDiscoveredResources&AUTHPARAMS&Version=2010-05-08' \ --header 'Content-Type: application/x-amz-json-1.1' \ --header 'X-Amz-Target: StarlingDoveService.ListDiscoveredResources' \

(omitted rest of header for simplicity)

Having said that, I am still not sure about 'X-Amz-Target: StarlingDoveService.ListDiscoveredResources' . There is no mention of it in in AWS documentation for AWS Config API . Stumbled upon it from the AWS discuss forum by luck.