I want to give access to IAM users from other accounts to be able to invoke my API.
I have these configurations in my API Gateway resource methods:
Authorization type: AWS_IAM
(I tried with Auth type None
as well..)
And Resource Policy defined as:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ACCOUNT_2>:user/ApiUser"
},
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-west-2:<ACCOUNT_1>:<API_ID>/*/*/*"
}
]
}
I have also given invoke permissions to the IAM user of the other account:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke"
],
"Resource": "arn:aws:execute-api:us-west-2:<ACCOUNT_1>:<API_ID>:test/GET/*"
}
]
}
I have deployed the API to a stage named test
.
Still, I see the below error when I invoke the API with the credentials from the other account's user:
{
"message": "User: arn:aws:iam::<ACCOUNT_2>:user/ApiUser is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-<ACCOUNT_1>:<API_ID>/test/GET/foo/bar"
}
What am I missing here?
I followed this guide: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html
This has bitten me before, and may be your issue too.
After you SAVE your resource policy, you must ALSO deploy your API.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.