
AWS API Gateway: User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:

I have created the API Gateway with Terraform and I am then attaching APIs to it using the Serverless framework.

I have created a resource policy based on this AWS tutorial ( https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-resource-policy-access/ ), as I want to be able to use custom API Gateway domains but I do not want my APIs accessible by anyone over the internet unless their IP address is in my whitelist.

Here is my rendered policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "allow",
            "Effect": "Allow",
            "Principal": "*",
            "Resource": "arn:aws:execute-api:eu-west-1:*:/*/*/*"
        },
        {
            "Sid": "ipwhitelist",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-west-1:*:/*/*/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                       <<excluded>>
                    ]
                }
            }
        }
    ]
}

I have redeployed my API and now I am blocked regardless of whether my IP address is in the allowed list or not, and according to the tutorial this should work.

I have also tested the policy by removing the entire deny section so it only allows all traffic, and this still results in my calls being blocked. When I delete the policy and then redeploy my serverless project it works again, so with that being said, is there a reason why the allow policy would still block all IP addresses?

I am looking for ideas of where to look to find out why the white list is not working.

The answer to this is that I was missing a permission from my allow policy: the explicit allow is required to allow anything that is then excluded by the deny policy, but it was missing any actions. I had to ensure the following was present in the Terraform that generated the allow part of the policy:

actions = ["execute-api:Invoke"]

This is then translated into the following in the actual IAM policy:

"Action": "execute-api:Invoke"
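For reference, here is an added example (not the poster's Terraform) of a complete `aws_iam_policy_document` that renders both statements of the policy above with the `execute-api:Invoke` action present on the allow statement as well as the deny. The resource name `aws_api_gateway_rest_api.this`, the variable name `allowed_cidrs` and the CIDR `203.0.113.0/24` are placeholders, not values from the question.

```hcl
# Assumed: the REST API is managed elsewhere as aws_api_gateway_rest_api.this
# and the allowed source ranges are supplied through this variable.
variable "allowed_cidrs" {
  type    = list(string)
  default = ["203.0.113.0/24"] # placeholder range, replace with your whitelist
}

data "aws_iam_policy_document" "api_gateway" {
  # Explicit Allow: without "actions" this statement grants nothing,
  # so every caller falls through to the implicit deny.
  statement {
    sid    = "allow"
    effect = "Allow"

    principals {
      type        = "*"
      identifiers = ["*"] # rendered as "Principal": "*"
    }

    actions   = ["execute-api:Invoke"]
    resources = ["arn:aws:execute-api:eu-west-1:*:/*/*/*"]
  }

  # Explicit Deny for any source IP that is NOT in the whitelist.
  # An explicit deny always overrides the allow above.
  statement {
    sid    = "ipwhitelist"
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions   = ["execute-api:Invoke"]
    resources = ["arn:aws:execute-api:eu-west-1:*:/*/*/*"]

    condition {
      test     = "NotIpAddress"
      variable = "aws:SourceIp"
      values   = var.allowed_cidrs
    }
  }
}

# Attach the rendered JSON to the API as its resource policy.
# The API still has to be deployed again before the policy takes effect.
resource "aws_api_gateway_rest_api_policy" "this" {
  rest_api_id = aws_api_gateway_rest_api.this.id
  policy      = data.aws_iam_policy_document.api_gateway.json
}
```

After `terraform apply`, `terraform output` or a `terraform console` lookup of `data.aws_iam_policy_document.api_gateway.json` lets you confirm that each statement carries an `"Action"` key before redeploying the API; a statement with a missing action is exactly the failure mode the question describes, and it is only visible in the rendered JSON, not in the Terraform plan for the policy resource.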
