Are you trying to access a public API from a VPC through a VPC endpoint? If this is the case it will not work, and you must set up internet connectivity using an internet gateway and a route from the VPC to access the public API (either through a NAT GW or using a direct public/elastic IP on the EC2 instance). VPC endpoints can only be used to access private APIs.
Note that when you are going from the VPC through the internet to access the public API, the aws:sourceVpc condition key in the API Gateway policy will not be available. So, if you want to restrict access to your API you'll need to use other condition keys such as aws:SourceIp.
You might also find this article helpful.
Hi,
I believe that the right syntax for Principal is
"Principal": {
    "AWS": "*"
},
Can you try updating your policy accordingly?
Best,
Didier
No.. it didn't work ...
Is the first block working without the condition block, i.e. "aws:sourceVpc": "vpc-id"?
Yes, without the condition block it's working.
Thanks for your answer. I'm using the API Gateway Invoke URL directly. To explain: I created an internal NLB to manage my APIs, then I created API Gateway to use all my APIs from the VPC etc. And now I'm just trying to protect my API Gateway with good policies, because my API Gateway is open to the public.
So as I mentioned in my answer - the aws:sourceVpc condition key can only work if you are trying to reach the API Gateway using a VPC endpoint and that API Gateway is private. If you want to restrict access to your API you'll need to use other condition keys available when not using a VPC endpoint. For example, by using the aws:SourceIp condition key and putting in the value of the public IP of your instance as seen from the internet (you can check it by running curl ifconfig.me from your EC2 instance).
OK understood!
So how can I use a private API? I enabled Private DNS names.
And now I have Forbidden.
Last time I tried SourceIp with VPC blocks and it didn't work either..
To reach a private API you need to create a VPC endpoint. Then you'll be able to use the resource policy on the API Gateway to further restrict access to your private API only from your VPC (aws:SourceVpc) and/or your VPC endpoint ID (aws:SourceVpce) and/or IP ranges from your VPC (aws:VpcSourceIp).
Yes I have: {"message":"Forbidden"} ...
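The answers above make one point that is easy to miss when a policy "works without the condition block": a Deny keyed on aws:SourceVpc fires for any request whose context lacks that key, which is exactly what happens when a public API is reached over the internet. The toy evaluator below is an added example, not code from this thread or from AWS. It models IAM's handling of present and missing condition keys for the four operators used here (StringEquals, StringNotEquals, IpAddress, NotIpAddress) and runs two policies, one for a private API reached through a VPC endpoint and one for a public API keyed on aws:SourceIp, against two constructed request contexts. The VPC id, endpoint id, account id, API id and IP addresses are constructed sample values.

```python
"""Toy evaluator showing why aws:SourceVpc conditions return Forbidden
for a public API reached over the internet.

Added example, not the thread's own code. Models only the operators used
here; all identifiers and addresses below are constructed sample values.
"""
import ipaddress

# Constructed sample values (not from the thread or any real account).
VPC_ID = "vpc-0123456789abcdef0"
VPCE_ID = "vpce-0fedcba9876543210"
EGRESS_IP = "203.0.113.10"   # what `curl ifconfig.me` would show from the instance
API_ARN = "arn:aws:execute-api:eu-west-1:123456789012:abcdef1234/*"

# Request context of a private API called through the interface VPC endpoint:
# the VPC keys are populated, aws:SourceIp is not.
PRIVATE_VIA_VPCE = {
    "aws:SourceVpc": VPC_ID,
    "aws:SourceVpce": VPCE_ID,
    "aws:VpcSourceIp": "10.0.1.25",
}
# Request context of a public API called over the internet (NAT GW / EIP):
# only the caller's public IP is present, the VPC keys are absent.
PUBLIC_VIA_INTERNET = {"aws:SourceIp": EGRESS_IP}

def _policy(deny_condition: dict) -> dict:
    """Allow everyone, then Deny unless the condition keys identify our network."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "execute-api:Invoke", "Resource": API_ARN},
            {"Effect": "Deny", "Principal": {"AWS": "*"},
             "Action": "execute-api:Invoke", "Resource": API_ARN,
             "Condition": deny_condition},
        ],
    }

# Private API: restrict to our VPC (aws:SourceVpce or aws:VpcSourceIp work the same way).
PRIVATE_API_POLICY = _policy({"StringNotEquals": {"aws:SourceVpc": VPC_ID}})
# Public API: the VPC keys never arrive, so key on the public source IP instead.
PUBLIC_API_POLICY = _policy({"NotIpAddress": {"aws:SourceIp": EGRESS_IP + "/32"}})

def _ip_in(value: str, networks: list) -> bool:
    addr = ipaddress.ip_address(value)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def _condition_matches(cond: dict, ctx: dict) -> bool:
    """True if every operator block is satisfied by the request context.

    Positive operators fail when the key is missing; negated operators
    succeed when the key is missing (IAM semantics without ...IfExists).
    """
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            present = key in ctx
            if operator == "StringEquals":
                if not (present and ctx[key] in values):
                    return False
            elif operator == "StringNotEquals":
                if present and ctx[key] in values:
                    return False
            elif operator == "IpAddress":
                if not (present and _ip_in(ctx[key], values)):
                    return False
            elif operator == "NotIpAddress":
                if present and _ip_in(ctx[key], values):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True

def evaluate(policy: dict, ctx: dict) -> str:
    """Simplified resource-policy evaluation: explicit Deny wins over Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"

if __name__ == "__main__":
    for name, policy in (("private-api", PRIVATE_API_POLICY), ("public-api", PUBLIC_API_POLICY)):
        for ctx_name, ctx in (("via VPCE", PRIVATE_VIA_VPCE), ("via internet", PUBLIC_VIA_INTERNET)):
            print(f"{name:12} {ctx_name:13} -> {evaluate(policy, ctx)}")
```

Running it shows the private-API policy allowing the VPC-endpoint request and denying the internet request (the missing aws:SourceVpc key makes StringNotEquals true, which is the {"message":"Forbidden"} seen in the thread), while the public-API policy allows only the expected egress IP and denies a different public address.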