Error Resource Policy On ApiGateway : AllowVPC Access

0

Hi,

I'm trying to use my API Gateway from my EC2 instance.

This is my policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:eu-west-3:*:*",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpc": "vpc-id"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:eu-west-3:*:*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "https://domain.com/*"
          ]
        }
      }
    }
  ]
}

The first statement isn't working at all. I get this message each time I call the API:

User: anonymous is not authorized to perform: execute-api on resource: arn:aws:execute-api:eu-west-3:******* /xx/xx/xx/xx**

The second statement is working perfectly.

Any ideas?

Thanks

3 Answers
2
Accepted Answer

Are you trying to access a public API from a VPC through a VPC endpoint? If this is the case it will not work, and you must set up internet connectivity using an internet gateway and a route from the VPC to access the public API (either through a NAT GW or using a direct public/elastic IP on the EC2 instance). VPC endpoints can only be used to access Private APIs.

Note that when you are going from the VPC through the internet to access the public API, the aws:sourceVpc condition key in the API Gateway policy will not be available. So, if you want to restrict access to your API you'll need to use other condition keys, such as aws:SourceIp.

You might also find this article helpful.

AWS
EXPERT
answered a month ago
  • Thanks for your answer. I'm using the API Gateway Invoke URL directly. To explain: I created an internal NLB to manage my APIs, after that I created the API Gateway to use all my APIs from the VPC etc. And now I'm just trying to protect my API Gateway with good policies, because my API Gateway is open to the public.

  • So as I mentioned in my answer - the aws:sourceVpc condition key can only work if you are trying to reach the API Gateway using a VPC endpoint and that API Gateway is Private. If you want to restrict access to your API you'll need to use other condition keys available when not using a VPC endpoint. For example, by using the aws:SourceIp condition key and putting in the value of the public IP of your instance as seen from the internet (you can check it by running curl ifconfig.me from your EC2 instance).

  • OK, understood!

    So how can I use a private API? I enabled Private DNS names.

    And now I get Forbidden.

    Last time I tried SourceIp with VPC blocks and it didn't work either..

  • To reach a private API you need to create a VPC endpoint. Then you'll be able to use the resource policy on the API Gateway to further restrict access to your private API only from your VPC (aws:SourceVpc) and/or your VPC endpoint ID (aws:SourceVpce) and/or IP ranges from your VPC (aws:VpcSourceIp).

  • Yes I have : {"message":"Forbidden"} ...
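For the private-API path described in the accepted answer, this is the resource policy shape to use; it is an added example, not a policy from the thread or from AWS's documentation for this question. It assumes the API's endpoint type has been set to PRIVATE and that an execute-api interface endpoint exists in the VPC; the endpoint ID vpce-0123456789abcdef0 is a constructed placeholder, and the region follows the question's eu-west-3.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:eu-west-3:*:*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:eu-west-3:*:*"
    }
  ]
}
```

The explicit Deny keeps any caller that did not arrive through that endpoint out even if a later statement would allow it; a resource policy change only takes effect after the API is redeployed to its stage, which is a common cause of a lingering {"message":"Forbidden"}.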

0

Hi,

I believe that the right syntax for Principal is

"Principal": {
  "AWS": "*"
},

Can you try by updating your policy accordingly?

Best,

Didier

AWS
EXPERT
answered a month ago
  • No.. it didn't work...

0

Is the first block working without the condition block, i.e. "aws:sourceVpc": "vpc-id"?

AWS
SUPPORT ENGINEER
answered a month ago
  • Yes, without the condition block it's working.