5
votes

I have a REST API Lambda function deployed to a private subnet, where the API Gateway type is private. Following this I have set up a vpc endpoint to private API gateway to the two public subnets of the same vpc as the lambda functions private subnet. The corresponding security group of the vpce allows all traffic.

If I try to query the API endpoint from an EC2 instance in the public subnet, I get the following error:

 anonymous is not authorized to perform: execute-api:Invoke on the resource.

I cannot find the issue, as the resource policy of the private API gateway looks as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:xxxxxxx:xxxxxx/*",
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpce": "vpce-xxxxxxxx"
                }
            }
        }
    ]
}

What am I missing?

3

The template I used had sourceVpc instead of the sourceVpce, which was causing some issues.

ritratt

3 Answers

1
votes

Actually, what @peterhack said was the answer for me as well. Using the provided template "VPC Whitelist" with all the placeholders left in was the problem:

...xxx:/{{stageNameOrWildcard}}/{{httpVerbOrWildcard}}/{{resourcePathOrWildcard}}

Replacing it with ...xxx:*/* fixed it.
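Both mistakes in this thread (the unreplaced `{{...}}` placeholders in the Resource ARN from this answer, and `aws:sourceVpc` being used where `aws:sourceVpce` was meant, from the question's comment) are mechanical enough to catch before deploying. The following is an added example, not code from the thread or from AWS: a small lint over an API Gateway resource policy that flags leftover template placeholders and condition values whose id prefix (`vpc-` vs `vpce-`) does not fit the condition key, plus a fixer that wildcards the placeholders. The account, API and endpoint ids in the sample policy are constructed.

```python
import json
import re

# Constructed sample (hypothetical account, API and endpoint ids): the policy
# from the question with both mistakes discussed in the thread left in place,
# i.e. the template placeholders in Resource and aws:sourceVpc holding a vpce- id.
TEMPLATE_POLICY = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:111122223333:abcdef1234/{{stageNameOrWildcard}}/{{httpVerbOrWildcard}}/{{resourcePathOrWildcard}}",
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpc": "vpce-0123456789abcdef0"
                }
            }
        }
    ]
}
"""

PLACEHOLDER = re.compile(r"\{\{[^{}]*\}\}")

# IAM matches condition keys case-insensitively, so keys are compared lower-cased.
# Each key is paired with the id prefix its value must carry.
ID_PREFIX = {"aws:sourcevpce": "vpce-", "aws:sourcevpc": "vpc-"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _load(policy):
    # Accept either a JSON string or an already-parsed dict; always return a fresh copy.
    return json.loads(policy if isinstance(policy, str) else json.dumps(policy))


def lint_policy(policy):
    """Return a list of human-readable problems found in a resource policy."""
    policy = _load(policy)
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        for res in _as_list(stmt.get("Resource", [])):
            if PLACEHOLDER.search(res):
                problems.append(f"statement {i}: unreplaced placeholder in Resource {res!r}")
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, values in pairs.items():
                prefix = ID_PREFIX.get(key.lower())
                if prefix is None:
                    continue
                for v in _as_list(values):
                    if not v.startswith(prefix):
                        problems.append(
                            f"statement {i}: {operator} on {key} expects an id starting "
                            f"with {prefix!r} but got {v!r}"
                        )
    return problems


def fill_wildcards(resource_arn):
    """Replace every {{...}} placeholder with '*', giving the .../*/*/* form."""
    return PLACEHOLDER.sub("*", resource_arn)


def fix_policy(policy):
    """Return a corrected copy: wildcard the placeholders and move a vpce- id
    that was put under aws:sourceVpc to aws:SourceVpce."""
    fixed = _load(policy)
    for stmt in fixed.get("Statement", []):
        resources = [fill_wildcards(r) for r in _as_list(stmt.get("Resource", []))]
        stmt["Resource"] = resources[0] if len(resources) == 1 else resources
        for pairs in stmt.get("Condition", {}).values():
            for key in list(pairs):
                if key.lower() == "aws:sourcevpc" and all(
                    v.startswith("vpce-") for v in _as_list(pairs[key])
                ):
                    pairs["aws:SourceVpce"] = pairs.pop(key)
    return fixed


if __name__ == "__main__":
    for problem in lint_policy(TEMPLATE_POLICY):
        print("problem:", problem)
    print(json.dumps(fix_policy(TEMPLATE_POLICY), indent=2))
```

Run it against the policy you are about to attach; an empty problem list from `lint_policy` on the output of `fix_policy` is the state you want before redeploying.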

0
votes

I have reviewed the docs you have provided links to and what you have written. I believe I found the cause of your access problem.

You mention that you created an EC2 instance in the public subnet. By default that subnet will have an internet gateway available, so in fact your VPC endpoint won't be used to access the private API Gateway. In the docs they also say the following:

To emphasize the “privateness” of this API, test it from a resource that only lives inside your VPC and has no direct network access to it, in the traditional networking sense.

Assuming your policy is correct, the correct region is used in your resource block and your VPC endpoint id is correct, you simply need to spin up another EC2 instance inside the private subnet. Then the following process should work:

  1. ssh onto instance in public subnet
  2. from public instance ssh into the instance in the private subnet
  3. perform invoke action from that EC2 instance in private subnet
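The reason a call that does not traverse the endpoint fails with "anonymous is not authorized" is that the request context then carries no `aws:SourceVpce` key, so the `StringEquals` condition on the single Allow statement cannot match and the implicit deny applies. The following added example (not from the thread or from AWS) models that evaluation for the corrected policy with a deliberately small subset of IAM logic: `StringEquals`/`StringNotEquals` only, glob matching on Action and Resource, explicit Deny over Allow over implicit deny. Ids and request contexts are constructed.

```python
import fnmatch
import json

# Constructed policy (hypothetical ids), already in its corrected form: only
# calls arriving through the named VPC endpoint are allowed.
POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:111122223333:abcdef1234/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpce": "vpce-0123456789abcdef0"
                }
            }
        }
    ]
}
""")

RESOURCE = "arn:aws:execute-api:eu-central-1:111122223333:abcdef1234/prod/GET/items"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _conditions_match(condition, context):
    """StringEquals / StringNotEquals over a request context whose keys are
    compared case-insensitively. A key absent from the context never satisfies
    StringEquals: that is what happens when a call bypasses the endpoint."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key.lower())
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(wanted):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(wanted):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled in this example")
    return True


def evaluate(policy, action, resource, context):
    """Simplified IAM decision: an explicit Deny wins, any matching Allow allows,
    otherwise the implicit deny applies (the 'not authorized' error)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_match(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


# Constructed request contexts as the policy would see them:
# 1. a call that left through the internet gateway carries no endpoint id;
# 2. a call that traversed the interface endpoint carries the endpoint and VPC ids;
# 3. a call through some other endpoint carries a non-matching id.
VIA_INTERNET_GATEWAY = {"aws:SourceIp": "203.0.113.10"}
VIA_ENDPOINT = {"aws:SourceVpce": "vpce-0123456789abcdef0", "aws:SourceVpc": "vpc-0fedcba9876543210"}
VIA_OTHER_ENDPOINT = {"aws:SourceVpce": "vpce-ffffffffffffffff0"}

if __name__ == "__main__":
    cases = [("internet gateway", VIA_INTERNET_GATEWAY),
             ("endpoint", VIA_ENDPOINT),
             ("other endpoint", VIA_OTHER_ENDPOINT)]
    for name, ctx in cases:
        print(f"{name:17s}: {evaluate(POLICY, 'execute-api:Invoke', RESOURCE, ctx)}")
```

Only the call whose context carries the matching `aws:SourceVpce` evaluates to Allow; the other two fall through to the implicit deny, which is the outcome the question reports from the public-subnet instance.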

0
votes

Could you check your security group on the api gateway endpoints? You need to use

Ingress: HTTPS from the source CIDR of your VPC.

Egress: all traffic, 0.0.0.0/0

I found that if you use an sg- reference in the SG (ingress), it won't work. After I changed it to a CIDR, it works now. I can call this API from the bastion machine.