10 votes

I have an S3 bucket that acts as a static website and I am using API Gateway to distribute traffic to it. I understand CloudFront is a better option here, but please do not suggest it. It is not an option, due to reasons I won't go into.

I am accomplishing my solution by configuring a {proxy+} resource.

I would like to only allow access to the S3 website from the API Gateway proxy resource. Is there a way I can provide an execution role to the proxy resource, similarly to how you can provide an execution role to a resource that runs a Lambda function?

The integration request portion of the proxy resource doesn't seem to have an execution role.

Or is there a way I can assign a role to the entire API Gateway to provide it the right to access the S3 bucket?

Other things I have tried:

  1. Editing the bucket policy to only allow traffic from the API Gateway service:

    {
      "Version": "2012-10-17",
      "Id": "apiGatewayOnly",
      "Statement": [
        {
          "Sid": "apiGW",
          "Effect": "Allow",
          "Principal": { "Service": ["api-gateway-amazonaws.com"] },
          "Action": "s3:GetObject",
          "Resource": "http://test-proxy-bucket-01.s3-website.us-east-2.amazonaws.com/*"
        }
      ]
    }

  2. Editing the bucket policy to only allow traffic from API Gateway's URL:

    {
      "Version": "2012-10-17",
      "Id": "http referer policy example",
      "Statement": [
        {
          "Sid": "Allow get requests originating from www.example.com and example.com.",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "http://test-proxy-bucket-01.s3-website.us-east-2.amazonaws.com/*",
          "Condition": {
            "StringLike": {
              "aws:Referer": [
                "https://xxxxxxx.execute-api.us-east-2.amazonaws.com/prod/",
                "http://xxxxxxxx.execute-api.us-east-2.amazonaws.com/prod"
              ]
            }
          }
        }
      ]
    }

1 Answer

5 votes

  1. Create a private S3 bucket
  2. Create an IAM role that can access the bucket. Set the trusted entity/principal who can assume this role to apigateway.amazonaws.com
  3. Use the AWS service integration type and select S3. Set the execution role to the role created in step 2

Refer to docs for more details.

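The three steps above, worked through as an added example (this is not code from the question or the answer): the trust policy and least-privilege permissions for the role, a bucket policy that denies reads to every principal except that role, the integration settings for `GET /{proxy+}`, and a small simplified policy evaluator that shows the Deny winning over an otherwise broad identity policy. The account id, role name and user name are constructed placeholders; the bucket name and region are the ones from the question.

```python
"""Added example, not code from the question or the answer: the policy
documents and integration settings behind the three steps, plus a minimal
IAM-style evaluator showing why only the integration role can read the
bucket. Account id, role name and user name are constructed placeholders;
the bucket name and region are the ones from the question."""
import fnmatch
import json

REGION = "us-east-2"
BUCKET = "test-proxy-bucket-01"
ACCOUNT_ID = "111122223333"                                     # placeholder
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ApiGatewayS3Proxy"  # constructed
OTHER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/alice"             # constructed


def trust_policy():
    """Step 2: only the API Gateway service principal may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def role_permissions_policy(bucket):
    """Step 2: least privilege, read-only on objects in this one bucket.
    Note the S3 ARN form rather than the website URL used in the question."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def bucket_policy(bucket, role_arn):
    """Hardening on top of step 1: deny reads to any principal other than the
    integration role. aws:PrincipalArn is the role ARN for assumed-role
    sessions, so no session name has to be known in advance."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyAllButApiGatewayRole",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringNotEquals": {"aws:PrincipalArn": role_arn}}}]}


def s3_integration(region, bucket, role_arn):
    """Step 3: AWS service integration for GET /{proxy+}; the execution role
    goes in 'credentials' and the {proxy} path segment selects the object."""
    return {
        "type": "AWS",
        "integrationHttpMethod": "GET",
        "uri": f"arn:aws:apigateway:{region}:s3:path/{bucket}/{{proxy}}",
        "credentials": role_arn,
        "requestParameters": {
            "integration.request.path.proxy": "method.request.path.proxy"}}


def admin_identity_policy():
    """A broad identity policy for a different principal in the same account,
    used to show that the bucket Deny still wins."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


# Simplified evaluator: an explicit Deny wins, otherwise some Allow is needed.

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_applies(stmt, principal_arn, action, resource, context):
    principal = stmt.get("Principal")  # absent in identity policies
    if principal not in (None, "*") and principal_arn not in _as_list(principal.get("AWS", [])):
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def is_allowed(identity_policy, resource_policy, principal_arn, action, resource):
    """Same-account semantics: any applicable Allow grants unless a Deny applies."""
    context = {"aws:PrincipalArn": principal_arn}
    allowed = False
    for policy in (identity_policy, resource_policy):
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, principal_arn, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/index.html"
    print(json.dumps(bucket_policy(BUCKET, ROLE_ARN), indent=2))
    print("role reads:", is_allowed(role_permissions_policy(BUCKET),
                                    bucket_policy(BUCKET, ROLE_ARN), ROLE_ARN, "s3:GetObject", obj))
    print("alice reads:", is_allowed(admin_identity_policy(),
                                     bucket_policy(BUCKET, ROLE_ARN), OTHER_ARN, "s3:GetObject", obj))
```

Two caveats worth knowing when applying this: the S3 service integration talks to the S3 REST API, not the website endpoint, so the bucket's index and error document behaviour does not apply and `index.html` has to be requested explicitly (or mapped in the integration); and the evaluator above only models same-account Allow/Deny with string conditions, so it is a sanity check on the policy shape, not a substitute for the IAM policy simulator.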