AWS API Gateway - Private Endpoint - message forbidden

2
votes

I am trying to setup a private AWS API Gateway and connect to it from my laptop. The laptop resides in a network which is AWS Direct Connect'ed to a private VPC. I am using the toy-example "PetStore" API provided by AWS for this purpose.

According to this guide:

  • established a API Gateway service endpoint to my VPC (private DNS disabled)
  • gave it a security group that allows ALL inbound traffic from the local network (in which my laptop resides)
  • created the API Gateway as private API
  • updated the resource policy
  • deployed the API as stage V1

Assume:

  • AWS account number: 123456789012
  • AWS region: eu-central-1
  • API Gateway ID: abcdefghij
  • API Stage: V1
  • VPC Endpoint Domanin: vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com
  • VPC Endpoint IP: 10.10.10.10

To invoke my API, I call the following cURL command:

curl -v https://vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com/V1/pets -H 'Host: abcdefghij.execute-api.eu-central-1.amazonaws.com' --noproxy "*"

and this is the result:

*   Trying 10.10.10.10...
* TCP_NODELAY set
* Connected to vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com (10.54.251.244) port 443 (#0)
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 240 bytes...
* schannel: sent initial handshake data: sent 240 bytes
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4000
* schannel: encrypted data buffer: offset 4000 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 5024 length 5024
* schannel: encrypted data length: 95
* schannel: encrypted data buffer: offset 95 length 5024
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 252
* schannel: encrypted data buffer: offset 347 length 5024
* schannel: sending next handshake data: sending 126 bytes...
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 51
* schannel: encrypted data buffer: offset 51 length 5024
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET /V1/pets HTTP/1.1
> Host: vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 364
* schannel: encrypted data buffer: offset 364 length 103424
* schannel: decrypted data length: 283
* schannel: decrypted data added: 283
* schannel: decrypted data cached: offset 283 length 102400
* schannel: encrypted data length: 52
* schannel: encrypted data cached: offset 52 length 103424
* schannel: decrypted data length: 23
* schannel: decrypted data added: 23
* schannel: decrypted data cached: offset 306 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 306 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 306
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 403 Forbidden
< Server: Server
< Date: Fri, 25 Oct 2019 11:32:01 GMT
< Content-Type: application/json
< Content-Length: 23
< Connection: keep-alive
< x-amzn-RequestId: a5aa9f76-4e3b-4315-838a-e859fa192ade
< x-amzn-ErrorType: ForbiddenException
< x-amz-apigw-id: jdsak!291kd
<
{"message":"Forbidden"}* Connection #0 to host vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com left intact
* Rebuilt URL to: abcdefghij.execute-api.eu-central-1.amazonaws.com'/
* Could not resolve host: abcdefghij.execute-api.eu-central-1.amazonaws.com'
* Closing connection 1
curl: (6) Could not resolve host: abcdefghij.execute-api.eu-central-1.amazonaws.com'

There is this {"message":"Forbidden"} which I am not sure from where it comes. And also the error Could not resolve host: abcdefghij.execute-api.eu-central-1.amazonaws.com.

So my question is: where this issue comes from?

APPENDIX

Resource policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*"
        }
    ]
}
3
amazon-web-servicescurlaws-api-gatewayamazon-vpc
Which method are you trying to hit? Get? Post?Put?Amit Baranes
I am trying to hit GETmLC
Do you have any update?Amit Baranes
no, we tried to change the resource policy and even take this away from the direct connect setup to pure AWS (EC2 in VPC -> Endpoint -> API) but it is still the same issuemLC
Try to create new api getway and not use the Pets template. if you need instructions, i wrote documentation - hit me on linkedinAmit Baranes

3 Answers

1
votes

I've had a similar issue that was related to Resource policy. try to use the following policy: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:${AWS_REGION}:${AWS_ACCOUNT_ID}:${API_GETWAY_ID}/*/*/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpc": "${VPC_ENDPOINT_ID}"
                }
            }
        }
    ]
}

Also, make sure the VPC Endpoint IDs include your vpce:

enter image description here

0
votes

In the end, it really was resource policy related. After some other tries, we returned back to the former policy and somehow it started working (maybe we forgot to deploy the API first time)

This is the policy that worked for us:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*"
        }
    ]
}
0
votes

The previous AWS API gateway private API configuration document is a bit misleading, I had pushed the update for the documentation.

When you create a private API gateway, there are two key fields you should pay attention to:

  1. VPC endpoint ID
  2. VPC ID

For VPC End Point Configuration under APIs->Your API->Settings:

Endpoint Configuration:
   VPC End Point ID:
       *Your VPC End Point ID(This is the VPC End point ID with     
    com.amazonaws.ap-southeast-1.execute-api permission)

Under APIs->Your API->Resource Policy, configure resource policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpc": "Change to your VPC ID"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*"
        }
    ]
}