1
votes

I want to give access to IAM users from other accounts to be able to invoke my API.

I have these configurations in my API Gateway resource methods:

Authorization type: AWS_IAM (I tried with Auth type None as well.)

And Resource Policy defined as:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<ACCOUNT_2>:user/ApiUser"
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-west-2:<ACCOUNT_1>:<API_ID>/*/*/*"
        }
    ]
}

I have also given invoke permissions to the IAM user of the other account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": "arn:aws:execute-api:us-west-2:<ACCOUNT_1>:<API_ID>/test/GET/*"
        }
    ]
}

I have deployed the API to a stage named test.

Still, I see the below error when I invoke the API with the credentials from the other account's user:

{
    "message": "User: arn:aws:iam::<ACCOUNT_2>:user/ApiUser is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:<ACCOUNT_1>:<API_ID>/test/GET/foo/bar"
}

What am I missing here?

I followed this guide: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html

1
As it turns out, all my changes were perfectly fine. Apparently AWS was taking too much time in propagating the policy changes. So, although the policies were updated, I could use them correctly only after 5~6 hours! – gaganbm
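A quick way to sanity-check a cross-account setup like the one in the question is to evaluate both policies against the request ARN from the error message. The following is an added example (not from the poster or from AWS) with constructed placeholder account ids, API id and region; it is a deliberately simplified evaluator (Allow statements only, no Deny or Condition handling) that applies the API Gateway rule that a cross-account caller needs both the resource policy and its own identity policy to allow the call, while a same-account caller needs only one of them.

```python
import fnmatch

# Constructed placeholder values; none are real account or API identifiers.
ACCOUNT_1, ACCOUNT_2 = "111111111111", "222222222222"   # API owner, caller
REGION, API_ID = "us-west-2", "abcde12345"
API_ARN = f"arn:aws:execute-api:{REGION}:{ACCOUNT_1}:{API_ID}"
CALLER = f"arn:aws:iam::{ACCOUNT_2}:user/ApiUser"

# Resource policy attached to the API (mirrors the one in the question).
RESOURCE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": CALLER},
    "Action": "execute-api:Invoke", "Resource": f"{API_ARN}/*/*/*"}]}

def identity_policy(resource_pattern):
    """Identity policy attached to the caller, parameterised on its Resource."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["execute-api:Invoke"],
        "Resource": resource_pattern}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def statement_allows(stmt, action, resource, principal=None):
    """Simplified Allow-only matching; IAM '*' and '?' behave like fnmatch."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    if principal is not None:   # resource policies must also name the caller
        allowed = _as_list(stmt.get("Principal", {}).get("AWS", []))
        return principal in allowed or "*" in allowed
    return True

def invoke_allowed(caller_arn, caller_policy, resource_policy, request_arn):
    """API Gateway rule: same-account callers need either policy to allow;
    cross-account callers need BOTH the resource policy and their own."""
    action = "execute-api:Invoke"
    by_resource = any(statement_allows(s, action, request_arn, caller_arn)
                      for s in resource_policy["Statement"])
    by_identity = any(statement_allows(s, action, request_arn)
                      for s in caller_policy["Statement"])
    same_account = caller_arn.split(":")[4] == request_arn.split(":")[4]
    return (by_resource or by_identity) if same_account else (by_resource and by_identity)

REQUEST = f"{API_ARN}/test/GET/foo/bar"   # shape of the ARN in the error message

def check(identity_resource):
    return invoke_allowed(CALLER, identity_policy(identity_resource), RESOURCE_POLICY, REQUEST)

if __name__ == "__main__":
    print(check(f"{API_ARN}:test/GET/*"))   # False: ':' before the stage never matches
    print(check(f"{API_ARN}/test/GET/*"))   # True
```

Note that a policy passing this check can still fail in practice until the API is redeployed and the change has propagated, which is the situation the comment above describes.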

1 Answer

1
votes

This has bitten me before, and may be your issue too.

After you SAVE your resource policy, you must ALSO deploy your API.

  • In the menu on the left, click up one level
  • Then under ACTIONS, select DEPLOY API