I have created a Private API in AWS API gateway using Internal Application LoadBalancer as HTTP_PROXY integration Request for GET Method.
I also attached Resource Policy to this API and created interface EndPoints (VPC EndPoints) for subnets. When I test this policy from API Gateway test interface, I get the following error message.
******************************
Execution log for request 67ebbdbf-6537-11e9-898f-39f8c1447e67
Mon Apr 22 19:47:05 UTC 2019 : Starting execution for request: 67ebbdbf-6537-11e9-898f-39f8c1447e67
Mon Apr 22 19:47:05 UTC 2019 : HTTP Method: GET, Resource Path: /
Mon Apr 22 19:47:05 UTC 2019 : Method request path: {}
Mon Apr 22 19:47:05 UTC 2019 : Method request query string: {}
Mon Apr 22 19:47:05 UTC 2019 : Method request headers: {}
Mon Apr 22 19:47:05 UTC 2019 : Method request body before transformations:
Mon Apr 22 19:47:05 UTC 2019 : Execution failed due to configuration error: Invalid endpoint address
Mon Apr 22 19:47:05 UTC 2019 : Method completed with status: 500
**************************************************************
But when I am testing this policy from EC2 instance which is in private subnet, I get a slightly different error message..
I have created a Private API in AWS API gateway using Internal Application LoadBalancer as HTTP_PROXY integration and also attached Resource Policy to it. I also created interface EndPoints (VPC EndPoints) for subnet have When I am testing this policy from API Gateway test interface, I am getting below error message.
[ec2-user@ip-10-0-3-21 ~]$ curl -vvvv https://w4ipx30rt1.execute-api.us-east-1.amazonaws.com/dev/
* Trying 10.0.3.157...
* TCP_NODELAY set
* Connected to w4ipx30rt1.execute-api.us-east-1.amazonaws.com (10.0.3.157) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=*.execute-api.us-east-1.amazonaws.com
* start date: Oct 9 00:00:00 2018 GMT
* expire date: Oct 9 12:00:00 2019 GMT
* subjectAltName: host "w4ipx30rt1.execute-api.us-east-1.amazonaws.com" matched cert's "*.execute-api.us-east-1.amazonaws.com"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
> GET /dev/ HTTP/1.1
> Host: w4ipx30rt1.execute-api.us-east-1.amazonaws.com
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: Server
< Date: Mon, 22 Apr 2019 19:54:52 GMT
< Content-Type: application/json
< Content-Length: 154
< Connection: keep-alive
< x-amzn-RequestId: 7e95530e-6538-11e9-afa4-df5f4a3d30a4
< x-amzn-ErrorType: AccessDeniedException
< x-amz-apigw-id: YjlR_Hn2IAMFZyg=
<
* Connection #0 to host w4ipx30rt1.execute-api.us-east-1.amazonaws.com left intact
**"Message":"User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:********9165:w4ipx30rt1/dev/GET/"[_ec2-user@ip-10-0-3-21 ~]****
Below is my resource Policy as well..
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:region:us-east-1:*********:w4ipx30rt1/*",
"Condition": {
"StringEquals": {
"aws:SourceVpce": "vpce-**********"
}
}
}
]
}
Thanks !
