How to authorise a role to perform "execute-api:Invoke"?


Solution 1

Below are the steps you need to perform.

  1. For the API method, set Auth = IAM.
  2. For the API resource policy, make sure you allow traffic coming from the selected IAM role for specific/all methods:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::###############:role/###########"
                },
                "Action": "execute-api:Invoke",
                "Resource": "arn:aws:execute-api:ap-southeast-1:###########:/#########/*/POST/####/####/"
            }
        ]
    }

  3. Make sure the same IAM role is attached to the entities from which this API is being called, e.g. EC2 if your code resides on EC2.

  4. Make sure your API calls are not plain curl calls, but are AWS SigV4 signed.

Hope this works!
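To make step 4 concrete, here is an added example (not code from the answer above) that builds the SigV4 headers a call to an IAM-authorised execute-api method must carry; an unsigned request is exactly what API Gateway reports as "User: anonymous". It uses only the standard library and assumes constructed placeholder values for the endpoint host, stage, path and credentials, and that the path and query string are already percent-encoded.

```python
"""Sign an API Gateway request with SigV4 for service execute-api (stdlib only)."""
import hashlib
import hmac
from urllib.parse import urlparse


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_execute_api(method, url, body, access_key, secret_key, region, amz_date,
                     session_token=None):
    """Return the headers a SigV4-signed call to an execute-api endpoint must carry.

    amz_date is the request time as 'YYYYMMDDTHHMMSSZ'. The path and query are
    assumed to be already percent-encoded and sorted (a real client must do that).
    """
    parsed = urlparse(url)
    headers = {"host": parsed.netloc, "x-amz-date": amz_date}
    if session_token:  # temporary credentials (instance role, CodeBuild) need this
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, parsed.path or "/", parsed.query,
                                   canonical_headers, signed_headers, _sha256_hex(body)])
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/execute-api/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    # Derive the signing key: secret -> date -> region -> service -> "aws4_request"
    k_signing = ("AWS4" + secret_key).encode("utf-8")
    for part in (date_stamp, region, "execute-api", "aws4_request"):
        k_signing = _hmac(k_signing, part)
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


if __name__ == "__main__":
    # Constructed example values: the endpoint host, stage, path and keys are placeholders.
    hdrs = sign_execute_api("POST", "https://abcde12345.execute-api.eu-west-2.amazonaws.com/prod/ref-data/reset",
                            b"{}", "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                            "eu-west-2", "20190530T163250Z")
    for k, v in hdrs.items():
        print(f"{k}: {v}")
```

Send these headers with the request (for example via `requests` or `urllib`); credentials obtained from an instance or CodeBuild role include a session token, which must go into `x-amz-security-token` and be covered by the signature as shown.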

Solution 2

In this case it turned out the major blocker was that the API Gateway IP restrictions set in the policy were getting in the way. I did not realise that changes made didn't take effect until (re)deployment. Once I did that with the updated IP restrictions, the API endpoint could be invoked.

Author: Jay Cork

Updated on June 04, 2022

Comments

  • Jay Cork, 4 months

    I'm attempting to move a suite of end-to-end tests so that they are fully contained within AWS. I've done this through CodeBuild and gotten everything running up to the point of running the tests, which invoke an API to reset the database before every test run. I keep running into this error message when the first test attempts to run.

    StatusCodeError: 403 - "{\"Message\":\"User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:eu-west-2:*:*"}" 
    

    At first, I thought the error was being caused by a lack of permissions on the role that was being used to build everything. I tried adding the correct permissions to the IAM Role being used, eventually making them more open than I would like.

    {
        "Effect": "Allow",
        "Action": [
            "execute-api:Invoke",
            "execute-api:ManageConnections"
        ],
        "Resource": "arn:aws:execute-api:*:*:*"
    }

    Obviously this didn't fix things, but I did notice that the Access Advisor shows that the particular policy isn't being accessed.

    Next, I went into the resource policy in API Gateway to see if there was something there. I removed some IP address conditions that were set up to restrict access to the office's IP addresses.

    I've looked inside WAF and Shield and can't see anything that would be related to invoking the API. At this point I am at a loss on where my next investigation should start.

    Edit

    Here's the response I'm getting back.

    "requestId": "********-82f8-11e9-a732-0b550cf3fcd6",
    "ip": "*.*.*.*",
    "caller": "-",
    "user": "-",
    "requestTime": "30/May/2019:16:32:50 +0000",
    "httpMethod": "GET",
    "resourcePath": "/*/ref-data/{proxy+}",
    "status": "403",
    "protocol": "HTTP/1.1",
    "responseLength": "185"