Question 18707 in Amazon Web Sevices Question posted in
The official Amazon Web Services documentation can be found here.

AWS IAM user credential always authenticated as anonymous – Amazon Web Sevices

I am creating a simple API Gateway and trying to apply its auth. I created an IAM user (called postman-user) and created its credential (as AccessKeyId and SecretAccessKey).

My IAM User policy is like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "execute-api:*",
            "Resource": "*"
        }
    ]
}

and in my api gateway I applied the resource policy as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<my account id>:root",
                    "arn:aws:iam::<my account id>:user/postman-user"
                ]
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-west-2:<my account id>:<my api g id>/*"
        }
    ]
}

I applied the key id and secret key id in postman:
enter image description here

then the problem comes. no matter how I call the api endpoint using aws credential of this IAM user, I always got this error:

User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:******

I thought it was postman failed to sign this AWS sigV4, then I tried this in python:

url = 'https://<apig id>.execute-api.us-west-2.amazonaws.com/beta/query/'

auth = AWSRequestsAuth( aws_access_key='<my key id>',
                        aws_secret_access_key='<my  secret key>',
                        aws_host='ec2.amazonaws.com',
                        aws_region='us-west-2',
                        aws_service='api')

response = requests.get(url, auth=auth)

This error is just forever for me


User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:******

Anyone can tell me what I missed ? I clicked on deployAPI in resource to stage beta 100 times …

tried python, tried postman, nothing works

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    This is an API Gateway config issue:

    Resources -> click on the method -> Method Request -> Authorization: it used to be None, changing to to AWS IAM made this work.


  2. 0

    it sounds like there is something missing on the api plane. It may be the you havent configured IAM auth right on the http method you try to use. I may also be that the resource policy is not attached to the api gateway. Note if the policy is updated and reattached you need to redeploy the api gateway.

    Link:
    https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-create-attach.html

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search