
I am creating a simple API Gateway and trying to apply its auth. I created an IAM user (called postman-user) and created its credentials (an AccessKeyId and a SecretAccessKey).

My IAM User policy is like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "execute-api:*",
            "Resource": "*"
        }
    ]
}

and in my API Gateway I applied the resource policy below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<my account id>:root",
                    "arn:aws:iam::<my account id>:user/postman-user"
                ]
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-west-2:<my account id>:<my api g id>/*"
        }
    ]
}

I applied the key ID and secret key in Postman.

Then the problem comes: no matter how I call the API endpoint using the AWS credentials of this IAM user, I always get this error:

User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:******

I thought Postman had failed to sign the request with AWS SigV4, so I tried this in Python:

import requests
from aws_requests_auth.aws_auth import AWSRequestsAuth

url = 'https://<apig id>.execute-api.us-west-2.amazonaws.com/beta/query/'

# The host and service name in the signature must match the API Gateway
# endpoint being called, otherwise the signature is computed for the wrong scope.
auth = AWSRequestsAuth(aws_access_key='<my key id>',
                       aws_secret_access_key='<my secret key>',
                       aws_host='<apig id>.execute-api.us-west-2.amazonaws.com',
                       aws_region='us-west-2',
                       aws_service='execute-api')

response = requests.get(url, auth=auth)

This error just never goes away for me:

User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:******

Can anyone tell me what I missed? I clicked Deploy API in Resources to deploy to the beta stage 100 times …

I tried Python, I tried Postman, nothing works.

2 Answers


  1. Chosen as BEST ANSWER

    This is an API Gateway config issue:

    Resources -> click on the method -> Method Request -> Authorization: it used to be None; changing it to AWS IAM made this work.
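A worked SigV4 signer for the execute-api service, added here as an example and not code from the question or either answer: once the method's Authorization is AWS IAM, the request also has to be signed against the API's own hostname and the execute-api service name, since a signature scoped to a different host or service is rejected. The hostname, access key and secret below are constructed placeholders, and the function implements the standard SigV4 algorithm with only the Python standard library.

```python
import datetime
import hashlib
import hmac
from urllib.parse import urlparse, quote


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_headers(method, url, access_key, secret_key, region,
                  service="execute-api", payload=b"", amz_date=None):
    """Build the Host, X-Amz-Date and Authorization headers for one request.

    amz_date is a basic ISO timestamp like 20240102T030405Z; it defaults to
    now (UTC) and is a parameter only so that results can be reproduced.
    """
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    u = urlparse(url)
    host = u.netloc  # must be the API's own hostname, not another service's
    canonical_uri = quote(u.path or "/", safe="/~")
    # Query parameters are sorted; this assumes they are already URI-encoded.
    canonical_query = "&".join(sorted(u.query.split("&"))) if u.query else ""
    signed_headers = "host;x-amz-date"
    canonical_headers = f"host:{host}\nx-amz-date:{amz_date}\n"
    payload_hash = hashlib.sha256(payload).hexdigest()
    canonical_request = "\n".join([method.upper(), canonical_uri, canonical_query,
                                   canonical_headers, signed_headers, payload_hash])
    # Credential scope: for API Gateway the service name must be execute-api.
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    # Signing key: HMAC chain over the date, region, service and terminator.
    k_signing = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    for part in (region, service, "aws4_request"):
        k_signing = _hmac(k_signing, part)
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "Host": host,
        "X-Amz-Date": amz_date,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }


if __name__ == "__main__":
    # Constructed placeholder values; the real ones are the IAM user's credentials.
    for k, v in sigv4_headers("GET", "https://abc123.execute-api.us-west-2.amazonaws.com/beta/query/",
                              "AKIA_PLACEHOLDER", "SECRET_PLACEHOLDER", "us-west-2").items():
        print(f"{k}: {v}")
```

Send the returned headers with the GET request; the Credential scope in the Authorization header is where a wrong region or service name shows up immediately.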


  2. It sounds like there is something missing on the API plane. It may be that you haven't configured IAM auth right on the HTTP method you try to use. It may also be that the resource policy is not attached to the API Gateway. Note that if the policy is updated and reattached you need to redeploy the API Gateway.

    Link:
    https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-create-attach.html
