How to authorise a role to perform "execute-api:Invoke"?
I'm attempting to move a suite of end-to-end tests so that they are fully contained within AWS. I've done this through CodeBuild and gotten everything running up to the point of running the tests, which invoke an API to reset the database before every test run. I keep running into this error message when the first test attempts to run.

StatusCodeError: 403 - "{\"Message\":\"User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:eu-west-2:*:*"}" 

At first, I thought the error was being caused by a lack of permissions on the role that was being used to build everything. I tried adding the correct permissions to the IAM role being used, eventually making them more open than I would like.

"Effect": "Allow",
"Action": [
    "execute-api:Invoke",
    "execute-api:ManageConnections"
],
"Resource": "arn:aws:execute-api:*:*:*"

Obviously this didn't fix things, but I did notice that Access Advisor shows that the particular policy isn't being accessed.

Next, I went into the resource policy in API Gateway to see if there was something there. I removed some IP address conditions that were set up to restrict access to the office's IP addresses.

I've looked inside WAF and Shield and can't see anything that would be related to invoking the API. At this point I am at a loss as to where my next investigation should start.

Edit

Here's the response I'm getting back.

"requestId": "********-82f8-11e9-a732-0b550cf3fcd6",
"ip": "*.*.*.*",
"caller": "-",
"user": "-",
"requestTime": "30/May/2019:16:32:50 +0000",
"httpMethod": "GET",
"resourcePath": "/*/ref-data/{proxy+}",
"status": "403",
"protocol": "HTTP/1.1",
"responseLength": "185"
Interlining answered 30/5, 2019 at 16:17 Comment(2)
Do you have an authorizer configured? - Curriculum
Seems to be answered here: #53016610 - Hypostyle

Below are the steps you need to perform.

  1. For API method - Make Auth = IAM
  2. For API resource policy make sure you allow traffic coming from selected IAM role for specific/all methods

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::###############:role/###########"
                },
                "Action": "execute-api:Invoke",
                "Resource": "arn:aws:execute-api:ap-southeast-1:###########:/#########/*/POST/####/####/"
            }
        ]
    }

  3. Make sure the same IAM role is attached to the entities from which this API is being called, e.g. EC2 if your code resides on EC2

  4. Make sure your API calls are not plain curl calls; they must be AWS SigV4-signed

Hope this works!

Wrist answered 31/5, 2019 at 11:4 Comment(1)
That is a secure solution! - Union

In this case it turned out the major blocker was the API Gateway IP restrictions set in the policy getting in the way. I did not realise that changes made didn't take effect until (re)deployment. Once I did that with updated IP restrictions, the API endpoint could be invoked.

Interlining answered 31/5, 2019 at 13:5 Comment(0)

Your role's policy which allows execute-api:Invoke appears to be correct, but the error message you provided says User: anonymous is not authorized to perform.... If you're expecting your role to be attempting this action, then something is wrong, because you're attempting the action as a user named anonymous.

The role that you use to build your stack isn't necessarily the role that is used to execute functions on that stack. I recommend you double check all of your IAM entities throughout and clearly identify and understand what each one is attempting to do. Make sure that whatever is invoking your function is actually the role you want with the correct policy attached.

Hope this helps!

Maximomaximum answered 30/5, 2019 at 18:4 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.