AWS API Gateway: User anonymous is not authorized to execute API

8

65

Trying to post to an API I've created in API gateway:

{
    "Message": "User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:***********:jrr7u1ekrr/v0/POST/user"
}

How can I update the policy in CloudFormation to make publicly available the POST endpoint? I'm declaring the API with the AWS::ApiGateway::RestApi resource type.

The API policy property is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/*/POST/user"
        }
    ]
} 
Doralin answered 26/10, 2018 at 20:45 Comment(3)
FYI if you're seeing this you need to update the Resource Policy on your API GatewayDoralin
thank you! this was my problem. fixed now. thanks againVern
For CORS people: Also note even if you only have Allows in your resource policy, it will deny everything else. So if you have anything in your resource policy you need to add an Allow for the OPTIONS endpoint, even if auth is disabled on the endpoint.Garman
R
70

Something that tripped me up: "If the API has been deployed previously in the API Gateway console, you'll need to redeploy it for the resource policy to take effect."

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-create-attach.html

Rozele answered 27/2, 2019 at 18:41 Comment(3)
After redeploying it, my API became available. This solution works for me. This answer should be marked as the correct answer.Baras
Also, it seems that it might take a few seconds after the deploy button has been pressed before it takes effect.Suzerainty
AWS should provide a deploy button wherever there is an option to change configuration, so that users don't spend hours figuring out why something is not working.Vulgar
R
19

Even if the Authorization is set to NONE for your OPTIONS method, it will check the resource policy if you have one.

You can make your OPTIONS method publicly available by setting the following API Gateway resource policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:{REGION}:{AWS_ACCOUNT}:{YOUR_API_ID}/{YOUR_API_STAGE}/OPTIONS/*"
        }
    ]
}

Check How API Gateway Resource Policies Affect Authorization Workflow

Runlet answered 26/3, 2020 at 15:35 Comment(0)
T
8

After the policy changes you need to redeploy the application for the changes to propagate. To re-deploy:

  1. Go to API Gateway.
  2. Go to the resource.
  3. Click on the "Actions" drop-down, then click on Deploy API.
Thetes answered 24/9, 2019 at 12:3 Comment(0)
N
3

As others have pointed out this issue is most likely caused by not having a correct Resource Policy on the API. I suggest you use the example from the AWS Docs here Example: Allow private API traffic based on source VPC or VPC endpoint policy from AWS docs.

Use the VPC Endpoint version and set the SourceVpce to be the id of your API Gateway VPC Endpoint. Once saved, API Gateway will automatically populate the endpoint details; refresh the page to see the updated policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "execute-api:/*"
            ]
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "execute-api:/*"
            ],
            "Condition" : {
                "StringNotEquals": {
                    "aws:SourceVpce": "vpce-1a2b3c4d"
                }
            }
        }
    ]
}

As others have noted, any changes to the Resource Policy require you to redeploy your API. Wait at least 30 seconds after you've deployed before you test again.

Navada answered 15/3, 2023 at 16:34 Comment(0)
C
2

The issue is probably on the method declaration part. You will need to have authorizationType set to NONE in your AWS::ApiGateway::Method declaration.

Calley answered 26/10, 2018 at 21:2 Comment(3)
thanks roxxypoxxy, I do have the method auth set to none: ``` "Type": "AWS::ApiGateway::Method", "Properties": { ... "AuthorizationType": "NONE", ```Doralin
Now that I see your edited post, can you try tweaking the resource as documented here docs.aws.amazon.com/apigateway/latest/developerguide/…. The resource declaration you have does not seem to follow the pattern referred in the docCalley
You're wrong. This error message is not about method authorization.Ossify
G
1

In

"Resource": "execute-api:/*/POST/user"

Set your Account ID instead of *

And then re-deploy.

Kr,

Glialentn answered 16/10, 2019 at 12:58 Comment(1)
Another team at my job has it set up similarly with the wildcard, and it works for them. Like this - "Resource": !Join ["", ["execute-api:/", !Ref EnvironmentSuffix, "/"]],Vansickle
E
1

This is not an answer to the question, but for those who come up with the same error message.

I was using a resource policy to try to whitelist requests to an AWS API Gateway by IP, but I was getting the error mentioned by the OP:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-west-1:{ACCOUNT_ID}:{API_GW_ID}/{STAGE}/{METHOD}/{PATH}",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "{SOME_IP_ADDRESS}/32"
                }
            }
        },
        {
            "Sid": "",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-west-1:{ACCOUNT_ID}:{API_GW_ID}/{STAGE}/{METHOD}/{PATH}"
        }
    ]
}

What I've learnt:

  • On the one hand, no resource policy means allow all requests.

  • On the other hand, Deny statements take precedence over Allow statements. (Meaning all requests were denied)

  • Lastly, if a resource policy exists, any request that does not match a statement gets denied.

Hence, to allow requests to API GW only from a certain IP, I ended up using the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-west-1:{ACCOUNT_ID}:{API_GW_ID}/{STAGE}/{METHOD}/{PATH}",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "{SOME_IP_ADDRESS}/32"
                }
            }
        }
    ]
}
Elegy answered 20/1, 2023 at 11:29 Comment(0)
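The three rules above (no policy means allow all, an explicit Deny beats any Allow, and anything a policy does not match is implicitly denied) explain both this answer's first attempt and the CORS comment on the question: once the OP's policy allows only POST/user, the OPTIONS preflight on the same path is denied. The following is an added example, not code from the thread or from AWS: a small offline simulator of that decision logic for an anonymous execute-api:Invoke, covering only the resource patterns and the two condition operators (IpAddress, StringNotEquals) used in this thread. The account id, API id and IP addresses are constructed placeholders.

```python
import fnmatch
import ipaddress

def _path_part(resource):
    # Reduce "arn:aws:execute-api:region:acct:apiId/stage/METHOD/path" and the abbreviated
    # "execute-api:/stage/METHOD/path" form alike to "stage/METHOD/path" for glob matching.
    tail = resource.rsplit(":", 1)[-1]
    return tail.split("/", 1)[1] if "/" in tail else tail

def _condition_holds(cond, ctx):
    # Only the two operators the thread uses are modelled.
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "IpAddress":
                net = ipaddress.ip_network(want, strict=False)
                if have is None or ipaddress.ip_address(have) not in net:
                    return False
            elif op == "StringNotEquals":
                if have == want:
                    return False
            else:
                raise ValueError("unsupported operator " + op)
    return True

def evaluate(policy, request_arn, ctx=None):
    """Decide execute-api:Invoke for an anonymous caller: no policy -> Allow; a matching
    Deny wins; a matching Allow allows; an unmatched request is an implicit Deny."""
    ctx = ctx or {}
    if policy is None:
        return "Allow"
    decision = "Deny"
    for st in policy["Statement"]:
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(fnmatch.fnmatchcase(_path_part(request_arn), _path_part(r)) for r in res):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# Constructed sample data: account id, API id and IPs are placeholders, not the OP's.
API = "arn:aws:execute-api:us-west-2:123456789012:a1b2c3d4e5/v0"
def _stmt(effect, resource, cond=None):
    s = {"Effect": effect, "Principal": "*", "Action": "execute-api:Invoke", "Resource": resource}
    return dict(s, Condition=cond) if cond else s
OP_POLICY = {"Version": "2012-10-17", "Statement": [_stmt("Allow", "execute-api:/*/POST/user")]}
IP_COND = {"IpAddress": {"aws:SourceIp": "203.0.113.5/32"}}
SHADOWED = {"Version": "2012-10-17", "Statement": [_stmt("Allow", API + "/*", IP_COND), _stmt("Deny", API + "/*")]}
IP_ONLY = {"Version": "2012-10-17", "Statement": [_stmt("Allow", API + "/*", IP_COND)]}
```

Run evaluate(OP_POLICY, API + "/OPTIONS/user") to see the CORS pitfall (Deny), and evaluate(SHADOWED, ...) from the allowed IP to see the unconditional Deny shadowing the Allow. Real IAM evaluation also weighs the caller's identity policies; this model only covers the anonymous case the thread is about.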
T
0

Please check the following

Step - 1: Ensure that the IAM User has policy AmazonAPIGatewayInvokeFullAccess attached.

Step - 2: Ensure that the API Gateway has whitelisted the AWS Account in the Resource Policy.

Step - 3: If the IAM User has been created recently it will take around 5 - 10 mins for the policy to reflect, please be patient.

Tarantass answered 25/3, 2023 at 19:24 Comment(0)
