I've an API that should only be accessed from another AWS account. I've followed some AWS documentation and this is what I've done:
Created an internal NLB in front of an ASG. All these are in a private subnet.
Created an API Gateway that connects to the NLB using a VPC Link.
Created a Custom Domain Name (via Route53) and set a certificate using ACM.
The resources use AWS_IAM as authorisation.
The resource policy grants the other account authorisation to the resource.
In the authorised account, I've created an EC2 instance and associated an IAM role with full access to the API Gateway.
When I try to connect, signing the requests (using this), it works just fine. But the request signing requires the AWS access key and secret key.
This doesn't sound right to me. What am I doing wrong? Is there another way of doing this without the credentials?
Cheers.
When required to provide the access key and secret key, I suppose you need to install the authorising app called Postman (please check out this doc: https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-use-postman-to-call-api.html).
Also, in your step 5, I think if you want to access the API Gateway endpoint from an EC2, you have to firstly create a Role within that EC2 account, then attach the Role to that EC2, and finally grant the Role API Gateway permission in your current account.
We're trying to access AWS Services from a private subnet in a VPC using a VPC endpoint or Private Link. We're trying to avoid adding a NAT gateway on the private subnet.
We created/added VPC Endpoints (i.e. the AWS services for EC2 and S3):
com.amazonaws.us-east-2.ec2
com.amazonaws.us-east-2.s3
But we're not able to access something like com.amazonaws.us-east-2.iam; is there an IAM endpoint, is this supported, or is there any workaround for us to use IAM via a VPC Endpoint on us-east-2?
Here's the error we're getting when we use the latest version of the Java AWS SDK to get the EC2 instance's attached IAM role programmatically:
org.apache.http.conn.ConnectTimeoutException: Connect to iam.amazonaws.com:443 [iam.amazonaws.com/
Thanks for any information you can provide.
As of May 2022, a VPC endpoint for IAM is not supported. You'd have to connect to IAM via the internet. Or, as a workaround, you can do IAM actions in CloudFormation.
There is a static website on AWS S3 bucket.
This site has to be available only to one team. It could be an authentication system, or access via an AWS Client VPN Endpoint (only this team uses AWS VPN).
I have read about S3 Access Points, VPC Endpoints, and Bucket Policies with VPC and IP restrictions, and made some experiments. There was an idea to restrict access only to the VPC with the VPN. But I cannot forward bucket traffic into the VPN tunnel, because my bucket's IP address changes all the time.
And this way doesn't look straightforward.
What service or service combination can I use to implement the restriction with minimum effort?
One approach I have done in the past is using an API Gateway as a proxy to static UI content hosted in a private S3 bucket. You can use either a public or a private APIGW. With a public one, you will need an APIGW resource policy to restrict access to the VPC endpoint. You can also use a private APIGW; the only downside is that AWS doesn't support custom DNS for private API Gateways (you will be accessing your site using a URL similar to https://{rest-api-id}-{vpce-id}.execute-api.{region}.amazonaws.com/{stage}; see the documentation). AWS also offers good documentation on creating an APIGW as an S3 proxy.
In this example the flow of traffic would go: client-> vpn -> vpc endpoint -> apigw -> s3
Hopefully this helps!
I am trying to call my private API Gateway from a Lambda function in another AWS account. But I am getting a timeout while making the call (actually the HTTP call just hangs and hits my client-side timeout).
In the AWS account which hosts the private API Gateway I did the following:
* Created my private API Gateway and the Lambda behind the API
* Created a resource policy and provided access to the VPC endpoint of the other AWS account (caller)
* Created a VPC endpoint with private DNS enabled
* Attached a policy to the VPC endpoint with full access, and a security group with access to all traffic
In the second AWS account (caller) I did the following:
* Created a VPC and a VPC endpoint for API Gateway with full access
* Created a Lambda in the VPC with a security group with access to all traffic (inbound and outbound)
In the Lambda I am using the public DNS of the VPC endpoint (Account 1) and the header 'x-apigw-api-id'.
I already tried the debugging steps mentioned on this page: https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-private-endpoint-connection/.
Also tried whitelisting based on the VPC ID instead of the VPC endpoint ID.
Any suggestions for resolving this issue?
Just found the issue. I was using the VPC endpoint of the other AWS account while making the call. When I used the VPC endpoint of the same account it worked.
In a private subnet, we have an EC2 (client) talking to a server (another EC2) listening on a port.
The client EC2 is assigned a role to get access to the server EC2. Client and server are Go programs.
An AWS role is mainly used to perform AWS API calls between any two AWS services without specifying credentials.
Does an AWS role also help in client-server communication, to authenticate the right client?
Not directly, no. You don't use IAM to control access between your client and your server. You use it to control access between your client and AWS services. IAM authenticates clients and authorizes them to perform specific actions against specific AWS resources.
One option that would allow your client to leverage IAM roles for authentication to your server's API would be to insert API Gateway between them. Another option is to use standard auth mechanisms such as bearer tokens, API request signing etc.
Note that, typically, you would use Security Groups to control which EC2 instances can actually talk to the server API on port N.
Is there a way to set up an API Gateway endpoint for Lambda functions that is only accessible internally? I don't want it to be exposed to the public.
API Gateway has released a new Private Endpoint feature, which makes this possible.
The API Gateway Private Endpoint will only be accessible from a VPC, and it requires setting up an Interface VPC Endpoint which will be used to access the endpoint. It is also required to set up a Resource Policy to grant access to the API from your VPCs and VPC endpoints.
In order to access the API endpoint from your on-premises network, you can establish either an AWS Direct Connect connection or an AWS VPN connection from your premises to the Amazon VPC.
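The resource policy this answer refers to, and the one the earlier S3-proxy answer describes for restricting a public APIGW to a VPC endpoint, both take the same shape. The following is an added example, not taken from the thread: an API Gateway resource policy that allows `execute-api:Invoke` only when the request arrives through one specific interface endpoint. The account ID, REST API ID, region and VPC endpoint ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowInvokeFromAnywhereThenRestrictBelow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcdef1234/*"
    },
    {
      "Sid": "DenyUnlessFromOurVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcdef1234/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        }
      }
    }
  ]
}
```

The explicit Deny is what does the work: an Allow alone would still let anything reach a public API, whereas the Deny with `StringNotEquals` on `aws:SourceVpce` rejects every call that did not come through the named endpoint. For a private API, the endpoint ID in the condition must be one in the same account as the API (the cross-account question above ran into exactly this), and `aws:SourceVpc` can be used instead when any endpoint in a given VPC should be accepted. Changes to a resource policy take effect only after the API is redeployed to its stage.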
Unfortunately, no. At the moment API Gateway Invoke URLs are public. Making them private is not possible.
You can secure your API Gateway Rest API using either IAM roles or custom authorizers.
Yes, now you can configure AWS API Gateway with PrivateLink. Follow the link, but you can only access the endpoint from the VPC, and if you want to access that endpoint from your data center you will need Direct Connect.