IAM policy for API Gateway invocation based on Cognito Identity ID - amazon-iam

I want to allow Cognito-authenticated users to invoke an API Gateway endpoint but restrict them to their own resources, like '/users/<IdentityID>/*'.
I have prepared an IAM role like this.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": [
        "arn:aws:execute-api:ap-northeast-1:*:MyAPIID/*/*/users/${cognito-identity.amazonaws.com:sub}*"
      ]
    }
  ]
}
But with this setting, I get a 403 error when I try to invoke.
If I replace ${cognito-identity.amazonaws.com:sub} with the actual Identity ID (like ap-northeast-1%3Ad8515ae9-62b5-4cba-af5c-195f5d7e1d07), it works.
We cannot use ${cognito-identity.amazonaws.com:sub} on API Gateway resource, can we?

That is correct. Currently, it's only a shortcut for S3 and DynamoDB.
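Since the policy variable is not substituted in execute-api resource ARNs, the per-identity restriction has to be enforced somewhere that does see the caller's identity. The following is an added example, not code from the question or the answer: a Lambda proxy handler for a REST API method with AWS_IAM authorization, where API Gateway puts the caller's identity pool ID in event["requestContext"]["identity"]["cognitoIdentityId"]. The route layout /users/{identityId}/..., the handler name and the sample events are constructed for illustration; the path is URL-decoded because the ':' in an identity ID normally arrives as %3A, as in the question.

```python
# Added example (not from the question or answer): enforce
# /users/<IdentityID>/* ownership in the integration because
# ${cognito-identity.amazonaws.com:sub} is not expanded for execute-api.
# Assumes a Lambda proxy integration on a REST API method using AWS_IAM
# authorization with Cognito identity pool credentials.
import json
from urllib.parse import unquote


def caller_identity_id(event):
    """Cognito identity ID API Gateway attached to the request, or None."""
    return (event.get("requestContext", {})
                 .get("identity", {})
                 .get("cognitoIdentityId"))


def path_identity_id(path):
    """Extract <IdentityID> from /users/<IdentityID>/... (URL-decoded)."""
    parts = path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "users":
        return None
    return unquote(parts[1])


def is_owner(event):
    """True only when the authenticated identity matches the path's identity."""
    caller = caller_identity_id(event)
    owner = path_identity_id(event.get("path", ""))
    return caller is not None and owner is not None and caller == owner


def handler(event, context=None):
    """Lambda proxy handler: deny with 403 unless the caller owns the path."""
    if not is_owner(event):
        return {"statusCode": 403, "body": json.dumps({"message": "Forbidden"})}
    return {"statusCode": 200,
            "body": json.dumps({"owner": path_identity_id(event["path"])})}


# Constructed sample events: the identity ID is the one from the question,
# the second path belongs to a different (made-up) identity.
IDENTITY = "ap-northeast-1:d8515ae9-62b5-4cba-af5c-195f5d7e1d07"
OWN_EVENT = {
    "path": "/users/ap-northeast-1%3Ad8515ae9-62b5-4cba-af5c-195f5d7e1d07/profile",
    "requestContext": {"identity": {"cognitoIdentityId": IDENTITY}},
}
OTHER_EVENT = {
    "path": "/users/ap-northeast-1%3A00000000-0000-0000-0000-000000000000/profile",
    "requestContext": {"identity": {"cognitoIdentityId": IDENTITY}},
}

if __name__ == "__main__":
    print(handler(OWN_EVENT)["statusCode"], handler(OTHER_EVENT)["statusCode"])
```

The IAM policy then only needs to grant execute-api:Invoke on the /users/* path; the ownership decision is made per request from the identity API Gateway verified, and a missing identity (for example an unauthenticated identity pool role) is denied rather than matched.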

Related

AWS IAM user credential always authenticated as anonymous

I am creating a simple API Gateway and trying to apply its auth. I created an IAM user (called postman-user) and created its credential (as AccessKeyId and SecretAccessKey).
My IAM User policy is like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "execute-api:*",
      "Resource": "*"
    }
  ]
}
and in my API Gateway I applied the resource policy below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<my account id>:root",
          "arn:aws:iam::<my account id>:user/postman-user"
        ]
      },
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-west-2:<my account id>:<my api g id>/*"
    }
  ]
}
I applied the key ID and secret key in Postman.
Then the problem comes: no matter how I call the API endpoint using the AWS credentials of this IAM user, I always get this error:
User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:******
I thought Postman failed to sign with AWS SigV4, so I tried this in Python:
import requests
from aws_requests_auth.aws_auth import AWSRequestsAuth

url = 'https://<apig id>.execute-api.us-west-2.amazonaws.com/beta/query/'
# SigV4 binds the signature to the host and service name in the credential
# scope: for API Gateway the host is the API's own hostname and the service
# is 'execute-api', not 'ec2.amazonaws.com' / 'api'.
auth = AWSRequestsAuth(aws_access_key='<my key id>',
                       aws_secret_access_key='<my secret key>',
                       aws_host='<apig id>.execute-api.us-west-2.amazonaws.com',
                       aws_region='us-west-2',
                       aws_service='execute-api')
response = requests.get(url, auth=auth)
This error just never goes away for me:
User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:******
Can anyone tell me what I missed? I clicked on Deploy API in Resources to stage beta 100 times...
Tried Python, tried Postman, nothing works.
It sounds like there is something missing on the API side. It may be that you haven't configured IAM auth correctly on the HTTP method you try to use. It may also be that the resource policy is not attached to the API Gateway. Note that if the policy is updated and reattached, you need to redeploy the API Gateway.
Link:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-create-attach.html
This is an API Gateway config issue:
Resources -> click on the method -> Method Request -> Authorization: it used to be None; changing it to AWS IAM made this work.

API Gateway returns 403 with IAM authorizer

I use OIDC between GitHub Actions and AWS to get temporary credentials. The role that is assumed has the following permissions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": [
        "arn:aws:execute-api:us-west-2:accountid:apiid/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "apigateway:GET"
      ],
      "Resource": "arn:aws:apigateway:us-west-2::/apis/apiid"
    }
  ]
}
The error that I get when logging the request in API Gateway is the following:
{
  "requestId":"fsdfd", "ip":"my_ip", "requestTime":"my_time",
  "httpMethod":"GET", "routeKey":"GET /api-path",
  "status":"403", "protocol":"HTTP/1.1",
  "responseLength":"23", "responseerror":"Forbidden", "error":""Forbidden"",
  "accountid":"-", "properties":"-", "responsetype":"ACCESS_DENIED", "integration_error":"-"
}
I am not getting a specific error to be able to debug.
The API Gateway URL works without the IAM authorizer. I have also used the policy simulator to check whether the role that is assumed through OIDC has permission to access the API Gateway resource, and it comes back as "allowed", so I'm not sure where the 403 Forbidden error comes from.
Note: I call the API Gateway from the GitHub Action using SigV4 with the temporary credentials.

Why is this s3 Bucket policy invalid?

{
  "Version": "2012-10-17",
  "Id": "Policy1612574490300",
  "Statement": [
    {
      "Sid": "Stmt1612574488073",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:ec2:us-east-1:258977512672:instance/i-041123c1993c370ba"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my_bucket",
        "arn:aws:s3:::my_bucket/*"
      ]
    }
  ]
}
The response is Invalid Principal. I don't see why it's invalid.
An EC2 instance isn't a valid principal. I think what you actually need to do here is use the ARN of the IAM role assigned to the EC2 instance.
You can specify the following Principals in a policy:
AWS account and root user
IAM users
Federated users (using web identity or SAML federation)
IAM roles
Assumed-role sessions
AWS services
Anonymous users (not recommended)
S3 Documentation Principal
AWS JSON policy elements: Principal
If you want to give that instance access to the bucket, you can use instance profiles.
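A pre-flight check catches this before the policy is submitted. The following is an added example, not part of either answer: it parses each Principal entry of a bucket policy, classifies it against the principal types listed above, and flags an EC2 instance ARN with the fix both answers give (the IAM role from the instance profile). The broken policy is the one from the question; the role name MyBucketAccessRole in the corrected copy is constructed.

```python
# Added example: lint the Principal element of a bucket policy against the
# principal types S3 accepts.  The role name in FIXED_POLICY is made up.

# Principal types S3 accepts, keyed by (ARN service, resource type).
_PRINCIPAL_TYPES = {
    ("iam", "root"): "AWS account root user",
    ("iam", "user"): "IAM user",
    ("iam", "role"): "IAM role",
    ("sts", "assumed-role"): "assumed-role session",
    ("sts", "federated-user"): "federated user",
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def classify_principal(value):
    """Classify one entry of Principal.AWS; returns (is_valid, description)."""
    if value == "*":
        return True, "anonymous users (not recommended)"
    if value.isdigit() and len(value) == 12:
        return True, "AWS account"
    parts = value.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return False, f"not an ARN or account ID: {value}"
    service, resource = parts[2], parts[5]
    kind = "root" if resource == "root" else resource.split("/", 1)[0]
    label = _PRINCIPAL_TYPES.get((service, kind))
    if label:
        return True, label
    if service == "ec2" and kind == "instance":
        return False, ("an EC2 instance is not a principal; use the ARN of the "
                       "IAM role in its instance profile")
    return False, f"unsupported principal type {service}:{kind}"


def lint_policy(policy):
    """Return one (sid, principal, is_valid, description) tuple per principal."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid")
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append((sid, "*", True, "anonymous users (not recommended)"))
            continue
        for svc in _as_list(principal.get("Service", [])):
            findings.append((sid, svc, True, "AWS service"))
        for value in _as_list(principal.get("AWS", [])):
            valid, why = classify_principal(value)
            findings.append((sid, value, valid, why))
    return findings


# The policy from the question (rejected with "Invalid Principal").
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1612574488073",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:ec2:us-east-1:258977512672:instance/i-041123c1993c370ba"},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::my_bucket", "arn:aws:s3:::my_bucket/*"],
    }],
}

# Same policy with the instance profile's role as principal (role name constructed).
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1612574488073",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::258977512672:role/MyBucketAccessRole"},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::my_bucket", "arn:aws:s3:::my_bucket/*"],
    }],
}

if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        for sid, principal, valid, why in lint_policy(policy):
            print(name, sid, "OK" if valid else "INVALID", principal, "-", why)
```

The check is deliberately limited to the Principal element; it says nothing about whether the role actually exists in the account, which S3 also verifies when the policy is saved.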

How to control view for each user or team?

Let's say I have 10 APIs under my account and 10 users. Each user is responsible for their own API.
Is there a way to configure it so that when each user logs in and goes to API Gateway, they do not see all 10 APIs and only see the one they're responsible for?
You can achieve it by giving resource-level permission to each IAM user. As in the example below, under the Resource array you can specify the API ARN for each IAM user.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET"
      ],
      "Resource": [
        "arn:aws:apigateway:us-east-1::/restapis/a123456789/*"
      ]
    }
  ]
}
Please look into the below document for more details.
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-iam-policy-examples.html

How to use AWS cognito with cognito groups to restrict access to API endpoints

I have been looking to find out how it would be possible to use AWS Cognito groups to restrict access to API endpoints based on Cognito group policies.
I have created the identity pool with a user pool.
Added a Cognito group policy, then associated it with an IAM policy.
In the policy it gives access to the API Gateway endpoint ARN.
There is an authorizer which uses the AWS Cognito pool.
The issue is that if a Cognito user has not been added to the group in Cognito, then they should not have access to the API Gateway endpoint. Currently it still allows access when the group has not been assigned to that user.
Here is my policy, which is set in the Cognito group.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:eu-west-1:0:xxxx/*/*/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cognito-sync:*"
      ],
      "Resource": "arn:aws:cognito-sync:eu-west-1:x:identitypool/eu-west-2:0"
    }
  ]
}
Thank you