The AWS IAM Policy Docs for AWS (shown here) indicate that the following policy gives full access for a role to hit the API Gateway
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"apigateway:*"
],
"Resource": [
"*"
]
}
]
}
When simulating that policy with API Gateway as the target, the policy denies access. This seems like a direct contradiction to the provided documentation.
Amazon's permissions model divides API Gateway permissions into two services:
Amazon API Gateway - Permissions for clients, currently the only action is execute-api:invoke.
Manage - API Gateway - Admin permissions for configuring the API Gateway, which has CRUD actions fitting the apigateway:* spec.
The policy you have applies to the Manage API Gateway service, the simulation should work if you select that.
This same separation is visible in the regular IAM policy wizard, where "Manage - API Gateway" sorts to the bottom of the service list where you can't see it.
Related
I created a lambda function in AWS.
I want to trigger it by a API Gateway/http call.
after creating the http trigger i can see the following:
but when I try to use a GET/POST calls to this address I receive "internal server error".
I checked the logs and I see the following:
The IAM role configured on the integration or API Gateway doesn't have permissions to call the integration. Check the permissions and try again.
What should I do? which permission I need?
Quoting from the docs here
When an API is integrated with an AWS service (for example, AWS
Lambda) in the back end, API Gateway must also have permissions to
access integrated AWS resources (for example, invoking a Lambda
function) on behalf of the API caller. To grant these permissions,
create an IAM role of the AWS service for API Gateway type. When you
create this role in the IAM Management console, this resulting role
contains the following IAM trust policy that declares API Gateway as a
trusted entity permitted to assume the role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "apigateway.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
I am trying to use an existing API gateway which is present in accountA. I am having some EC2 instances which are having some scripts to invoke the API gateway present. These instances may/may not reside in the same AWS account as the one where my API gateway is present (Let's call the other account as accountB).
For the authentication part currently, there's only AWS_IAM authentication implemented at the API gateway level. The EC2 instances (in both the accounts) are having IAM roles attached which are having IAM permissions to invoke the API.
The permission for the same looks as:
{
"Sid": "InvokeAPI",
"Effect": "Allow",
"Action": "execute-api:Invoke",
"Resource": "*"
}
When I try to invoke the API from the instances which are in accountA, it is working as expected. However, when I try to invoke the API from my instances in accountB, the gateway returns a 403 error with the following message:
User: arn:aws:sts::accountB:assumed-role/invoke_api_iam_role/i-xxxxxxxxx is not authorized to access this resource
I tried to look at API gateway resource policies and tried to whitelist the accountB's EC2 IAM role in accountA API Gateway's resource policy and still, I'm getting the same error.
Current resource policy implemented at the API gateway kinda looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountB:role/invoke_api_iam_role"
},
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-east-1:accountA:myAPIID/*"
}
]
}
For signing the requests to the API gateway through the awsv4 signature, I use aws-requests-auth
Please help to resolve this issue.
So as it turns out, everything above is correct and you need to deploy the API to a particular stage for applying the resource policy against it.
I want to give some AWS account ids access to call the api gateway that is in my account. What is the best way to do this?
I think there is a way to add resource policy that gives that AWS account access. Is that a good way to do that? I am talking about a production kind of service?
Also, does all the resouces of AWS account will get access to API gateway?
For each API Gateway endpoint we can change the Authorization option from None to AWS_IAM:
Then we can configure access to the API from the Resource Policy section of the API Gateway. From the Resource Policy page, click on the "AWS Account Whitelist" button to get a policy template, excerpted below:
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::{{otherAWSAccountID}}:root",
"arn:aws:iam::{{otherAWSAccountID}}:user/{{otherAWSUserName}}",
"arn:aws:iam::{{otherAWSAccountID}}:role/{{otherAWSRoleName}}"
]
},
"Action": "execute-api:Invoke",
"Resource": [
"execute-api:/{{stageNameOrWildcard*}}/{{httpVerbOrWildcard*}}/{{resourcePathOrWildcard*}}"
]
}
As an alternative (or in addition) to IAM authorization, we can control usage with API Keys, which enables the ability to rate limit (throttle) API calls and to set quotas.
More info:
https://aws.amazon.com/blogs/compute/control-access-to-your-apis-using-amazon-api-gateway-resource-policies/
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html
I'm trying to create a simple ApiGateway on top of a DynamoDB to add a endpoint for users to access the data trough this.
Integration type AWS Service
AWS Region eu-west-1
AWS Service DynamoDB
AWS Subdomain
HTTP method GET
Action ListResources
Execution role [iam arn]
Credentials cache Do not add caller credentials to cache key
Content Handling Passthrough
When I click the test Button i get :
Execution failed due to configuration error: API Gateway does not have permission to assume the provided role
Checked here and there but have no clue on the problem. I tried changing the permissions of the IAM user and gave him all Dynamo and APIGateway rights, but no change.
It seems the issue is linked to the fact that I used a IAM user instead of an IAM Role. I'll leave that here, maybe that will help.
First, update the execution role to use a role rather than an IAM user. Then, ensure that the role has permissions for all of the DynamoDB operations and resources that you want to access. Finally, grant API Gateway permissions to assume that role by adding an IAM trust policy as shown below.
From section "API Gateway Permissions Model for Invoking an API" on documentation page here
When an API is integrated with an AWS service (for example, AWS Lambda) in the back end, API Gateway must also have permissions to access integrated AWS resources (for example, invoking a Lambda function) on behalf of the API caller. To grant these permissions, create an IAM role of the Amazon API Gateway type. This role contains the following IAM trust policy that declares API Gateway as a trusted entity that is permitted to assume the role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "apigateway.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
I have problem with AWS API Gateway.
I create my own API and now i want that other users which are in the same group as me and have same roles to access this API via AWS Management console.
The problem is that other users can't see the API which i created (same problem with Lambda functions and DynamoDB which is also visible only for me, not for other users in group).
A simple but less secure solution is to assign the AmazonAPIGatewayAdministrator policy to the IAM Users, Groups, or Roles you want to be able to use the API Gateway. This will give them access to all APIs.
If you want to restrict access to a specific API or set of APIs you can create a custom IAM Policy for that API. You will then assign that Policy to the Roles and Groups you want to have access to the API. To create the policy, you will need the ID of the API. It's a long and convoluted process, but it works. Here are the steps:
Determine the ID of the API you want to provide access to by selecting the API Gateway service and clicking on the API. The URL in the browser will look like the following:
https://console.aws.amazon.com/apigateway/home?region=us-east-1#/apis/API_ID/resources/RESOURCE_ID
Copy the API_ID to your clipboard for use later.
Alternatively you can use the AWS CLI command: aws apigateway get-rest-apis and copy the ID from the result.
Create a new IAM Policy like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"apigateway:GET"
],
"Resource": [
"arn:aws:apigateway:*::/clientcertificates",
"arn:aws:apigateway:*::/restapis",
"arn:aws:apigateway:*::/restapis/*"
]
},
{
"Effect": "Allow",
"Action": [
"apigateway:*"
],
"Resource": [
"arn:aws:apigateway:us-east-1::/restapis/API_ID/*"
]
}
]
}
Attach the policy to the Users/Groups/Roles you want to have access. The first Effect allows the user to see all of the APIs but not modify them. You may want to remove this if you want to be more restrictive.
Amazon has a decent write-up of the IAM Policies for API Gateway here: http://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html