How to use Serverless to Attach an API Gateway Resource Policy
I'm having a bug in which we're trying to attach a resource policy to an AWS API Gateway from one of our Serverless stacks that is deployed to AWS. We're using Kong to control where the requests come from, and Kong is then pointed at API Gateway. Before attaching the policy, the endpoint was invoked fine; however, after attaching the policy we're seeing an error of:
"message": "User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:*******8888:<PHYSICAL_ID>/dev/GET/<SOME_ENDPOINT>"
I've been referencing the Serverless AWS CLI docs: https://www.serverless.com/framework/docs/providers/aws/guide/serverless.yml#api-gateway-v1-rest-api
I can also see the policy get attached in CloudFormation:
```json
{
  "Type": "AWS::ApiGateway::RestApi",
  "Properties": {
    "Name": "<STACK_NAME>",
    "EndpointConfiguration": {
      "Types": [
        "EDGE"
      ]
    },
    "Policy": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": [
            "execute-api:Invoke"
          ],
          "Resource": "execute-api:/*/*/*",
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": [
                "<IP ADDRESS 1>",
                "<IP ADDRESS 2>"
              ]
            }
          }
        }
      ]
    },
    "MinimumCompressionSize": 1024
  }
}
```
Here is how I have it defined in my .yml file:

```yaml
# resourcePolicy sits under provider.apiGateway, as in the linked serverless.yml docs
provider:
  apiGateway:
    resourcePolicy:
      - Effect: Allow
        Principal: '*'
        Action: execute-api:Invoke
        Resource:
          - execute-api:/*/*/*
        Condition:
          IpAddress:
            aws:SourceIp:
              - <IP ADDRESS 1>
              - <IP ADDRESS 2>
```
Does anyone have any advice or insight as to what else I should be looking for?
Thanks
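For anyone debugging a policy like the one above, the following is an added example (not code from the question or from the Serverless Framework) that evaluates an API Gateway resource policy offline the way IAM does: an `Allow` with `Principal: "*"` only matches when the caller's source IP falls inside one of the `aws:SourceIp` entries, explicit `Deny` wins, and a request that matches no `Allow` statement is implicitly denied, which API Gateway reports as `User: anonymous is not authorized to perform: execute-api:Invoke`. The policy, IP addresses and paths in it are constructed placeholders, not values from the post.

```python
"""Offline evaluator for an API Gateway resource policy (added example).

Mirrors IAM's ordering: explicit Deny wins, then any matching Allow, otherwise
implicit Deny. The IpAddress condition is evaluated against the address that
actually connects to API Gateway.
"""
import fnmatch
import ipaddress

# Constructed sample policy with the same shape as the one in the question.
# The addresses are documentation-range placeholders, not values from the post.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["execute-api:Invoke"],
            "Resource": "execute-api:/*/*/*",
            "Condition": {
                "IpAddress": {"aws:SourceIp": ["203.0.113.10", "198.51.100.0/24"]}
            },
        }
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _resource_matches(pattern, stage, method, path):
    """Match 'execute-api:/<stage>/<method>/<path>' against a pattern whose
    '*' wildcards, as in IAM, also match across '/' separators."""
    target = f"execute-api:/{stage}/{method}/{path.lstrip('/')}"
    return fnmatch.fnmatchcase(target, pattern)


def _ip_condition_matches(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp. A bare address with
    no prefix length is treated as a single-host network, as IAM does."""
    ip = ipaddress.ip_address(source_ip)

    def in_any(cidrs):
        return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))

    result = True
    for key, expected in condition.get("IpAddress", {}).items():
        if key == "aws:SourceIp":
            result = result and in_any(expected)
    for key, expected in condition.get("NotIpAddress", {}).items():
        if key == "aws:SourceIp":
            result = result and not in_any(expected)
    return result


def evaluate(policy, source_ip, stage, method, path, action="execute-api:Invoke"):
    """Return 'Allow' or 'Deny' for one request against the policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not any(_resource_matches(r, stage, method, path) for r in _as_list(stmt["Resource"])):
            continue
        if not _ip_condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny always wins
        allowed = True
    return "Allow" if allowed else "Deny"   # no matching Allow -> implicit deny


def explain(policy, source_ip, stage, method, path):
    """Human-readable verdict in the shape of API Gateway's error message."""
    if evaluate(policy, source_ip, stage, method, path) == "Allow":
        return f"{source_ip} may invoke {method} /{stage}/{path}"
    return (
        "User: anonymous is not authorized to perform: execute-api:Invoke "
        f"on resource: /{stage}/{method}/{path} (source {source_ip} matched no Allow)"
    )


if __name__ == "__main__":
    # A client in the allow list, then a request arriving from an address that is
    # not listed (for example a proxy's egress address rather than the end client).
    print(explain(SAMPLE_POLICY, "203.0.113.10", "dev", "GET", "users"))
    print(explain(SAMPLE_POLICY, "192.0.2.50", "dev", "GET", "users"))
```

Two things this makes visible when a fronting proxy such as Kong is in the path: the address the condition sees is the peer that opens the connection to API Gateway (the proxy's egress address, not the original client's, and not anything in `X-Forwarded-For`), so that address is the one that has to appear in `aws:SourceIp`; and because the only statement is a conditional `Allow`, any non-matching address falls through to the implicit deny and surfaces as the `anonymous` error rather than a more specific message. Separately, API Gateway only applies an updated resource policy to a stage once the API is deployed again after the change.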
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
