API gateway cannot invoke endpoint after setting resource policy

Question

Hi, I have set a resource policy for my API that enables invoke access for only one user. The user credentials are set in my machine. However, when I do curl/ do the get request from browser, I get the following error message.

{"Message":"User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:eu-central-1:********2:e5460wg6i/Prod/GET/"}

What I want to do is, invoke the endpoint only from EC2s that have roles attached which are allowed via the API gateway resource policy.

Answer

When you run curl from your EC2 instance it doesn't automatically use the associated role credentials when making the HTTP request and this is why you see the request as "anonymous".

You need to make an HTTP request that is signed by using [AWS Signature Version 4](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html).

You can follow [the guide here](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html) on how to craft an HTTP request that is SigV4 signed.
Alternatively, you can use [awscurl](https://github.com/okigan/awscurl) tool that will simplify this process for you. And, there are also browser extensions (for example [this one for chrome](https://chromewebstore.google.com/detail/aws-agent/jjgjefclcmpfpoiinpkpbdllboockoia)) that can do it (though I haven't tried them personally, so use at your own risk).

Answer

I found the Knowledge, hope it will help you.  
Please check it out.

> Resolve "User: anonymous is not authorized to perform: execute-api:Invoke on resource:" errors

**How do I troubleshoot issues when connecting to an API Gateway private API endpoint?**  
https://repost.aws/knowledge-center/api-gateway-private-endpoint-connection

API gateway cannot invoke endpoint after setting resource policy

相關內容