I have an app which uses a role with this policy to invoke an API gateway:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*",
        "cognito-identity:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": [
        "arn:aws:execute-api:us-east-1:XXXXXXXXXX:aaaaaaaaaa/$default/POST/routename/${aws:PrincipalTag/username}"
      ]
    }
  ]
}
(In govcloud, us-east-1 is changed to us-gov-west-1).
This works fine in commercial. However, I get 500 internal server errors on govcloud. Upon customizing and inspecting the logs, I find that it's an authorizer error with the error message "internal failure for IAM authorizer".
Searching this error on Google yielded 0 results... Now I'm scared.
In a panic, I tried opening up all permissions more broadly:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*",
        "cognito-identity:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
But this yielded the same results.
However, when I tried hitting the same endpoint using complete admin permissions, my requests went through just fine.
What can I do to stop this behavior? Are IAM Authorizers even supported on govcloud? Do I need to add more permissions?
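A check worth running on the policy before widening it any further, written here as an added example and not part of the original question: build the execute-api ARN from the partition that belongs to the target region (GovCloud regions live in the aws-us-gov partition, not aws) and lint the resource ARNs of every execute-api statement for a partition/region mismatch, for the `${aws:PrincipalTag/...}` variable being used under a policy version that supports it, and for the over-broad `Resource: "*"` the fallback policy introduced. The sample policies, account id and API id below are constructed for the example; the lint does not claim to diagnose the 500, it only surfaces the things an IAM policy for a cross-partition deployment most often gets wrong.

```python
import json
import re

# Region families and the IAM partition each belongs to (constructed table;
# the partition names themselves are AWS's real ones).
GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}

# ARN layout: arn:partition:service:region:account:resource.
# The resource field may itself contain ':' (policy variables do), so it
# is matched greedily after the five fixed fields.
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>[^:]*):(?P<region>[^:]*)"
    r":(?P<account>[^:]*):(?P<resource>.+)$"
)


def partition_for_region(region):
    """Return the IAM partition a region belongs to."""
    if region in GOVCLOUD_REGIONS:
        return "aws-us-gov"
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws"


def execute_api_arn(region, account_id, api_id, stage, method, route):
    """Build an execute-api resource ARN with the partition derived from the region."""
    partition = partition_for_region(region)
    return f"arn:{partition}:execute-api:{region}:{account_id}:{api_id}/{stage}/{method}/{route}"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(policy):
    """Return a list of findings for the execute-api statements of an IAM policy."""
    findings = []
    version = policy.get("Version")
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action"))
        if not any(a.startswith("execute-api:") for a in actions):
            continue  # only the API Gateway invoke statements are of interest here
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                findings.append(
                    f"statement {i}: execute-api action with Resource '*' grants invoke on every API in the account"
                )
                continue
            m = ARN_RE.match(res)
            if not m:
                findings.append(f"statement {i}: '{res}' is not a well-formed ARN")
                continue
            expected = partition_for_region(m["region"])
            if m["partition"] != expected:
                findings.append(
                    f"statement {i}: partition '{m['partition']}' does not match region "
                    f"'{m['region']}' (expected '{expected}')"
                )
            if "${aws:PrincipalTag/" in res and version != "2012-10-17":
                findings.append(f"statement {i}: policy variables require Version 2012-10-17")
    return findings


def _policy(resource):
    # Constructed sample policy mirroring the shape in the question.
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["execute-api:Invoke"], "Resource": [resource]},
        ],
    }


# Constructed samples: commercial ARN, a GovCloud region left under the 'aws'
# partition, and the wildcard fallback from the question.
COMMERCIAL_POLICY = _policy(
    execute_api_arn("us-east-1", "123456789012", "aaaaaaaaaa", "$default", "POST",
                    "routename/${aws:PrincipalTag/username}")
)
GOVCLOUD_MISMATCH_POLICY = _policy(
    "arn:aws:execute-api:us-gov-west-1:123456789012:aaaaaaaaaa/$default/POST/routename/${aws:PrincipalTag/username}"
)
WILDCARD_POLICY = _policy("*")

if __name__ == "__main__":
    for name, pol in [("commercial", COMMERCIAL_POLICY),
                      ("govcloud-mismatch", GOVCLOUD_MISMATCH_POLICY),
                      ("wildcard", WILDCARD_POLICY)]:
        print(name, json.dumps(lint_policy(pol), indent=2))
```

Running the module prints an empty finding list for the commercial policy, a partition mismatch for the GovCloud ARN that still starts with `arn:aws:`, and an over-broad-resource finding for the wildcard policy; `execute_api_arn` is the helper to use when generating the GovCloud ARN so the partition follows the region automatically.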