"The client is not authorized to perform this operation" Error with Amazon EventBridge call to API Gateway

0

I am encountering an error when attempting to invoke an API Gateway endpoint from Amazon EventBridge. Despite configuring the IAM policy and resource policy for API Gateway correctly, I am still receiving the "The client is not authorized to perform this operation" error.

API Gateway Resource Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "events.amazonaws.com" },
      "Action": "execute-api:Invoke",
      "Condition": {
        "ArnEquals": { "arn:aws:events:ap-southeast-1:8122672658:rule/eb-event/eb-rule-prod" }
      },
      "Resource": [ "execute-api:/stage/GET/api" ]
    }
  ]
}

Error: "The client is not authorized to perform this operation."

2 Answers
1
Accepted Answer

Hello. If the resource policy works fine without the condition block but denies access when the condition block is added, that is most likely due to an error in the ARN format or incorrect values for region, account ID or rule name. Re-validate the ARN format and values to ensure there are no typos or errors.

Alternatively, in the condition block, try using ArnLike instead of ArnEquals to check whether that works.

Also, have you checked that the resource policy doesn't have any other statement which could result in denied access? Lastly, you would have to enable AWS CloudTrail logs for both EventBridge and API Gateway and review the logs to find any additional error messages that could be denying the operation.

AWS
answered 2 months ago
  • I tried using ArnLike instead of ArnEquals but it did not work. This is the resource policy in API GW; I don't think it is wrong:

    {
      "Effect": "Allow",
      "Principal": "",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:ap-southeast-1:83314353658:mdfkl1e0p1/",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:events:ap-southeast-1:83314353658:rule/eb-event/eb-rule"
        }
      }
    }
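
The checks the answer lists (ARN format and values, the condition operator and key, stray Deny statements) can be run against a policy before it is deployed. The linter below is an added example written for this page, not code from the answerer or from AWS. It assumes the policy is for an API that only events.amazonaws.com should invoke; the account id 123456789012 and the "fixed" policy are constructed placeholders, and the question's own policy is reproduced only in shape (its condition block did not parse as JSON, so a stand-in value is supplied).

```python
import json
import re

# Constructed example value: 123456789012 is a placeholder account id, not from the question.
GOOD_RULE_ARN = "arn:aws:events:ap-southeast-1:123456789012:rule/eb-event/eb-rule-prod"

# EventBridge rule ARN: arn:aws:events:<region>:<12-digit account>:rule/<name>.
# The account group is deliberately loose so a wrong-length id is reported rather than rejected.
EVENTS_RULE_ARN = re.compile(
    r"^arn:aws:events:(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d):(?P<account>\d*):rule/(?P<name>[^:]+)$"
)
SOURCE_KEYS = {"aws:SourceArn", "aws:SourceAccount"}
ARN_OPERATORS = ("ArnEquals", "ArnLike", "StringEquals", "StringLike")


def check_rule_arn(arn):
    """Return problems with an EventBridge rule ARN; an empty list means it looks right."""
    m = EVENTS_RULE_ARN.match(arn)
    if not m:
        return [f"ARN does not have the form arn:aws:events:<region>:<account>:rule/<name>: {arn}"]
    account = m.group("account")
    if len(account) != 12:
        return [f"account id must be 12 digits, got {len(account)} ({account}) in {arn}"]
    return []


def lint_statement(stmt, sid):
    """Check one statement of a resource policy meant to allow events.amazonaws.com."""
    findings = []
    if stmt.get("Effect") == "Deny":
        # An explicit Deny wins over every Allow, so it is always worth a look.
        return [f"{sid}: explicit Deny overrides every Allow; review its Action/Resource/Condition"]
    principal = stmt.get("Principal")
    service = principal.get("Service") if isinstance(principal, dict) else None
    if service != "events.amazonaws.com":
        findings.append(f"{sid}: Principal is not the service principal events.amazonaws.com")
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    if "execute-api:Invoke" not in actions and "execute-api:*" not in actions:
        findings.append(f"{sid}: Action does not include execute-api:Invoke")
    if "Resource" not in stmt:
        findings.append(f"{sid}: Resource is missing")
    for operator, pairs in stmt.get("Condition", {}).items():
        if not operator.startswith(ARN_OPERATORS):
            findings.append(f"{sid}: operator {operator} is unusual for an aws:SourceArn check")
        for key, value in pairs.items():
            if key.startswith("arn:"):
                # The ARN has been written where the condition key belongs.
                findings.append(f"{sid}: condition key {key!r} looks like an ARN; the key (e.g. aws:SourceArn) is missing")
                continue
            if key not in SOURCE_KEYS:
                findings.append(f"{sid}: unexpected condition key {key}")
                continue
            if key == "aws:SourceArn":
                for v in (value if isinstance(value, list) else [value]):
                    findings.extend(f"{sid}: {p}" for p in check_rule_arn(v))
    return findings


def lint_policy(policy):
    """Lint a parsed policy document; returns a list of human-readable findings."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        findings.extend(lint_statement(stmt, stmt.get("Sid", f"Statement[{i}]")))
    return findings


def lint_policy_text(text):
    """Lint a policy given as JSON text; a parse error is itself a finding."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc.msg} at line {exc.lineno} column {exc.colno}"]
    return lint_policy(policy)


# Constructed: the shape of the posted policy, with the question's ARN as the condition key.
# The posted JSON had no value after that key and did not parse; "*" stands in so it parses here.
POSTED_SHAPE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "execute-api:Invoke",
        "Condition": {"ArnEquals": {"arn:aws:events:ap-southeast-1:8122672658:rule/eb-event/eb-rule-prod": "*"}},
        "Resource": ["execute-api:/stage/GET/api"],
    }],
}

# Constructed: the corrected shape, with the key aws:SourceArn and a 12-digit placeholder account id.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "execute-api:Invoke",
        "Resource": "execute-api:/stage/GET/api",
        "Condition": {"ArnLike": {"aws:SourceArn": GOOD_RULE_ARN}},
    }],
}

if __name__ == "__main__":
    for name, policy in (("posted shape", POSTED_SHAPE), ("fixed", FIXED_POLICY)):
        print(name, "->", lint_policy(policy) or ["no findings"])
```

Run against the posted shape it reports the ARN sitting in the key position; run against the question's ARN directly (check_rule_arn) it reports a 10-digit account id, which is the "incorrect values for region, account-id, rulename" case the answer describes. A policy that passes the linter can still be denied by an explicit Deny elsewhere or by a wrong rule name, which is why the CloudTrail step remains necessary.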

1

Have you tried removing the condition block from the IAM resource policy to validate whether that allows execution to run through? This way, at least you could ensure that there are no other issues with permissions. Thereafter, you can add a condition block to further restrict access to an EventBridge rule based on specific conditions.

AWS
answered 2 months ago