Sagar Ajmire

Reputation: 343

How to configure APIs in API Gateway to accept traffic only from specified EC2 instances

I changed the Authorization Type for API to AWS_IAM, then I created a user with the following policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "execute-api:Invoke"
                ],
                "Resource": [
                    "arn:aws:execute-api:us-east-1:account_id:api-id/stage/GET/*"
                ]
            }
        ]
    }

And tried to access this API through Postman, and it worked. But when I'm giving this user's access_key_id and secret_access_key to an EC2 instance through aws configure and then trying to access the API (curl URL), it's giving me Missing Authentication token.

Any help is appreciated. Thank You.

Upvotes: 2

Views: 566

Answers (1)

Matt Houser

Reputation: 36103

When your API Gateway is using AWS_IAM authentication, you must send an AWS SigV4 authenticated request to your API endpoint (just like the AWS SDKs would to the AWS APIs).

Postman has a built-in SigV4 authentication mode that makes it easy to test. However, curl does not. curl is not part of the AWS CLI, so it's not going to care what you do with aws configure. This is why it's failing with curl. Executing the command on your EC2 instance won't magically make authentication work.

In order to use curl to make a request, you will need to compute and calculate your own SigV4 signature parameters & headers to go along with the request.

I just found (what looks to be) a good curl-alternative to handle this for you:

https://github.com/okigan/awscurl

It includes an API gateway example.

Upvotes: 2
