tgk

Reputation: 4116

AWS API Gateway: User anonymous is not authorized to execute API

Trying to POST to an API I've created in API Gateway:

{
    "Message": "User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:***********:jrr7u1ekrr/v0/POST/user"
}

How can I update the policy in CloudFormation to make publicly available the POST endpoint? I'm declaring the API with the AWS::ApiGateway::RestApi resource type.

The API policy property is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/*/POST/user"
        }
    ]
}

Upvotes: 67

Views: 111585

Answers (8)

Roshan Halwai

Reputation: 552

Please check the following:

Step - 1: Ensure that the IAM User has policy AmazonAPIGatewayInvokeFullAccess attached.

Step - 2: Ensure that the API Gateway has whitelisted the AWS Account in the Resource Policy.

Step - 3: If the IAM User has been created recently, it will take around 5 - 10 mins for the policy to reflect; please be patient.

Upvotes: 0

Iain Hunter

Reputation: 5037

As others have pointed out, this issue is most likely caused by not having a correct Resource Policy on the API. I suggest you use the example from the AWS docs: "Example: Allow private API traffic based on source VPC or VPC endpoint policy".

Use the VPC Endpoint version and set the SourceVpce to be the id of your API Gateway VPC Endpoint. Once saved, API Gateway will automatically populate the endpoint details; refresh the page to see the updated policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "execute-api:/*"
            ]
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "execute-api:/*"
            ],
            "Condition" : {
                "StringNotEquals": {
                    "aws:SourceVpce": "vpce-1a2b3c4d"
                }
            }
        }
    ]
}

As others have noted, any changes to the Resource Policy require you to redeploy your API. Wait at least 30 seconds after you've deployed before you test again.

Upvotes: 3

Miguel Alorda

Reputation: 692

This is not an answer to the question, but for those who come up with the same error message.

I was using a resource policy to try to whitelist requests to an AWS API Gateway by IP, but I was getting the error mentioned by the OP:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-west-1:{ACCOUNT_ID}:{API_GW_ID}/{STAGE}/{METHOD}/{PATH}",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "{SOME_IP_ADDRESS}/32"
                }
            }
        },
        {
            "Sid": "",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-west-1:{ACCOUNT_ID}:{API_GW_ID}/{STAGE}/{METHOD}/{PATH}"
        }
    ]
}

What I've learnt:

  • On the one hand, no resource policy means allow all requests.

  • On the other hand, Deny statements take precedence over Allow statements (meaning all requests were denied).

  • Lastly, if a resource policy exists, any request that does not match a statement gets denied.

Hence, to allow requests to API GW only from a certain IP, I ended up using the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-west-1:{ACCOUNT_ID}:{API_GW_ID}/{STAGE}/{METHOD}/{PATH}",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "{SOME_IP_ADDRESS}/32"
                }
            }
        }
    ]
}

Upvotes: 1
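A small Python model of the three evaluation rules listed in the answer above (no policy allows everything, an explicit Deny wins over Allow, and a request matching no statement is implicitly denied), added here as an illustration and not part of the answer; it only handles execute-api:Invoke with an optional IpAddress/aws:SourceIp condition, and the ARN, account id and IP addresses are constructed sample values.

```python
import fnmatch
import ipaddress

# Constructed sample values (not from the page): one method ARN and one trusted client IP.
RESOURCE = "arn:aws:execute-api:eu-west-1:123456789012:abc123/prod/POST/user"
ALLOWED_IP = "203.0.113.10"

ALLOW_FROM_IP = {"Effect": "Allow", "Principal": {"AWS": "*"},
                 "Action": "execute-api:Invoke", "Resource": RESOURCE,
                 "Condition": {"IpAddress": {"aws:SourceIp": ALLOWED_IP + "/32"}}}
DENY_ALL = {"Effect": "Deny", "Principal": {"AWS": "*"},
            "Action": "execute-api:Invoke", "Resource": RESOURCE}

# The first attempt (Allow from IP + unconditional Deny) and the working policy (Allow only).
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [ALLOW_FROM_IP, DENY_ALL]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [ALLOW_FROM_IP]}


def _matches(statement, resource, source_ip):
    """True if the statement's Resource glob and its IpAddress condition (if any) match."""
    resources = statement["Resource"]
    if isinstance(resources, str):
        resources = [resources]
    if not any(fnmatch.fnmatchcase(resource, pattern) for pattern in resources):
        return False
    cidrs = statement.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
    if cidrs is not None:
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs):
            return False
    return True


def evaluate(policy, resource, source_ip):
    """Return 'Allow' or 'Deny' for one invoke request under a resource policy (or None)."""
    if policy is None:
        return "Allow"            # rule 1: no resource policy at all -> everything allowed
    decision = "Deny"             # rule 3: implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        if stmt.get("Action") != "execute-api:Invoke" or not _matches(stmt, resource, source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"         # rule 2: an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for name, policy in [("no policy", None), ("allow+deny", BROKEN_POLICY), ("allow only", FIXED_POLICY)]:
        for ip in (ALLOWED_IP, "198.51.100.7"):
            print(f"{name:10} from {ip:13}: {evaluate(policy, RESOURCE, ip)}")
```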

Paritosh Agrawal

Reputation: 284

After the policy changes you need to redeploy the API for the changes to propagate. To redeploy:

  1. Go to API Gateway.
  2. Go to the resource.
  3. Click on the "Actions" drop-down and click on "Deploy API".

Upvotes: 7

pavan Kumar

Reputation: 311

Even if the Authorization is set to NONE for your OPTIONS method, it will check the resource policy if you have one.

You can make your OPTIONS method publicly available by setting the following API Gateway resource policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:{REGION}:{AWS_ACCOUNT}:{YOUR_API_ID}/{YOUR_API_STAGE}/OPTIONS/*"
        }
    ]
}

Check "How API Gateway Resource Policies Affect Authorization Workflow".

Upvotes: 21

Rshad Zhran

Reputation: 636

In

"Resource": "execute-api:/*/POST/user"

Set your Account ID instead of *.

And then re-deploy.

Kr,

Upvotes: 1

Travis Bear

Reputation: 13859

Something that tripped me up: "If the API has been deployed previously in the API Gateway console, you'll need to redeploy it for the resource policy to take effect."

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-create-attach.html

Upvotes: 73

roxxypoxxy

Reputation: 3121

The issue is probably on the method declaration part. You will need to have authorizationType set to NONE in your AWS::ApiGateway::Method declaration.

Upvotes: 2
