Reputation: 413
I'm building an API Gateway resource policy in the AWS Console. The API Gateway is inside the VPC.
I get the error: "Invalid policy document. Please check the policy syntax and ensure that Principals are valid."
Here's the Resource Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": [
        "arn:aws:execute-api:*:*:*/*"
      ]
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": [
        "arn:aws:execute-api:*:*:*/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-0c11234510819ewqe"
        },
        "StringNotEquals": {
          "aws:SourceVpce": "vpc-er345453yrt4543t"
        }
      }
    }
  ]
}
Upvotes: 0
Views: 2160
Reputation: 4077
In the condition statement, if you want to indicate multiple VPCs, you need to declare them as a list:
"Condition": {
  "StringNotEquals": {
    "aws:SourceVpc": [
      "vpc-0c11234510819ewqe",
      "vpc-er345453yrt4543t"
    ]
  }
}
Additionally, in the Resource field, remove the arn:aws: prefix.
Finally, the resource policy looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": [
        "execute-api:*:*:*/*"
      ]
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": [
        "execute-api:*:*:*/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": ["vpc-0c11234510819ewqe", "vpc-er345453yrt4543t"]
        }
      }
    }
  ]
}
Reference:
API Gateway resource policy examples
Upvotes: 3
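The syntax error in the posted policy comes from the Condition object repeating the StringNotEquals key. A JSON object can carry a key only once, and IAM rejects a document that repeats one; an operator block is a single object, several values for one condition key go in a list under that key, and different condition keys sit side by side under the same operator. The script below is an added example, not code from the question or the answer. It parses a policy with duplicate-key detection (Python's json module otherwise keeps only the last duplicate and hides the problem), merges repeated keys found inside a Condition block into that single-operator form, and lints VPC condition values by ID prefix (a VPC endpoint ID begins with vpce-, a VPC ID with vpc-). The two policy strings are constructed copies of the posted Deny statement with placeholder IDs.

```python
"""Detect and repair repeated keys in an API Gateway resource-policy
Condition block.

Added example, not code from the question or the answer.  The policy
strings below are constructed test inputs with placeholder IDs.
"""
import json

# Constructed copy of the asker's Deny statement: "StringNotEquals" appears
# twice in one Condition object, so a normal parser silently drops one.
BROKEN_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
    "Resource": "arn:aws:execute-api:*:*:*/*",
    "Condition": {
      "StringNotEquals": {"aws:SourceVpc": "vpc-0c11234510819ewqe"},
      "StringNotEquals": {"aws:SourceVpce": "vpc-er345453yrt4543t"}
    }
  }]
}"""

# Constructed variant: the same condition key repeated, which the answer
# expresses as one key holding a list of values.
BROKEN_TWO_VPCS = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
    "Resource": "arn:aws:execute-api:*:*:*/*",
    "Condition": {
      "StringNotEquals": {"aws:SourceVpc": "vpc-0c11234510819ewqe"},
      "StringNotEquals": {"aws:SourceVpc": "vpc-er345453yrt4543t"}
    }
  }]
}"""

# Expected ID prefixes for the two VPC-related condition keys.
_ID_PREFIXES = {"aws:SourceVpc": "vpc-", "aws:SourceVpce": "vpce-"}


class DuplicateKeyError(ValueError):
    """A JSON object repeats a key where merging has no meaning."""


class _Pairs(list):
    """Marker: one JSON object's (key, value) pairs, duplicates preserved."""


def _strict_object(pairs):
    # object_pairs_hook runs for every JSON object; a plain dict would
    # keep only the last duplicate, which is exactly how the bug hides.
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        seen[key] = value
    return seen


def parse_policy_strict(text):
    """Parse policy JSON, failing on any repeated key."""
    return json.loads(text, object_pairs_hook=_strict_object)


def _merge(a, b):
    # Two operator blocks: deep-merge them.  Two values for one condition
    # key: combine into a de-duplicated list, the form IAM expects.
    if isinstance(a, dict) and isinstance(b, dict):
        out = dict(a)
        for key, value in b.items():
            out[key] = _merge(out[key], value) if key in out else value
        return out
    a_list = a if isinstance(a, list) else [a]
    b_list = b if isinstance(b, list) else [b]
    return a_list + [v for v in b_list if v not in a_list]


def _build(node, in_condition=False):
    # Turn pair lists back into dicts.  Repeats are merged only inside
    # Condition, where IAM's grammar gives merging a meaning; elsewhere
    # (two "Effect" keys, say) they remain an error.
    if isinstance(node, _Pairs):
        out = {}
        for key, value in node:
            child_ctx = in_condition or key == "Condition"
            value = _build(value, child_ctx)
            if key not in out:
                out[key] = value
            elif child_ctx:
                out[key] = _merge(out[key], value)
            else:
                raise DuplicateKeyError(f"duplicate key {key!r}")
        return out
    if isinstance(node, list):
        return [_build(item, in_condition) for item in node]
    return node


def repair_policy(text):
    """Return (policy_dict, repaired); repaired is True when duplicate
    keys inside a Condition block had to be merged."""
    try:
        return parse_policy_strict(text), False
    except DuplicateKeyError:
        return _build(json.loads(text, object_pairs_hook=_Pairs)), True


def repair_policy_text(text):
    """Repair and re-serialise, ready to paste back into the console."""
    return json.dumps(repair_policy(text)[0], indent=2)


def lint_conditions(policy):
    """Warn about VPC/VPCE condition values with the wrong ID prefix."""
    warnings = []
    for stmt in policy.get("Statement", []):
        for operator, block in stmt.get("Condition", {}).items():
            for key, values in block.items():
                prefix = _ID_PREFIXES.get(key)
                if prefix is None:
                    continue
                for value in values if isinstance(values, list) else [values]:
                    if not value.startswith(prefix):
                        warnings.append(f"{operator}/{key}: {value!r} "
                                        f"should start with {prefix!r}")
    return warnings
```

Run `repair_policy_text(BROKEN_POLICY)` to get a Condition with one StringNotEquals block carrying both aws:SourceVpc and aws:SourceVpce; the lint pass then points out that the aws:SourceVpce value does not look like a VPC endpoint ID. Repeated keys outside Condition are deliberately left as errors, since there is no safe way to guess which value was meant.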