How can I deny public access to an AWS API Gateway while allowing access only by a specific role?

I want to deny public access to an AWS API Gateway and only allow access when the API is invoked using a specific role. In my test there are two gateways, one calling the other:

Public Gateway -> Private Gateway

I want to be able to open the public gateway endpoint in a browser and receive a 2XX response, while accessing the private gateway directly should give me a 4XX response. The only way to reach the private gateway should be through the public gateway (each endpoint proxies to the private gateway).

I have tried several policies. All of them always result in the public gateway error log showing the following:

User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:********9012:abcd123456/dev/GET/products

The public gateway receives that error message as the response from the private gateway.

Here are the policies I tried (one at a time):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/test-apigateway-role"
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::123456789012:role/test-apigateway-role",
                    "arn:aws:iam::123456789012:root"
                ]
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*/*/*",
            "Condition": {
                "ArnNotEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/test-apigateway-role"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*/*/*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/test-apigateway-role"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*/*/*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/test-apigateway-role"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*/*/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/test-apigateway-role"
                }
            }
        }
    ]
}

I redeployed after every resource policy change and waited a minute before testing.

The role is assigned in the public gateway's serverless.yml settings:

service: test-gateway

provider:
  name: aws
  runtime: nodejs12.x
  apiGateway:
    shouldStartNameWithService: true
  role: arn:aws:iam::123456789012:role/test-apigateway-role

How about trying this?

According to the docs, if you specify an explicit Deny and then provide a specific Allow, it should work. If not, please keep sharing your output, I'm interested.

Update: I removed the Deny * part, which means we implicitly deny any request not explicitly declared in the Allow statement. This is as per session policies (see the docs link).

Update 2: Looking at the comments on this answer, the author also mentioned that they added authorizer: aws_iam to serverless.yml.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:role/test-apigateway-role"
                ]
            },
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*"
            ]
        }
    ]
}
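The "User: anonymous" line in the question's log means the private gateway never saw a signed request, so no resource policy keyed on aws:PrincipalArn can match. With authorizer: aws_iam on the private gateway, the public gateway's Lambda has to sign its outbound call with SigV4 using its role credentials (including the session token, since role credentials are temporary). The following is an added example, not code from the question or the answer: it implements the signing steps with the standard library so they are visible; the access key, secret, token, host and path are constructed placeholders, and in a real Lambda you would use the SDK's signer instead.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_execute_api_headers(method, host, path, region, access_key, secret_key,
                              session_token=None, body=b"", now=None):
    """Return the headers that make an execute-api call carry the caller's IAM identity.

    Constructed example: the result is what the public gateway's Lambda would add
    to its request to the private gateway so the IAM authorizer sees the role
    instead of 'anonymous'. The service name in the credential scope must be
    execute-api, and the stage is part of the path (e.g. /dev/products).
    """
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    service = "execute-api"

    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:  # temporary (role) credentials must send their token
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))

    # Canonical request: method, URI, query string, headers, signed headers, payload hash.
    payload_hash = hashlib.sha256(body).hexdigest()
    canonical_request = "\n".join([method.upper(), quote(path, safe="/"), "",
                                   canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])

    # Derive the signing key: date -> region -> service -> aws4_request.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers
```

An unsigned browser request carries none of these headers, which is exactly why the private gateway should answer it with a 4XX once aws_iam authorization is on.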