How can I troubleshoot access denied errors when invoking API Gateway APIs with a resource based policy?

Last updated: 2022-12-21

I'm getting an access denied error when invoking an Amazon API Gateway API operation with a resource policy.

Resolution

Follow these troubleshooting steps for your public or private API Gateway API operation.

Public API operations

1.    Check whether the API has a resource policy that allows or denies requests based on source IP address. If you don't have access logging set up, then set up access logging for API Gateway: access logs record the source IP address of each request. Compare that source IP address with the policy: it must not fall in a denied range, and the address itself or a CIDR range that contains it must be explicitly allowed.

Example resource policy that allows only three IP addresses:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:<region>:<account_number>:<api_id>/*"
        },

        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:<region>:<account_number>:<api_id>/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "52.36.146.106",
                        "34.216.36.206/32",
                        "205.251.233.179/32"
                    ]
                }
            }
        }
    ]
}

Example resource policy that blocks two IP addresses:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:<region>:<account_number>:<api_id>/*"
            ]
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
               "arn:aws:execute-api:<region>:<account_number>:<api_id>/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": ["52.36.146.106", "34.216.36.206/32"]
                }
            }
        }
    ]
}

2.    The HTTP method (for example, GET or POST) and the API Gateway resource path (/, /foo, /foo/bar) of the request must be explicitly allowed. Check the Resource attribute of the policy, which covers stage, method and path in the following form:

"Resource": [
    "arn:aws:execute-api:<region>:<account_number>:<api_id>/<stage>/<http_method>/<resource_path_specifier>/*"
],
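The following Python script is an added worked example (it is not part of this article and not AWS code) that models how steps 1 and 2 interact: it evaluates a request's source IP address, stage, method and resource path against a resource policy shaped like the examples above, with an explicit Deny overriding Allow and an unmatched request falling through to an implicit deny. The policy, the account and API identifiers, and the access log lines are constructed for the example; the log lines carry only a few of the fields a real API Gateway JSON access log would contain.

```python
import ipaddress
import json
import re

# Constructed API ARN prefix; made-up region, account and API id stand in for
# the <region>/<account_number>/<api_id> placeholders used in the article.
API_ARN = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5"

# Constructed policy modelled on the article's first example: allow everyone,
# then explicitly deny any source IP outside three addresses.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": API_ARN + "/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": API_ARN + "/*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": [
             "52.36.146.106", "34.216.36.206/32", "205.251.233.179/32"]}}},
    ],
}

# Constructed policy for step 2: only GET requests below /foo on stage prod.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": API_ARN + "/prod/GET/foo/*"},
    ],
}

# Constructed access log lines (subset of API Gateway JSON access-log fields).
SAMPLE_LOG_LINES = [
    '{"requestId":"r1","ip":"52.36.146.106","httpMethod":"GET","resourcePath":"/foo","stage":"prod","status":"200"}',
    '{"requestId":"r2","ip":"198.51.100.7","httpMethod":"GET","resourcePath":"/foo","stage":"prod","status":"403"}',
    '{"requestId":"r3","ip":"34.216.36.206","httpMethod":"POST","resourcePath":"/foo/bar","stage":"prod","status":"200"}',
]


def arn_matches(pattern, value):
    """IAM-style wildcard matching: '*' matches any run of characters, '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def ip_in_any(source_ip, cidrs):
    """True if source_ip falls inside any of the given addresses or CIDR ranges."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def condition_holds(condition, source_ip):
    """Evaluate the IpAddress / NotIpAddress operators used by these policies."""
    for operator, keys in condition.items():
        cidrs = _as_list(keys.get("aws:SourceIp", []))
        if operator == "IpAddress" and not ip_in_any(source_ip, cidrs):
            return False
        if operator == "NotIpAddress" and ip_in_any(source_ip, cidrs):
            return False
    return True


def request_arn(stage, method, path):
    """execute-api ARN of one request; the resource path keeps its leading slash."""
    return f"{API_ARN}/{stage}/{method}{path}"


def evaluate(policy, source_ip, stage, method, path):
    """Return ('Allow'|'Deny', reason). Explicit Deny beats Allow; no match is an implicit deny."""
    arn = request_arn(stage, method, path)
    allowed_by = None
    for idx, stmt in enumerate(policy["Statement"]):
        if not any(arn_matches(a, "execute-api:Invoke") for a in _as_list(stmt["Action"])):
            continue
        if not any(arn_matches(r, arn) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny", f"explicit deny by statement {idx}: its condition holds for source IP {source_ip}"
        allowed_by = idx
    if allowed_by is None:
        return "Deny", f"no Allow statement matches {arn} (implicit deny)"
    return "Allow", f"allowed by statement {allowed_by}"


def explain_log(policy, log_lines):
    """Map each access-log request id to the policy decision for its source IP, method and path."""
    results = {}
    for line in log_lines:
        entry = json.loads(line)
        results[entry["requestId"]] = evaluate(
            policy, entry["ip"], entry["stage"], entry["httpMethod"], entry["resourcePath"])
    return results


if __name__ == "__main__":
    for rid, (decision, reason) in explain_log(SAMPLE_POLICY, SAMPLE_LOG_LINES).items():
        print(rid, decision, reason)
```

Running it against the constructed log shows request r2 denied because 198.51.100.7 is outside the NotIpAddress list, while r1 and r3 are allowed. The scoped policy illustrates the step 2 pitfall: a Resource of `.../prod/GET/foo/*` allows GET /foo/bar but neither POST /foo/bar nor GET /foo itself, since the trailing `/*` does not match the bare /foo path.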

3.    Check if the resource policy uses other types of authentication methods or authorizers. The API Gateway evaluation of the resource policy is affected by your authentication type. Example authentication types include an AWS Lambda authorizer or Amazon Cognito authentication. Make sure that the resource policy is configured correctly for the authentication type defined for your API.

4.    Make sure that you redeploy your API for the changes to take effect. To redeploy, repeat the steps to deploy a REST API to a stage.

5.    If you are using an example API Gateway resource policy, make sure that you have configured all variables for your environment.

6.    If your resource policy allows access only from IP addresses within your Amazon Virtual Private Cloud (Amazon VPC), then do one of the following:

Allow the public IP address of your router or NAT gateway in your resource policy. A public API endpoint sees that public address, not the private VPC address, as the source of the request.

-or-

Change the public API endpoint to a private API endpoint.

Private API operations

1.    If the resource policy has an Amazon VPC endpoint, then check the policy for the condition key. If the resource policy uses the condition key aws:SourceVpce, then its value must be the Amazon VPC endpoint ID, not the VPC ID. If the resource policy uses the condition key aws:SourceVpc, then its value must be the Amazon VPC ID, not the VPC endpoint ID.

To check the endpoint type, open the Amazon VPC console, choose Endpoints, and then choose your endpoint.

2.    Make sure that you redeploy your API for the changes to take effect. To redeploy, repeat the steps to deploy a REST API to a stage.

3.    If you're using an example API Gateway resource policy, then make sure that you configure all variables for your environment.
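The following Python checker is an added example (not part of this article and not an AWS tool) that covers two of the mistakes described in this section and in step 5 of the public section: placeholder variables such as <region> left unsubstituted from an example policy, and a VPC ID used where aws:SourceVpce expects a VPC endpoint ID (or the reverse for aws:SourceVpc). The policy document it lints is constructed for the example, with made-up account, API, VPC and endpoint identifiers.

```python
import json
import re

# Constructed private-API resource policy containing both mistakes: an
# unsubstituted <region> placeholder, a vpc- id under aws:SourceVpce and a
# vpce- id under aws:SourceVpc. All identifiers are made up.
BROKEN_PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "arn:aws:execute-api:<region>:123456789012:a1b2c3d4e5/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpc-0123456789abcdef0"}}},
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/*",
         "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpce-0123456789abcdef0"}}},
    ],
})

# The same policy with the region filled in and each condition key given the
# kind of identifier it expects.
CORRECTED_PRIVATE_POLICY = (
    BROKEN_PRIVATE_POLICY
    .replace("<region>", "us-east-1")
    .replace('"aws:SourceVpce": "vpc-0123456789abcdef0"', '"aws:SourceVpce": "vpce-0123456789abcdef0"')
    .replace('"aws:SourceVpc": "vpce-0123456789abcdef0"', '"aws:SourceVpc": "vpc-0123456789abcdef0"')
)

# Angle-bracket placeholders as used in example policies, e.g. <account_number>.
PLACEHOLDER = re.compile(r"<[A-Za-z_]+>")

# IAM condition keys are case-insensitive, so match them lower-cased.
EXPECTED_PREFIX = {"aws:sourcevpce": "vpce-", "aws:sourcevpc": "vpc-"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _walk_strings(node, path=""):
    """Yield (json_path, string) for every string value in the policy document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def lint_policy(policy_json):
    """Return a list of human-readable findings; an empty list means no problem found."""
    policy = json.loads(policy_json)
    findings = []

    # 1. Leftover <placeholders> anywhere in the document.
    for path, value in _walk_strings(policy):
        for placeholder in PLACEHOLDER.findall(value):
            findings.append(f"{path}: unsubstituted placeholder {placeholder}")

    # 2. aws:SourceVpce must hold vpce- ids, aws:SourceVpc must hold vpc- ids.
    for index, stmt in enumerate(policy.get("Statement", [])):
        for operator, keys in stmt.get("Condition", {}).items():
            for key, values in keys.items():
                prefix = EXPECTED_PREFIX.get(key.lower())
                if prefix is None:
                    continue
                for value in _as_list(values):
                    if not value.startswith(prefix):
                        findings.append(
                            f"Statement[{index}] {operator} {key}: value {value!r} is not a {prefix}* id")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(BROKEN_PRIVATE_POLICY):
        print(finding)
    print("corrected policy findings:", lint_policy(CORRECTED_PRIVATE_POLICY))
```

Run it on the policy you attached to the API (for example, the output of `aws apigateway get-rest-api`, which returns the policy as an escaped JSON string that you unescape first); the broken sample produces three findings and the corrected one none. To confirm which identifier is which, open the Amazon VPC console as described above: endpoint IDs start with vpce-, VPC IDs with vpc-.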

4.    The HTTP method (for example, GET or POST) and the API Gateway resource path (/, /foo, /foo/bar) of the request must be explicitly allowed. Check the Resource attribute of the policy, which covers stage, method and path in the following form:

"Resource": [
    "arn:aws:execute-api:<region>:<account_number>:<api_id>/<stage>/<http_method>/<resource_path_specifier>/*"
],

5.    Check if the resource policy uses other types of authentication methods or authorizers. The API Gateway evaluation of the resource policy is affected by your authentication type. Example authentication types include an AWS Lambda authorizer or Amazon Cognito authentication. Make sure that the resource policy is configured correctly for the authentication type defined for your API.
