AWS API Gateway - private endpoint - Forbidden message

Time: 2019-10-26 11:21:04

Tags: amazon-web-services curl aws-api-gateway amazon-vpc

I am trying to set up a private AWS API Gateway and connect to it from my laptop. The laptop is on a network that is connected to the private VPC through AWS Direct Connect. For this I am using the toy "PetStore" example API provided by AWS.

Following this guide, I:

  • Created an API Gateway service endpoint for my VPC (private DNS disabled)
  • Set up a security group for it that allows traffic from the on-premises network (where my laptop is)
  • Created the API Gateway as a private API
  • Updated the resource policy
  • Deployed the API to a stage called V1

Assumptions:

  • AWS account: 123456789012
  • AWS region: eu-central-1
  • API Gateway ID: abcdefghij
  • API stage: V1
  • VPC endpoint domain: vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com
  • VPC endpoint IP: 10.10.10.10

To invoke my API I run the following cURL command:

curl -v https://vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com/V1/pets -H 'Host: abcdefghij.execute-api.eu-central-1.amazonaws.com' --noproxy "*"

This is the result:

*   Trying 10.10.10.10...
* TCP_NODELAY set
* Connected to vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com (10.54.251.244) port 443 (#0)
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 240 bytes...
* schannel: sent initial handshake data: sent 240 bytes
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4000
* schannel: encrypted data buffer: offset 4000 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 5024 length 5024
* schannel: encrypted data length: 95
* schannel: encrypted data buffer: offset 95 length 5024
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 252
* schannel: encrypted data buffer: offset 347 length 5024
* schannel: sending next handshake data: sending 126 bytes...
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 51
* schannel: encrypted data buffer: offset 51 length 5024
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET /V1/pets HTTP/1.1
> Host: vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 364
* schannel: encrypted data buffer: offset 364 length 103424
* schannel: decrypted data length: 283
* schannel: decrypted data added: 283
* schannel: decrypted data cached: offset 283 length 102400
* schannel: encrypted data length: 52
* schannel: encrypted data cached: offset 52 length 103424
* schannel: decrypted data length: 23
* schannel: decrypted data added: 23
* schannel: decrypted data cached: offset 306 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 306 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 306
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 403 Forbidden
< Server: Server
< Date: Fri, 25 Oct 2019 11:32:01 GMT
< Content-Type: application/json
< Content-Length: 23
< Connection: keep-alive
< x-amzn-RequestId: a5aa9f76-4e3b-4315-838a-e859fa192ade
< x-amzn-ErrorType: ForbiddenException
< x-amz-apigw-id: jdsak!291kd
<
{"message":"Forbidden"}* Connection #0 to host vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com left intact
* Rebuilt URL to: abcdefghij.execute-api.eu-central-1.amazonaws.com'/
* Could not resolve host: abcdefghij.execute-api.eu-central-1.amazonaws.com'
* Closing connection 1
curl: (6) Could not resolve host: abcdefghij.execute-api.eu-central-1.amazonaws.com'

I am not sure where the {"message":"Forbidden"} comes from. There is also the error Could not resolve host: abcdefghij.execute-api.eu-central-1.amazonaws.com

So my question is: where does this problem come from?

Appendix

Resource policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*"
        }
    ]
}
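The trace above contains two clues worth checking before touching the resource policy: the request went out with "Host: vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com" rather than the API hostname passed to -H, and curl then tried a second URL ending in a stray apostrophe. Both are consistent with the single quotes reaching curl literally (the schannel lines show a Windows build of curl). The script below is an added example, not code from the original post: it builds the same call as an argv list so no shell quoting is involved, performs it from Python with TLS against the endpoint hostname and the Host header set to the API hostname, and runs a small check over a curl -v trace. The account, region, API ID, stage and endpoint hostname are the placeholder values from the question; the sample traces are constructed, trimmed copies.

```python
"""Invoke a private API Gateway through its execute-api VPC endpoint and
check a `curl -v` trace for the two problems visible in the question.

Added example, not code from the original post. Account, region, API ID,
stage and endpoint hostname are the placeholder values from the question.
"""
import http.client
import re
import ssl

VPCE_HOST = "vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com"
API_ID = "abcdefghij"
REGION = "eu-central-1"
STAGE = "V1"


def api_host(api_id=API_ID, region=REGION):
    """Hostname API Gateway expects in the Host header. The VPC endpoint is
    shared by every private API in the region, so this header is what selects
    the API; a request that does not name a known API is answered 403."""
    return f"{api_id}.execute-api.{region}.amazonaws.com"


def curl_argv(path, vpce_host=VPCE_HOST, api_id=API_ID, region=REGION, stage=STAGE):
    """The question's curl call as an argv list, so no shell quoting is involved.
    With cmd.exe, single quotes are not quote characters, which is how -H can end
    up receiving only 'Host: and the rest of the header becomes a second URL."""
    return ["curl", "-sS", "-v", "--noproxy", "*",
            "-H", f"Host: {api_host(api_id, region)}",
            f"https://{vpce_host}/{stage}/{path.lstrip('/')}"]


def invoke(path, vpce_host=VPCE_HOST, api_id=API_ID, region=REGION, stage=STAGE, timeout=10):
    """Same request from Python: TLS and SNI against the endpoint hostname (the
    trace in the question shows that handshake completing), Host header set to
    the API hostname. http.client omits its own Host header when one is given.
    Needs network reach to the endpoint, e.g. over Direct Connect."""
    conn = http.client.HTTPSConnection(vpce_host, 443, context=ssl.create_default_context(),
                                       timeout=timeout)
    conn.request("GET", f"/{stage}/{path.lstrip('/')}", headers={"Host": api_host(api_id, region)})
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders()), resp.read()


_HOST_SENT = re.compile(r"^> Host:\s*(\S+)", re.M)
_STATUS = re.compile(r"^< HTTP/\d\.\d (\d{3})", re.M)
_ERRTYPE = re.compile(r"^< x-amzn-ErrorType:\s*(\S+)", re.M)
_REBUILT = re.compile(r"^\* Rebuilt URL to: (\S+)", re.M)


def diagnose(trace, expected_host=None):
    """Findings from a `curl -v` trace, in the order the trace reveals them."""
    expected_host = expected_host or api_host()
    findings = []
    m = _HOST_SENT.search(trace)
    if m is None:
        findings.append("no Host header in the request")
    elif m.group(1) != expected_host:
        findings.append(f"Host header was {m.group(1)}, expected {expected_host}: "
                        "the -H option was not applied")
    for m in _REBUILT.finditer(trace):
        findings.append(f"curl treated {m.group(1)} as a second URL: "
                        "the command line was split, check shell quoting")
    st, et = _STATUS.search(trace), _ERRTYPE.search(trace)
    if st and st.group(1) == "403" and et and et.group(1) == "ForbiddenException":
        findings.append("403 ForbiddenException from execute-api: the request reached API "
                        "Gateway but no API matched the Host header or the resource policy denied it")
    return findings


# Constructed sample: a trimmed copy of the trace in the question.
SAMPLE_TRACE = """\
> GET /V1/pets HTTP/1.1
> Host: vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com
> User-Agent: curl/7.55.1
< HTTP/1.1 403 Forbidden
< x-amzn-ErrorType: ForbiddenException
{"message":"Forbidden"}* Connection #0 to host vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com left intact
* Rebuilt URL to: abcdefghij.execute-api.eu-central-1.amazonaws.com'/
* Could not resolve host: abcdefghij.execute-api.eu-central-1.amazonaws.com'
"""

# Constructed sample of a correctly quoted call.
GOOD_TRACE = """\
> GET /V1/pets HTTP/1.1
> Host: abcdefghij.execute-api.eu-central-1.amazonaws.com
< HTTP/1.1 200 OK
"""

if __name__ == "__main__":
    print(" ".join(curl_argv("pets")))
    for finding in diagnose(SAMPLE_TRACE):
        print("-", finding)
    print("good trace findings:", diagnose(GOOD_TRACE))
```

Run it as is to see the three findings for the question's trace; pipe your own `curl -v ... 2>&1` output into `diagnose()` to check that the `> Host:` line names the API, not the endpoint. A correctly sent request from an endpoint the resource policy does not admit still returns 403 with the same body, so the Host check settles only the first cause; the second is the policy.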

3 answers:

Answer 0 (score: 1)

I ran into a similar issue related to the resource policy. Try the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:${AWS_REGION}:${AWS_ACCOUNT_ID}:${API_GETWAY_ID}/*/*/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpc": "${VPC_ENDPOINT_ID}"
                }
            }
        }
    ]
}

Also make sure the VPC endpoint ID includes your vpce:

[screenshot omitted]

Answer 1 (score: 0)

In the end it was indeed related to the resource policy. After other attempts we went back to the previous policy and somehow it started working (maybe we had forgotten to deploy the API the first time).

This is the policy that worked for us:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*"
        }
    ]
}

Answer 2 (score: 0)

The previous AWS API Gateway private API configuration documentation was a bit misleading; I have pushed an update to the documentation.

When creating a private API Gateway there are two key fields to pay attention to:

  1. VPC endpoint ID
  2. VPC ID

For the VPC endpoint configuration under APIs -> Your API -> Settings:

Endpoint Configuration:
    VPC End Point ID:
        *Your VPC End Point ID (this is the VPC endpoint ID with the
         com.amazonaws.ap-southeast-1.execute-api permission)

Under APIs -> Your API -> Resource Policy, configure the resource policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpc": "Change to your VPC ID"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*"
        }
    ]
}
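The three policies on this page (the unconditional Allow in the question and Answer 1, the Allow with a StringNotEquals condition in Answer 0, and the Deny-plus-Allow pair in Answer 2) make different decisions for a call arriving from your own VPC endpoint, from some other account's execute-api endpoint, and with no endpoint context at all. The evaluator below is an added example, not code from the question or answers and not AWS's policy engine: it applies the documented rules (an explicit Deny always wins, otherwise some Allow must match, otherwise implicit deny; aws:SourceVpc carries the VPC ID and aws:SourceVpce the endpoint ID; negated operators such as StringNotEquals match when the key is absent) to each policy, plus the same Deny/Allow shape keyed on aws:SourceVpce. The account, region and API ID are the question's placeholders; the VPC ID and the "other endpoint" IDs are assumed.

```python
"""Simulate API Gateway's resource-policy decision for execute-api:Invoke
against the policies on this page. Added example: not AWS's evaluator and
not code from the question or answers. Models only the documented rules:
explicit Deny wins, otherwise some Allow must match, otherwise implicit deny.
aws:SourceVpc holds the VPC ID (vpc-...), aws:SourceVpce the endpoint ID
(vpce-...); both exist only for requests that arrive through a VPC endpoint.
VPC_ID and the "other endpoint" IDs are assumed values.
"""
import fnmatch

ACTION = "execute-api:Invoke"
API_RES = "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*"
REQUEST_ARN = "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/V1/GET/pets"
VPC_ID = "vpc-0a1b2c3d"        # assumed: the VPC that holds the endpoint
VPCE_ID = "vpce-1234567890"    # from the endpoint hostname in the question

# Request contexts: own endpoint, another account's endpoint, no endpoint at all.
OWN = {"aws:SourceVpc": VPC_ID, "aws:SourceVpce": VPCE_ID}
OTHER = {"aws:SourceVpc": "vpc-ffffffff", "aws:SourceVpce": "vpce-ffffffff"}
NONE = {}


def stmt(effect, resource, condition=None):
    s = {"Effect": effect, "Principal": "*", "Action": ACTION, "Resource": resource}
    if condition:
        s["Condition"] = condition
    return s


# The unconditional Allow from the question (and Answer 1).
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [stmt("Allow", API_RES)]}
# Answer 0: Allow guarded by StringNotEquals on aws:sourceVpc, value an endpoint ID.
ANSWER0_POLICY = {"Version": "2012-10-17", "Statement": [
    stmt("Allow", "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*/*/*",
         {"StringNotEquals": {"aws:sourceVpc": VPCE_ID}})]}
# Answer 2: explicit Deny for any other VPC, then an Allow.
ANSWER2_POLICY = {"Version": "2012-10-17", "Statement": [
    stmt("Deny", API_RES, {"StringNotEquals": {"aws:sourceVpc": VPC_ID}}),
    stmt("Allow", API_RES)]}
# Same shape keyed on the endpoint ID, the narrowest scope for one endpoint.
ENDPOINT_SCOPED = {"Version": "2012-10-17", "Statement": [
    stmt("Deny", API_RES, {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}),
    stmt("Allow", API_RES)]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_ok(operator, key, wanted, ctx):
    """IAM semantics for the two string operators used here. A missing key makes
    StringEquals false and StringNotEquals true. Key names are case-insensitive."""
    wanted = _as_list(wanted)
    actual = ctx.get(key.lower())
    if operator == "StringEquals":
        return actual is not None and actual in wanted
    if operator == "StringNotEquals":
        return actual is None or actual not in wanted
    raise ValueError(f"operator {operator} not modelled")


def _matches(s, action, resource, ctx):
    """Statement applies when action, resource (IAM * and ? wildcards) and every
    condition entry match the request."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(s["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(s["Resource"])):
        return False
    return all(_condition_ok(op, k, v, ctx)
               for op, kv in s.get("Condition", {}).items() for k, v in kv.items())


def evaluate(policy, action, resource, ctx):
    """'Deny' (explicit), 'Allow', or 'ImplicitDeny'."""
    ctx = {k.lower(): v for k, v in ctx.items()}
    allowed = False
    for s in policy["Statement"]:
        if s.get("Principal") != "*":
            raise ValueError('only Principal "*" is modelled')
        if _matches(s, action, resource, ctx):
            if s["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def decisions(policy):
    """Decision for the sample request from each of the three contexts."""
    return {name: evaluate(policy, ACTION, REQUEST_ARN, ctx)
            for name, ctx in (("own endpoint", OWN), ("other endpoint", OTHER), ("no endpoint", NONE))}


if __name__ == "__main__":
    for name, pol in (("question", QUESTION_POLICY), ("answer 0", ANSWER0_POLICY),
                      ("answer 2", ANSWER2_POLICY), ("endpoint scoped", ENDPOINT_SCOPED)):
        print(f"{name:16} {decisions(pol)}")
```

What the run shows: the unconditional Allow admits a call from any execute-api VPC endpoint that can reach the API, not only your own; Answer 0's statement also admits every context, because a VPC ID is being compared with an endpoint ID and so the StringNotEquals never fails, and an Allow guarded by StringNotEquals would, with a matching VPC ID, admit everything except your own VPC; Answer 2's Deny followed by Allow admits only your VPC, and the same pair keyed on aws:SourceVpce narrows that to the single endpoint. Whichever policy you settle on, redeploy the API stage afterwards, as Answer 1 notes, or the running stage keeps the old policy.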