我已经在 AWS API 网关中创建了一个私有 API,使用内部应用程序 LoadBalancer 作为 GET 方法的 HTTP_PROXY 集成请求。
我还将资源策略附加到此 API,并为子网创建接口端点 (VPC 端点)。当我从 API 网关测试接口测试此策略时,我收到以下错误消息。
******************************
Execution log for request 67ebbdbf-6537-11e9-898f-39f8c1447e67
Mon Apr 22 19:47:05 UTC 2019 : Starting execution for request: 67ebbdbf-6537-11e9-898f-39f8c1447e67
Mon Apr 22 19:47:05 UTC 2019 : HTTP Method: GET, Resource Path: /
Mon Apr 22 19:47:05 UTC 2019 : Method request path: {}
Mon Apr 22 19:47:05 UTC 2019 : Method request query string: {}
Mon Apr 22 19:47:05 UTC 2019 : Method request headers: {}
Mon Apr 22 19:47:05 UTC 2019 : Method request body before transformations:
Mon Apr 22 19:47:05 UTC 2019 : Execution failed due to configuration error: Invalid endpoint address
Mon Apr 22 19:47:05 UTC 2019 : Method completed with status: 500
**************************************************************
但是,当我从私有子网中的 EC2 实例测试此策略时,我收到了略有不同的错误消息。
我在 AWS API 网关中创建了一个私有 API,使用内部应用程序负载均衡器作为 HTTP_PROXY 集成,并将资源策略附加到它。我还为子网创建了接口端点(VPC 端点)。当我从 API 网关测试接口测试此策略时,出现以下错误消息。
[ec2-user@ip-10-0-3-21 ~]$ curl -vvvv https://w4ipx30rt1.execute-api.us-east-1.amazonaws.com/dev/
* Trying 10.0.3.157...
* TCP_NODELAY set
* Connected to w4ipx30rt1.execute-api.us-east-1.amazonaws.com (10.0.3.157) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=*.execute-api.us-east-1.amazonaws.com
* start date: Oct 9 00:00:00 2018 GMT
* expire date: Oct 9 12:00:00 2019 GMT
* subjectAltName: host "w4ipx30rt1.execute-api.us-east-1.amazonaws.com" matched cert's "*.execute-api.us-east-1.amazonaws.com"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
> GET /dev/ HTTP/1.1
> Host: w4ipx30rt1.execute-api.us-east-1.amazonaws.com
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: Server
< Date: Mon, 22 Apr 2019 19:54:52 GMT
< Content-Type: application/json
< Content-Length: 154
< Connection: keep-alive
< x-amzn-RequestId: 7e95530e-6538-11e9-afa4-df5f4a3d30a4
< x-amzn-ErrorType: AccessDeniedException
< x-amz-apigw-id: YjlR_Hn2IAMFZyg=
<
* Connection #0 to host w4ipx30rt1.execute-api.us-east-1.amazonaws.com left intact
**"Message":"User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:********9165:w4ipx30rt1/dev/GET/"[_ec2-user@ip-10-0-3-21 ~]****
以下是我的资源政策。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:region:us-east-1:*********:w4ipx30rt1/*",
"Condition": {
"StringEquals": {
"aws:SourceVpce": "vpce-**********"
}
}
}
]
}
谢谢 !