在 AWS 中调用私有 API 时出错

在 AWS 中调用私有 API 时出错

我已经在 AWS API 网关中创建了一个私有 API,使用内部应用程序 LoadBalancer 作为 GET 方法的 HTTP_PROXY 集成请求。

我还将资源策略附加到此 API,并为子网创建接口端点 (VPC 端点)。当我从 API 网关测试接口测试此策略时,我收到以下错误消息。

******************************
Execution log for request 67ebbdbf-6537-11e9-898f-39f8c1447e67
Mon Apr 22 19:47:05 UTC 2019 : Starting execution for request: 67ebbdbf-6537-11e9-898f-39f8c1447e67
Mon Apr 22 19:47:05 UTC 2019 : HTTP Method: GET, Resource Path: /
Mon Apr 22 19:47:05 UTC 2019 : Method request path: {}
Mon Apr 22 19:47:05 UTC 2019 : Method request query string: {}
Mon Apr 22 19:47:05 UTC 2019 : Method request headers: {}
Mon Apr 22 19:47:05 UTC 2019 : Method request body before transformations: 
Mon Apr 22 19:47:05 UTC 2019 : Execution failed due to configuration error: Invalid endpoint address
Mon Apr 22 19:47:05 UTC 2019 : Method completed with status: 500
**************************************************************

但是,当我从私有子网中的 EC2 实例测试此策略时,我收到了略有不同的错误消息。

我在 AWS API 网关中创建了一个私有 API,使用内部应用程序负载均衡器作为 HTTP_PROXY 集成,并将资源策略附加到它。我还为子网创建了接口端点(VPC 端点)。当我从 API 网关测试接口测试此策略时,出现以下错误消息。

 [ec2-user@ip-10-0-3-21 ~]$ curl -vvvv https://w4ipx30rt1.execute-api.us-east-1.amazonaws.com/dev/
*   Trying 10.0.3.157...
* TCP_NODELAY set
* Connected to w4ipx30rt1.execute-api.us-east-1.amazonaws.com (10.0.3.157) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.execute-api.us-east-1.amazonaws.com
*  start date: Oct  9 00:00:00 2018 GMT
*  expire date: Oct  9 12:00:00 2019 GMT
*  subjectAltName: host "w4ipx30rt1.execute-api.us-east-1.amazonaws.com" matched cert's "*.execute-api.us-east-1.amazonaws.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
> GET /dev/ HTTP/1.1
> Host: w4ipx30rt1.execute-api.us-east-1.amazonaws.com
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: Server
< Date: Mon, 22 Apr 2019 19:54:52 GMT
< Content-Type: application/json
< Content-Length: 154
< Connection: keep-alive
< x-amzn-RequestId: 7e95530e-6538-11e9-afa4-df5f4a3d30a4
< x-amzn-ErrorType: AccessDeniedException
< x-amz-apigw-id: YjlR_Hn2IAMFZyg=
<
* Connection #0 to host w4ipx30rt1.execute-api.us-east-1.amazonaws.com left intact
**"Message":"User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:********9165:w4ipx30rt1/dev/GET/"[_ec2-user@ip-10-0-3-21 ~]****

以下是我的资源政策。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:region:us-east-1:*********:w4ipx30rt1/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpce": "vpce-**********"
                }
            }
        }
    ]
}

谢谢 !

相关内容