AWS API Gateway - private endpoint - message Forbidden

3
I am trying to set up a private AWS API Gateway and connect to it from my laptop. The laptop sits in a network that is connected to the private VPC via AWS Direct Connect. I am using the toy "PetStore" example API provided by AWS for this.
Following this guide, I:
- created an API Gateway service endpoint in my VPC (private DNS disabled)
- gave it a security group that allows all inbound traffic from the on-premises network (i.e. the network my laptop is in)
- created the API Gateway for the private API
- updated the resource policy
- deployed the API as stage V1
Assumptions:
- AWS account: 123456789012
- AWS region: eu-central-1
- API Gateway ID: abcdefghij
- API stage: V1
- VPC Endpoint domain: vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com
- VPC Endpoint IP: 10.10.10.10
To call my API, I run the following cURL command:
curl -v https://vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com/V1/pets -H 'Host: abcdefghij.execute-api.eu-central-1.amazonaws.com' --noproxy "*"

This is the result:

*   Trying 10.10.10.10...
* TCP_NODELAY set
* Connected to vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com (10.54.251.244) port 443 (#0)
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 240 bytes...
* schannel: sent initial handshake data: sent 240 bytes
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4000
* schannel: encrypted data buffer: offset 4000 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 5024 length 5024
* schannel: encrypted data length: 95
* schannel: encrypted data buffer: offset 95 length 5024
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 252
* schannel: encrypted data buffer: offset 347 length 5024
* schannel: sending next handshake data: sending 126 bytes...
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 51
* schannel: encrypted data buffer: offset 51 length 5024
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET /V1/pets HTTP/1.1
> Host: vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 364
* schannel: encrypted data buffer: offset 364 length 103424
* schannel: decrypted data length: 283
* schannel: decrypted data added: 283
* schannel: decrypted data cached: offset 283 length 102400
* schannel: encrypted data length: 52
* schannel: encrypted data cached: offset 52 length 103424
* schannel: decrypted data length: 23
* schannel: decrypted data added: 23
* schannel: decrypted data cached: offset 306 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 306 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 306
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 403 Forbidden
< Server: Server
< Date: Fri, 25 Oct 2019 11:32:01 GMT
< Content-Type: application/json
< Content-Length: 23
< Connection: keep-alive
< x-amzn-RequestId: a5aa9f76-4e3b-4315-838a-e859fa192ade
< x-amzn-ErrorType: ForbiddenException
< x-amz-apigw-id: jdsak!291kd
<
{"message":"Forbidden"}* Connection #0 to host vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com left intact
* Rebuilt URL to: abcdefghij.execute-api.eu-central-1.amazonaws.com'/
* Could not resolve host: abcdefghij.execute-api.eu-central-1.amazonaws.com'
* Closing connection 1
curl: (6) Could not resolve host: abcdefghij.execute-api.eu-central-1.amazonaws.com'

There is this {"message":"Forbidden"} response and I am not sure where it comes from. There is also the error Could not resolve host: abcdefghij.execute-api.eu-central-1.amazonaws.com

My question is: where does this problem originate?

Appendix

Resource policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*"
        }
    ]
}

Which method are you trying to use? GET? POST? Or PUT? - Amit Baranes
I am trying to use a GET request - mLC
Do you have any update? - Amit Baranes
No, we tried changing the resource policy and even moved it from the Direct Connect setup to pure AWS (EC2 in the VPC -> endpoint -> API), but the problem persists. - mLC
Try creating a new API Gateway without using the Pets template. If you need documentation, I have written it; contact me on LinkedIn. - Amit Baranes
3 Answers

1

I ran into a similar problem related to the resource policy. Try using the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:${AWS_REGION}:${AWS_ACCOUNT_ID}:${API_GETWAY_ID}/*/*/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpc": "${VPC_ENDPOINT_ID}"
                }
            }
        }
    ]
}

Also, make sure the VPC Endpoint ID includes your vpce:



The resource policy should probably use "Allow" with "StringEquals" rather than "StringNotEquals", since that one follows the "Deny" template; but good suggestion - I will try making the resource policy more explicit. - mLC
I am calling a private endpoint, so I am using the VPC endpoint domain: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-api-test-invoke-url.html - mLC
Let us continue this discussion in chat - Amit Baranes
1
Thanks @amit for the answer and guidance, somehow it started working = I just posted the answer :) - mLC
Glad I could help. - Amit Baranes

0

The earlier AWS API Gateway private API configuration documentation was a bit misleading; I have updated the documentation.

When you create a private API Gateway, there are two key fields to pay attention to:

  1. VPC Endpoint ID
  2. VPC ID

For the VPC endpoint configuration under "APIs -> Your API -> Settings":

Endpoint Configuration:
   VPC End Point ID:
       *Your VPC End Point ID (this is the VPC endpoint ID with the
        com.amazonaws.ap-southeast-1.execute-api permission)

Under "APIs -> Your API -> Resource Policy", configure the resource policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpc": "Change to your VPC ID"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*"
        }
    ]
}

1
This worked for me. But the updated policy does not take effect unless you redeploy the API. - Jim

0
In the end it was indeed related to the resource policy. After trying other approaches we went back to the earlier policy and somehow it started working (perhaps we forgot to deploy the API the first time).
Here is the policy that worked for us:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*"
        }
    ]
}

"Principal": "*" gives public access, so what should the principal be for private access? For example, it should be specific to the user session and based on a service account. - Vamsi
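Added example, not code from any of the posts above nor from AWS: a small offline evaluator that runs the two policy shapes in this thread (the Deny-unless-from-my-VPC policy of the second answer, and the unconditional Allow that the question and the last answer use) against constructed request contexts, so you can see what Principal "*" grants in each case. The ARN, account, region and API ID are the ones given in the question; "vpc-EXAMPLE" / "vpc-OTHER" are placeholders for real VPC IDs. It models only the IAM features these policies use (Effect, Principal "*", "*" wildcards, StringEquals / StringNotEquals on the aws:SourceVpc and aws:SourceVpce keys) and is not AWS's policy engine.

```python
"""Offline evaluator for the API Gateway resource policies posted in this thread.

Constructed example: this is NOT AWS's policy engine. It models only the
subset of IAM semantics the posted policies rely on (Effect Allow/Deny,
Principal "*", "*" wildcards in Action/Resource, and StringEquals /
StringNotEquals on the aws:SourceVpc / aws:SourceVpce condition keys).
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ctx_get(context, key):
    # IAM condition keys are case-insensitive, so match on lower-case.
    for k, v in context.items():
        if k.lower() == key.lower():
            return v
    return None


def _condition_holds(condition, context):
    # Every operator block and every key in it must hold (logical AND).
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = _ctx_get(context, key)
            expected = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: an absent key counts as "not equal", so the
                # condition holds. That is what makes the Deny below also catch
                # calls that do not arrive through any VPC at all.
                if actual is not None and actual in expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def _statement_applies(stmt, action, resource, context):
    actions = [a.lower() for a in _as_list(stmt["Action"])]
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policy, action, resource, context):
    """Return "Allow" or "Deny" for one request.

    An explicit Deny always wins; with no matching Allow the result is an
    implicit Deny. Principal is taken to be "*" as in every posted policy.
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def restricts_source(policy):
    """Audit check: does any statement condition on the caller's VPC or VPC
    endpoint? Without one, Principal "*" lets anyone who can reach the
    endpoint invoke the API (the concern raised in the last comment)."""
    keys = {"aws:sourcevpc", "aws:sourcevpce"}
    for stmt in policy["Statement"]:
        for pairs in stmt.get("Condition", {}).values():
            if any(k.lower() in keys for k in pairs):
                return True
    return False


# Values from the question; "vpc-EXAMPLE" is a placeholder for the real VPC ID.
API_ARN = "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij"
ACTION = "execute-api:Invoke"
RESOURCE = API_ARN + "/V1/GET/pets"  # execute-api ARN: api-id/stage/METHOD/path

# Deny-unless-from-my-VPC pattern from the second answer.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": ACTION,
         "Resource": API_ARN + "/*",
         "Condition": {"StringNotEquals": {"aws:sourceVpc": "vpc-EXAMPLE"}}},
        {"Effect": "Allow", "Principal": "*", "Action": ACTION,
         "Resource": API_ARN + "/*"},
    ],
}

# Unconditional allow from the question and the final answer.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": ACTION,
         "Resource": API_ARN + "/*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED_POLICY), ("open", OPEN_POLICY)):
        for label, ctx in (("from own VPC", {"aws:SourceVpc": "vpc-EXAMPLE"}),
                           ("from other VPC", {"aws:SourceVpc": "vpc-OTHER"}),
                           ("no VPC context", {})):
            print(f"{name:6} {label:16} -> {evaluate(policy, ACTION, RESOURCE, ctx)}")
        print(f"{name:6} restricts source? {restricts_source(policy)}")
```

Running it shows the difference the two answers are arguing about: the scoped policy allows only calls carrying the expected source VPC and denies everything else, including a request with no VPC context at all, while the open policy allows every caller that can reach the endpoint. Two points worth keeping in mind when adapting this: AWS exposes two distinct keys, aws:SourceVpc (a vpc- ID) and aws:SourceVpce (a vpce- ID), and a value of the wrong type never matches; and, as Jim's comment says, a changed resource policy only takes effect once the API is redeployed. Separately, the trace in the question shows curl sending "Host: vpce-1234567890...." and then "Rebuilt URL to: abcdefghij....'", which means the quoted Host header was parsed as a second URL rather than as a header on that (Windows, schannel) shell; double quotes avoid that.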

Content provided by Stack Overflow (translated from the English original).