How can I deny public access to an AWS API gateway while allowing access by only a specific role?
Question
I would like to deny public access to an AWS API Gateway and only allow access when the API is invoked with a specific role. In my test there are two gateways, and one calls the other:
Public Gateway -> Private Gateway
I want to be able to visit Public Gateway endpoints in a browser and receive a 2XX response, and when visiting the Private Gateway directly I should receive a 4XX response. The only way to access the Private Gateway should be via the Public Gateway (which proxies to the Private Gateway with each endpoint).
I've tried several policies. All of these always result in the Public Gateway error logs showing the following:
User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:********9012:abcd123456/dev/GET/products
That error message is received by the Public Gateway as a response from the Private Gateway.
Here are policies I've tried (separately):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/test-apigateway-role"
        }
      }
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::123456789012:role/test-apigateway-role",
          "arn:aws:iam::123456789012:root"
        ]
      },
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*"
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*/*/*",
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/test-apigateway-role"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*/*/*"
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/test-apigateway-role"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*/*/*"
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/test-apigateway-role"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*/*/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/test-apigateway-role"
        }
      }
    }
  ]
}
I've redeployed with each Resource Policy change and waited one minute before testing.
The role is assigned in the Public Gateway's serverless.yml settings:
service: test-gateway
provider:
  name: aws
  runtime: nodejs12.x
  apiGateway:
    shouldStartNameWithService: true
  role: arn:aws:iam::123456789012:role/test-apigateway-role
Accepted answer
How about trying this?
According to the docs, if you don't specify an explicit Deny, and then provide a specific Allow, it should work. If it doesn't, keep sharing your outputs, I'm intrigued.
Update: I removed the Deny * part; this means we'll get an implicit deny for requests that are not specifically declared in an Allow statement. This is according to session policies (see the docs link).
Update 2: Check this answer's comments; the author also mentioned adding authorizer: aws_iam to serverless.yml.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:role/test-apigateway-role"
        ]
      },
      "Action": "execute-api:Invoke",
      "Resource": [
        "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*"
      ]
    }
  ]
}