Whitelist private API GW api to be accessible from a VPC from another account
Problem description
I have a Private API in Amazon API Gateway that I want to be consumed from another account, by a lambda with VPC support. I modified the API ResourcePolicy to allow private API traffic based on source VPC as specified here, in the last example. This is what my ResourcePolicy looks like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:my-region:my-account:api-id/*",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "my-vpce"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:my-region:my-account:api-id/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": "my-vpc-from-another-account"
        }
      }
    }
  ]
}
Now, when I try to consume the API using the https://my-api-id.execute-api.us-west-2.amazonaws.com/my-stage/ endpoint, I get a getaddrinfo ENOTFOUND error. Is this the appropriate way to expose a private API to be accessible from a VPC from another account?
Recommended answer
aws:SourceVpc and aws:VpcSourceIp correspond to the VPC in which the VPC Endpoint resides, not, as "source" would suggest, the VPC from which the request originates.
At least, I can confirm that's true when the traffic is routed over Transit Gateway; I haven't tested this with VPC Peering.
When your VPC Endpoint resides in a different VPC than the VPC the request is coming from, you cannot use aws:SourceVpc or aws:VpcSourceIp to restrict access based on the request origin.
If you have a requirement to restrict access to only allow requests that originate from a particular VPC, there's really only one solid option, and that's to create a VPC Endpoint in the request origin VPC, and use aws:SourceVpc in the resource policy.
I have confirmed this with AWS Support, and have passed on feedback that the documentation is in need of some improvement on this point.
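The following toy evaluator is an added illustration of the answer's point, not code from the question, the answer or AWS: it fills the aws:SourceVpc / aws:sourceVpce condition keys from the VPC endpoint the request traverses rather than from the originating VPC, and evaluates the asker's second statement in both the original layout (endpoint only in the API owner's VPC) and the recommended one (endpoint created in the consumer's VPC). All VPC and endpoint IDs are constructed placeholders, and the evaluator ignores explicit Deny statements, which a real policy evaluation would apply first.

```python
"""Toy API Gateway resource-policy condition check (added example, constructed IDs)."""

# The asker's second statement: allow only requests whose SourceVpc is the consumer's VPC.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:my-region:my-account:api-id/*",
            "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-consumer"}},
        }
    ],
}


def request_context(origin_vpc: str, endpoint_vpce: str, endpoint_vpc: str) -> dict:
    """Build the condition context as API Gateway sees it.

    Per the answer, aws:SourceVpc is the VPC the *endpoint* lives in, so the VPC
    the request originated in never reaches the condition keys at all.
    """
    return {
        "aws:sourcevpce": endpoint_vpce,
        "aws:sourcevpc": endpoint_vpc,
        "_origin_vpc": origin_vpc,  # kept for the reader; never consulted below
    }


def statement_matches(stmt: dict, ctx: dict) -> bool:
    """StringEquals on every key; IAM condition keys are case-insensitive."""
    conds = stmt.get("Condition", {}).get("StringEquals", {})
    return all(ctx.get(key.lower()) == value for key, value in conds.items())


def is_allowed(policy: dict, ctx: dict) -> bool:
    """Private APIs deny by default; any matching Allow grants access (no Deny modelled)."""
    return any(s["Effect"] == "Allow" and statement_matches(s, ctx) for s in policy["Statement"])


# Layout from the question: the only endpoint sits in the API owner's VPC and the
# consumer's Lambda reaches it over Transit Gateway / peering.
VIA_OWNER_ENDPOINT = request_context("vpc-consumer", "vpce-owner", "vpc-owner")

# Layout from the answer: an endpoint is created inside the consumer's own VPC.
VIA_CONSUMER_ENDPOINT = request_context("vpc-consumer", "vpce-consumer", "vpc-consumer")
```

Running is_allowed over both contexts shows the asker's statement never matching in the first layout and matching in the second, even though the request originated in vpc-consumer both times.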