如何在只允许特定角色访问AWS网关的同时拒绝公共访问?
我想拒绝对AWS网关的公共访问,并且只允许在调用带有特定角色的API时进行访问。在我的测试中,有两个网关,其中一个调用另一个:
Public Gateway -> Private Gateway我希望能够在浏览器中访问公共网关端点并接收一个2XX响应,当直接访问私有网关时,我应该会收到一个4XX响应。访问私有网关的唯一方法应该是通过公共网关(它通过每个端点代理私有网关)。
我尝试过好几种政策。所有这些都会导致公共网关错误日志显示如下:
User:匿名未被授权执行: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:********9012:abcd123456/dev/GET/products
该错误消息由公共网关接收,作为来自私有网关的响应。
以下是我尝试过的策略(分别):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*",
"Condition": {
"StringNotEquals": {
"aws:PrincipalArn": "arn:aws:iam::123456789012:role/test-apigateway-role"
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::123456789012:role/test-apigateway-role",
"arn:aws:iam::123456789012:root"
]
},
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*/*/*",
"Condition": {
"ArnNotEquals": {
"aws:PrincipalArn": "arn:aws:iam::123456789012:role/test-apigateway-role"
}
}
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*/*/*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*",
"Condition": {
"StringNotEquals": {
"aws:PrincipalArn": "arn:aws:iam::123456789012:role/test-apigateway-role"
}
}
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*/*/*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*",
"Condition": {
"StringNotEquals": {
"aws:PrincipalArn": "arn:aws:iam::123456789012:role/test-apigateway-role"
}
}
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*/*/*",
"Condition": {
"StringEquals": {
"aws:PrincipalArn": "arn:aws:iam::123456789012:role/test-apigateway-role"
}
}
}
]
}我已经重新部署了每次资源策略更改,并在测试前等待了一分钟。
该角色在公共网关的serverless.yml设置中分配:
service: test-gateway
provider:
name: aws
runtime: nodejs12.x
apiGateway:
shouldStartNameWithService: true
role: arn:aws:iam::123456789012:role/test-apigateway-role回答 1
Stack Overflow用户
发布于 2021-01-29 17:50:24
试试这个怎么样?
根据医生们,如果您的没有指定一个显式的Deny,然后提供一个特定的Allow,那么它应该可以工作。如果没有,继续分享你的成果,我很感兴趣。
Update:我删除了拒绝*部分,这意味着对于未在Allow语句中特定声明的请求,我们将得到一个隐式拒绝。这是根据会话策略(请参阅docs链接)
更新2:查看这个答案的评论,作者还提到-添加了authorizer: aws_iam到serverless.yml
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:role/test-apigateway-role"
]
},
"Action": "execute-api:Invoke",
"Resource": [
"arn:aws:execute-api:us-east-1:123456789012:abcd123456/*"
]
}
]
}https://stackoverflow.com/questions/65958741
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号