Question:

AWS API Gateway - private endpoint - Forbidden message

萧渝
2023-03-14

I am trying to set up a private AWS API Gateway and connect to it from a laptop. The laptop sits on a network that is directly connected to the private VPC. For this I am using the toy "PetStore" example API provided by AWS.

Following this guide:

  • Created an API Gateway service endpoint for my VPC (private DNS disabled)

Assumptions:

  • AWS account: 123456789012

To call the API I run the following cURL command:

curl -v https://vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com/V1/pets -H 'Host: abcdefghij.execute-api.eu-central-1.amazonaws.com' --noproxy "*"

This is the result:

*   Trying 10.10.10.10...
* TCP_NODELAY set
* Connected to vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com (10.54.251.244) port 443 (#0)
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 240 bytes...
* schannel: sent initial handshake data: sent 240 bytes
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4000
* schannel: encrypted data buffer: offset 4000 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 5024 length 5024
* schannel: encrypted data length: 95
* schannel: encrypted data buffer: offset 95 length 5024
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 252
* schannel: encrypted data buffer: offset 347 length 5024
* schannel: sending next handshake data: sending 126 bytes...
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 2/3)
* schannel: encrypted data got 51
* schannel: encrypted data buffer: offset 51 length 5024
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET /V1/pets HTTP/1.1
> Host: vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 364
* schannel: encrypted data buffer: offset 364 length 103424
* schannel: decrypted data length: 283
* schannel: decrypted data added: 283
* schannel: decrypted data cached: offset 283 length 102400
* schannel: encrypted data length: 52
* schannel: encrypted data cached: offset 52 length 103424
* schannel: decrypted data length: 23
* schannel: decrypted data added: 23
* schannel: decrypted data cached: offset 306 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 306 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 306
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 403 Forbidden
< Server: Server
< Date: Fri, 25 Oct 2019 11:32:01 GMT
< Content-Type: application/json
< Content-Length: 23
< Connection: keep-alive
< x-amzn-RequestId: a5aa9f76-4e3b-4315-838a-e859fa192ade
< x-amzn-ErrorType: ForbiddenException
< x-amz-apigw-id: jdsak!291kd
<
{"message":"Forbidden"}* Connection #0 to host vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com left intact
* Rebuilt URL to: abcdefghij.execute-api.eu-central-1.amazonaws.com'/
* Could not resolve host: abcdefghij.execute-api.eu-central-1.amazonaws.com'
* Closing connection 1
curl: (6) Could not resolve host: abcdefghij.execute-api.eu-central-1.amazonaws.com'

There is a {"message":"Forbidden"} in there and I am not sure where it comes from. There is also the error Could not resolve host: abcdefghij.execute-api.eu-central-1.amazonaws.com

So my question is: where does this come from?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*"
        }
    ]
}
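Two things in the transcript above can be checked mechanically before touching the resource policy: the `Host:` line that curl actually sent is the vpce hostname, not the API hostname passed with -H, and the `Could not resolve host` error carries a trailing `'`, which means the quote character reached curl and the header argument was split into a second URL. The script below is an added example, not part of the original question; it parses a curl -v transcript (a constructed excerpt modelled on the one above, using the question's placeholder hostnames) and reports both conditions together with the 403 error type. The expected API hostname and the finding codes are assumptions of the example.

```python
import re

# Constructed excerpt of a curl -v transcript, modelled on the one in the
# question (hostnames, ids and request id are the question's placeholders).
SAMPLE_TRANSCRIPT = """\
* Connected to vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com (10.54.251.244) port 443 (#0)
> GET /V1/pets HTTP/1.1
> Host: vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Content-Type: application/json
< x-amzn-RequestId: a5aa9f76-4e3b-4315-838a-e859fa192ade
< x-amzn-ErrorType: ForbiddenException
<
{"message":"Forbidden"}* Connection #0 to host vpce-1234567890.execute-api.eu-central-1.vpce.amazonaws.com left intact
* Rebuilt URL to: abcdefghij.execute-api.eu-central-1.amazonaws.com'/
* Could not resolve host: abcdefghij.execute-api.eu-central-1.amazonaws.com'
curl: (6) Could not resolve host: abcdefghij.execute-api.eu-central-1.amazonaws.com'
"""

# The Host value the caller meant to send (the API's own hostname from the question).
EXPECTED_HOST = "abcdefghij.execute-api.eu-central-1.amazonaws.com"


def parse_transcript(text):
    """Collect the request headers curl sent, the response status and headers,
    and any hostnames curl reported it could not resolve."""
    parsed = {"sent": {}, "recv": {}, "status": None, "unresolved": []}
    for line in text.splitlines():
        if line.startswith("< HTTP/"):
            parsed["status"] = int(line.split()[2])  # "< HTTP/1.1 403 Forbidden"
        elif line[:2] in ("> ", "< ") and ":" in line:
            name, _, value = line[2:].partition(":")
            bucket = "sent" if line[0] == ">" else "recv"
            parsed[bucket][name.strip().lower()] = value.strip()
        else:
            m = re.search(r"Could not resolve host: (\S+)", line)
            if m and m.group(1) not in parsed["unresolved"]:
                parsed["unresolved"].append(m.group(1))
    return parsed


def diagnose(parsed, expected_host=EXPECTED_HOST):
    """Return findings as (code, message) pairs, most actionable first."""
    findings = []
    sent_host = parsed["sent"].get("host")
    if sent_host != expected_host:
        findings.append(("host-header",
                         f"curl sent Host: {sent_host!r}, expected {expected_host!r}; "
                         "API Gateway uses Host to select the private API behind the endpoint"))
    for name in parsed["unresolved"]:
        if name[-1] in "'\"":
            findings.append(("shell-quoting",
                             f"curl tried a second URL {name!r} ending in a quote character; "
                             "the -H argument was split by the shell, so the header was never sent"))
    if parsed["status"] == 403:
        err = parsed["recv"].get("x-amzn-errortype", "unknown")
        findings.append(("forbidden",
                         f"403 {err}: check the API's resource policy and that the stage is deployed"))
    return findings


if __name__ == "__main__":
    for code, message in diagnose(parse_transcript(SAMPLE_TRANSCRIPT)):
        print(f"[{code}] {message}")
```

Run it against your own `curl -v` output (redirect stderr into a file and read that file into `parse_transcript`); a transcript in which the sent Host matches the API hostname and no stray URL is attempted yields only the `forbidden` finding, which is when the resource policy becomes the thing to look at.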

3 answers

阎英朗
2023-03-14

The previous AWS API Gateway private API configuration documentation was somewhat misleading; I pushed for an update of the docs.

When creating a private API Gateway, there are two key fields to pay attention to:

  1. VPC endpoint ID

Used in the VPC endpoint configuration under the API -

Endpoint Configuration:
   VPC End Point ID:
       *Your VPC End Point ID (This is the VPC End point ID with
        com.amazonaws.ap-southeast-1.execute-api permission)

Under the API -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpc": "Change to your VPC ID"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*"
        }
    ]
}

闾丘霖
2023-03-14

In the end it was indeed related to the resource policy. After some other attempts we went back to the previous policy and somehow it started working (maybe we forgot to deploy the API the first time).

This is the policy that worked for us:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*"
        }
    ]
}

彭硕
2023-03-14

I have run into a similar problem related to the resource policy. Try the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:${AWS_REGION}:${AWS_ACCOUNT_ID}:${API_GATEWAY_ID}/*/*/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpc": "${VPC_ENDPOINT_ID}"
                }
            }
        }
    ]
}

Also, make sure the VPC endpoint ID includes your vpce:
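The policies in the first and third answers both try to limit who can invoke the API by where the request comes from. The script below is an added example, not code from the question or from any of the answers. It is a deliberately small model of IAM evaluation (an explicit Deny beats any Allow, and no matching Allow is an implicit deny; only Principal "*" and the StringEquals/StringNotEquals operators are supported) and uses it to show what the Deny-unless-from-here plus Allow pair from the first answer does for requests from the configured VPC, from another VPC, and with no VPC context at all, next to the unconditional Allow from the question. It also builds the same pair keyed on aws:sourceVpce, because an endpoint id such as vpce-... is carried by that key while aws:sourceVpc carries the VPC id. The VPC and endpoint ids are constructed placeholders; the account and API ids are the question's.

```python
import fnmatch
import json

# Account and API id are the question's placeholders; the VPC and endpoint ids are constructed.
API_ARN = "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/*"
MY_VPC = "vpc-0123456789abcdef0"
MY_VPCE = "vpce-1234567890"
INVOKE = "execute-api:Invoke"
PETS = "arn:aws:execute-api:eu-central-1:123456789012:abcdefghij/v1/GET/pets"


def restrict_to(condition_key, value, resource=API_ARN):
    """Build the Deny-unless-from-here / Allow pair shown in the first answer,
    parameterised on the condition key (aws:sourceVpc or aws:sourceVpce)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Deny", "Principal": "*", "Action": INVOKE, "Resource": resource,
             "Condition": {"StringNotEquals": {condition_key: value}}},
            {"Effect": "Allow", "Principal": "*", "Action": INVOKE, "Resource": resource},
        ],
    }


# The unconditional Allow from the question.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": INVOKE, "Resource": API_ARN}],
}


def _matches(pattern, value):
    # IAM Action/Resource matching supports the '*' and '?' wildcards.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, ctx):
    """Evaluate the two operators used on this page. A context key that is
    absent compares as 'not equal', as it does in IAM."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())  # condition key names are case-insensitive
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def evaluate(policy, action, resource, request_ctx):
    """Simplified IAM evaluation: explicit Deny wins, otherwise a matching
    Allow is required, otherwise implicit deny. Only Principal "*" is modelled."""
    ctx = {k.lower(): v for k, v in request_ctx.items()}
    allowed = False
    for stmt in policy["Statement"]:
        if stmt.get("Principal") != "*":
            raise ValueError("only Principal '*' is modelled here")
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # explicit deny ends evaluation
        allowed = True
    return "allow" if allowed else "deny"


def demo():
    """Verdicts for the policy variants on this page against sample request contexts."""
    by_vpc = restrict_to("aws:sourceVpc", MY_VPC)
    by_vpce = restrict_to("aws:sourceVpce", MY_VPCE)
    return {
        "open_no_context": evaluate(OPEN_POLICY, INVOKE, PETS, {}),
        "vpc_own": evaluate(by_vpc, INVOKE, PETS, {"aws:sourceVpc": MY_VPC}),
        "vpc_other": evaluate(by_vpc, INVOKE, PETS, {"aws:sourceVpc": "vpc-ffffffffffffffff0"}),
        "vpc_no_context": evaluate(by_vpc, INVOKE, PETS, {}),
        "vpce_own": evaluate(by_vpce, INVOKE, PETS, {"aws:sourceVpce": MY_VPCE}),
        "vpce_other": evaluate(by_vpce, INVOKE, PETS, {"aws:sourceVpce": "vpce-0000000000"}),
    }


if __name__ == "__main__":
    print(json.dumps(restrict_to("aws:sourceVpce", MY_VPCE), indent=4))
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of carrying the condition on the Deny rather than on the Allow is visible in the `vpc_no_context` case: a request that arrives without the expected context key is denied, so the restriction fails closed. The model is intentionally narrow; it does not handle principal ARNs, NotAction/NotResource, or the other condition operators, and is meant for reasoning about the pattern, not for validating production policies.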
