
I have a Private API in Amazon API Gateway that I want to be consumed from another account, by a Lambda function with VPC support. I modified the API ResourcePolicy to allow private API traffic based on source VPC, as specified here in the last example. This is how my ResourcePolicy looks:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:my-region:my-account:api-id/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpce": "my-vpce"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:my-region:my-account:api-id/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpc": "my-vpc-from-another-account"
                }
            }
        }
    ]
}

Now, when I try to consume the API using the https://my-api-id.execute-api.us-west-2.amazonaws.com/my-stage/ endpoint, I get a getaddrinfo ENOTFOUND error. Is this the appropriate way to expose a private API so that it is accessible from a VPC in another account?

Reza Mousavi
user2534830
    I don't believe that you can configure cross-account access. You'd probably need VPC peering (within region only, and limited to certain instance types afaik). – jarmod Sep 17 '18 at 13:19
  • @jarmod From the documentation (https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies.html): _specified virtual private clouds (VPCs) or VPC endpoints (in any account)_. That makes me think that it is achievable, but I can't find any example. – user2534830 Sep 17 '18 at 13:39
  • OK, did you try allowing access to the VPC endpoint in the other account (rather than the VPC in the other account)? – jarmod Sep 17 '18 at 13:56

2 Answers


I asked the AWS team, and the answer was that you can specify the source VPC, but only if it is in the same account.

user2534830

aws:SourceVpc and aws:VpcSourceIp correspond to the VPC in which the VPC Endpoint resides, not, as "source" would suggest, the VPC from which the request originates.

At least, I can confirm that's true when the traffic is routed over Transit Gateway; I haven't tested this with VPC Peering.

When your VPC Endpoint resides in a different VPC than the VPC the request is coming from, you cannot use aws:SourceVpc or aws:VpcSourceIp to restrict access based on the request origin.

If you have a requirement to restrict access to only allow requests that originate from a particular VPC, there's really only one solid option, and that's to create a VPC Endpoint in the request origin VPC, and use aws:SourceVpc in the resource policy.

I have confirmed this with AWS Support, and have passed on feedback that the documentation is in need of some improvement on this point.

direvus
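The following is an added example, not code from the question or from either answer. It models how the API Gateway resource policy sees a request that arrives through an execute-api interface endpoint, using the documented IAM evaluation rules (condition-key names are case-insensitive, an explicit Deny overrides any Allow, no matching Allow means Deny). All VPC, endpoint and account identifiers are constructed; only the StringEquals and StringNotEquals operators are modelled because they are the ones in play here. The `request_context` helper encodes the point made in the second answer: aws:SourceVpce and aws:SourceVpc describe the endpoint that terminated the connection, so a caller reaching a hub-account endpoint over Transit Gateway presents the hub VPC, and a statement keyed on the caller's own VPC never matches until an endpoint exists in that VPC. The third policy shows the Allow-then-Deny pattern from the API Gateway documentation, which pins the API to a list of endpoint IDs regardless of which account owns them.

```python
"""How API Gateway resource-policy conditions see a request that arrives through
an execute-api interface VPC endpoint.

Added example, not code from the question or the answers. The evaluator follows
the documented IAM rules: condition-key names are case-insensitive, an explicit
Deny overrides any Allow, and no matching Allow means Deny. Only StringEquals
and StringNotEquals are implemented because those are the operators used here.
"""
import re
from typing import Any, Dict

# Constructed identifiers; none of these are real resources.
API_ARN = "arn:aws:execute-api:us-west-2:111111111111:abc123def/*"
INVOKE_RES = "arn:aws:execute-api:us-west-2:111111111111:abc123def/prod/GET/orders"
ACTION = "execute-api:Invoke"
HUB_VPC, HUB_VPCE = "vpc-0aaaaaaaaaaaaaaaa", "vpce-0aaaaaaaaaaaaaaa1"      # API owner's VPC
SPOKE_VPC, SPOKE_VPCE = "vpc-0bbbbbbbbbbbbbbbb", "vpce-0bbbbbbbbbbbbbbb2"  # caller's VPC, other account


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _resource_matches(pattern: str, resource: str) -> bool:
    # Policy "Resource" wildcards: "*" matches any run of characters, "?" exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, resource) is not None


def _conditions_hold(cond: Dict[str, Dict[str, Any]], ctx: Dict[str, str]) -> bool:
    ctx_ci = {k.lower(): v for k, v in ctx.items()}   # condition keys are case-insensitive
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            actual = ctx_ci.get(key.lower())
            if op == "StringEquals":
                if actual is None or actual not in _as_list(wanted):
                    return False
            elif op == "StringNotEquals":
                # Negated operators also match when the key is absent from the request.
                if actual is not None and actual in _as_list(wanted):
                    return False
            else:
                raise ValueError(f"operator not modelled: {op}")
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: Dict[str, str]) -> str:
    """Return "Allow" or "Deny" for one request against one resource policy."""
    allowed = False
    for st in policy["Statement"]:
        if action not in _as_list(st["Action"]):
            continue
        if not any(_resource_matches(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # explicit Deny wins immediately
        allowed = True
    return "Allow" if allowed else "Deny"


def request_context(vpce_id: str, vpc_id: str, ip: str) -> Dict[str, str]:
    # API Gateway fills these keys from the endpoint that terminated the connection, so a
    # caller reaching a hub-VPC endpoint over TGW or peering presents the hub VPC, not its own.
    return {"aws:SourceVpce": vpce_id, "aws:SourceVpc": vpc_id, "aws:VpcSourceIp": ip}


def allow(cond_key: str, value: str) -> dict:
    return {"Effect": "Allow", "Principal": "*", "Action": ACTION, "Resource": API_ARN,
            "Condition": {"StringEquals": {cond_key: value}}}


# The two-statement policy from the question (hub endpoint by ID, spoke VPC by ID).
QUESTION_POLICY = {"Version": "2012-10-17",
                   "Statement": [allow("aws:SourceVpce", HUB_VPCE), allow("aws:SourceVpc", SPOKE_VPC)]}
# Keying on the caller's VPC alone, which is what the asker wanted to express.
SPOKE_VPC_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [allow("aws:SourceVpc", SPOKE_VPC)]}
# Documented pattern: allow everyone, then deny anything not arriving via an endpoint you list.
PINNED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ACTION, "Resource": API_ARN},
    {"Effect": "Deny", "Principal": "*", "Action": ACTION, "Resource": API_ARN,
     "Condition": {"StringNotEquals": {"aws:SourceVpce": [HUB_VPCE, SPOKE_VPCE]}}}]}

VIA_HUB_ENDPOINT = request_context(HUB_VPCE, HUB_VPC, "10.1.0.25")        # spoke Lambda routed via hub
VIA_SPOKE_ENDPOINT = request_context(SPOKE_VPCE, SPOKE_VPC, "10.2.0.25")  # endpoint created in spoke VPC
VIA_UNKNOWN_ENDPOINT = request_context("vpce-0ccccccccccccccc3", "vpc-0cccccccccccccccc", "10.3.0.9")

if __name__ == "__main__":
    policies = [("question", QUESTION_POLICY), ("spoke-vpc-only", SPOKE_VPC_ONLY_POLICY), ("pinned", PINNED_POLICY)]
    contexts = [("via hub vpce", VIA_HUB_ENDPOINT), ("via spoke vpce", VIA_SPOKE_ENDPOINT),
                ("via unknown vpce", VIA_UNKNOWN_ENDPOINT)]
    for pname, pol in policies:
        for cname, ctx in contexts:
            print(f"{pname:15} {cname:17} -> {evaluate(pol, ACTION, INVOKE_RES, ctx)}")
```

Running it shows the asker's policy allowing the routed request only because the first statement matches the hub endpoint; the spoke-VPC statement is dead until an endpoint is created in the spoke VPC, at which point the same statement allows traffic and nothing else has to change. The pinned policy denies a request from any endpoint not on the list even when the caller is in the API owner's own account, which is the behaviour to prefer when the API must not be reachable from arbitrary endpoints.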