
I'm trying to allow only specific IP addresses to access my API Gateway REST API without success.

I configured the following resource policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-west-1:my-account-id:rest-api-id/*/*/*",
            "Condition": {
                "IpAddress": {
                    "aws.SourceIp": "MY.IP.MY.IP/32"
                }
            }
        }
    ]
}

But when I send a request using Postman I receive 403 forbidden.

If I set "aws.SourceIp": "0.0.0.0/0" I receive 403 as well.

If I remove the condition from the policy then it works (I don't receive 403), so I guess something is wrong with the IpAddress condition.

I have a C# Lambda function integrated with the REST API where I log the SourceIp to CloudWatch using the following code:

context.Logger.LogInformation($"SourceIp: {request.RequestContext.Identity.SourceIp}");

It logs the following:

2022-07-01T06:38:32.634Z 0dc80274-bbbb-494c-ba73-541f053ba5a2 info SourceIp: MY.IP.MY.IP

What am I missing? How do I write the policy properly?

Jesús López

1 Answer


I changed "aws.SourceIp" to "aws:SourceIp" and problem solved. Sorry for the typo.

Jesús López
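The symptom in the question (403 even with 0.0.0.0/0) follows from how IAM evaluates conditions: a key such as aws.SourceIp that AWS does not recognise is never present in the request context, so an IpAddress condition on it never matches, the Allow statement never applies, and execute-api returns 403 whatever CIDR is listed. The following Python script is an added example, not code from the original post or from AWS; it is a toy evaluator for the IpAddress/NotIpAddress condition operators that lints the policy for unknown condition keys and shows the broken and corrected policies side by side. The IP 203.0.113.10 and the KNOWN_CONDITION_KEYS set are constructed for the example; the real key catalogue is much larger.

```python
import ipaddress
import json

# Constructed test policy: the statement from the question with the mistyped
# condition key "aws.SourceIp" and a documentation-range IP standing in for MY.IP.
BROKEN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "execute-api:Invoke",
    "Resource": "arn:aws:execute-api:eu-west-1:my-account-id:rest-api-id/*/*/*",
    "Condition": {"IpAddress": {"aws.SourceIp": "203.0.113.10/32"}}
  }]
}
""")

# The corrected policy: same statement with the real global condition key.
FIXED_POLICY = json.loads(
    json.dumps(BROKEN_POLICY).replace("aws.SourceIp", "aws:SourceIp")
)

# Condition keys this toy evaluator knows (assumption: a tiny subset of AWS's
# global keys, compared case-insensitively as IAM does).
KNOWN_CONDITION_KEYS = {"aws:sourceip", "aws:vpcsourceip"}


def with_source_cidr(policy, cidr):
    """Return a copy of the policy whose single IP condition value is replaced."""
    copy = json.loads(json.dumps(policy))
    for stmt in copy["Statement"]:
        for pairs in stmt.get("Condition", {}).values():
            for key in pairs:
                pairs[key] = cidr
    return copy


def lint_condition_keys(policy):
    """List condition keys that are not recognised, e.g. typos like aws.SourceIp."""
    unknown = []
    for stmt in policy["Statement"]:
        for pairs in stmt.get("Condition", {}).values():
            for key in pairs:
                if key.lower() not in KNOWN_CONDITION_KEYS:
                    unknown.append(key)
    return unknown


def _ip_in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    if isinstance(cidrs, str):
        cidrs = [cidrs]
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def condition_matches(condition, request_context):
    """Evaluate IpAddress/NotIpAddress conditions against a request context.

    Mirrors IAM's rule for missing keys: a positive operator on a key absent
    from the request context is false; a negated operator on an absent key is true.
    """
    ctx = {k.lower(): v for k, v in request_context.items()}
    for operator, pairs in condition.items():
        for key, cidrs in pairs.items():
            present = key.lower() in ctx
            if operator == "IpAddress":
                if not present or not _ip_in_any(ctx[key.lower()], cidrs):
                    return False
            elif operator == "NotIpAddress":
                if present and _ip_in_any(ctx[key.lower()], cidrs):
                    return False
            else:
                raise ValueError(f"operator not supported by this toy: {operator}")
    return True


def policy_allows(policy, source_ip):
    """Decide execute-api:Invoke for a caller IP: explicit Deny wins, else any Allow."""
    request_context = {"aws:SourceIp": source_ip}  # what API Gateway populates
    allowed = False
    for stmt in policy["Statement"]:
        if not condition_matches(stmt.get("Condition", {}), request_context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print("unknown keys in broken policy:", lint_condition_keys(BROKEN_POLICY))
    for name, pol in [("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)]:
        print(name, "203.0.113.10 ->", policy_allows(pol, "203.0.113.10"))
        print(name, "198.51.100.7 ->", policy_allows(pol, "198.51.100.7"))
    print("broken with 0.0.0.0/0 ->",
          policy_allows(with_source_cidr(BROKEN_POLICY, "0.0.0.0/0"), "203.0.113.10"))
```

Running the linter before deploying a resource policy catches the mistyped key immediately, and the evaluator reproduces both observations from the question: with the bad key no CIDR, not even 0.0.0.0/0, ever grants access, while the corrected key allows the listed /32 and nothing else.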