
I use OIDC between GitHub Actions and AWS to get temporary credentials. The role that is assumed has the following permissions.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "execute-api:Invoke"
                ],
                "Resource": [
                    "arn:aws:execute-api:us-west-2:accountid:apiid/*"
                ]
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "apigateway:GET"
                ],
                "Resource": "arn:aws:apigateway:us-west-2::/apis/apiid"
            }
        ]
    }

The error that I get while logging the request in API Gateway is the following:

    {
        "requestId": "fsdfd",
        "ip": "my_ip",
        "requestTime": "my_time",
        "httpMethod": "GET",
        "routeKey": "GET /api-path",
        "status": "403",
        "protocol": "HTTP/1.1",
        "responseLength": "23",
        "responseerror": "Forbidden",
        "error": "Forbidden",
        "accountid": "-",
        "properties": "-",
        "responsetype": "ACCESS_DENIED",
        "integration_error": "-"
    }

I am not getting a specific error to be able to debug.

The API Gateway URL works without the IAM authorizer. I have also used the policy simulator to check whether the role that is assumed through OIDC has permission to access the API Gateway resource, and it comes back as "allowed", so I'm not sure where the 403 Forbidden error comes from.

Note: I call API Gateway from the GitHub Action using SigV4 over the temporary credentials.

John Rotenstein
Geevis
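Added example (not the asker's code, and not an AWS library): a minimal SigV4 signer for an `execute-api` invocation using temporary credentials, so the request the IAM authorizer actually checks can be inspected. The invoke URL, the `prod` stage, the `limit=5` query parameter, the credential values and the session token are all constructed placeholders; the environment variable names are the ones the `aws-actions/configure-aws-credentials` step exports after the OIDC role assumption. The point it shows is that, with temporary credentials, the session token has to be sent as `X-Amz-Security-Token` and has to be listed in `SignedHeaders`, and that the credential scope must name the API's region and the service `execute-api`.

```python
"""Added example, not the asker's code: sign a GET to an IAM-authorized
API Gateway route with SigV4 using temporary credentials.

Assumptions (not from the question): the invoke URL, stage and query
parameter below are hypothetical, the credential values are constructed
placeholders, and real credentials come from AWS_ACCESS_KEY_ID /
AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN, the variables the
aws-actions/configure-aws-credentials step exports.
"""
import datetime as dt
import hashlib
import hmac
import os
import urllib.error
import urllib.parse
import urllib.request

SERVICE = "execute-api"  # invocations are signed for execute-api, not for apigateway


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """Derive the SigV4 signing key for one day / region / service."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def sigv4_headers(method, url, region, access_key, secret_key,
                  session_token=None, payload=b"", now=None):
    """Return the headers that turn `method url` into an IAM-authorized request.

    With temporary credentials the session token must be sent as
    X-Amz-Security-Token and be part of SignedHeaders; omitting it is one of
    the ways to get a bare 403 Forbidden from the IAM authorizer.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    parts = urllib.parse.urlsplit(url)

    # Canonical URI and query string (plain ASCII paths only; segments with
    # reserved characters would need double URI-encoding for execute-api).
    canonical_uri = urllib.parse.quote(parts.path or "/", safe="/~")
    query = sorted(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in query)

    # Headers covered by the signature, lowercase and sorted by name.
    to_sign = {"host": parts.netloc, "x-amz-date": amz_date}
    if session_token:
        to_sign["x-amz-security-token"] = session_token
    names = sorted(to_sign)
    canonical_headers = "".join(f"{n}:{to_sign[n].strip()}\n" for n in names)
    signed_headers = ";".join(names)
    payload_hash = hashlib.sha256(payload).hexdigest()

    canonical_request = "\n".join([method.upper(), canonical_uri, canonical_query,
                                   canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers = {
        "Host": parts.netloc,
        "X-Amz-Date": amz_date,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }
    if session_token:
        headers["X-Amz-Security-Token"] = session_token
    return headers


# Constructed, deterministic inputs for inspection (AWS documentation example key id).
FIXED_TIME = dt.datetime(2024, 1, 15, 12, 0, 0, tzinfo=dt.timezone.utc)
DEMO_URL = "https://apiid.execute-api.us-west-2.amazonaws.com/prod/api-path?limit=5"


def demo_headers(with_token: bool) -> dict:
    """Sign the hypothetical URL with constructed credentials at a fixed time."""
    return sigv4_headers("GET", DEMO_URL, "us-west-2", "AKIAIOSFODNN7EXAMPLE",
                         "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                         "FwoGZXIvYXdzEXAMPLESESSIONTOKEN" if with_token else None,
                         now=FIXED_TIME)


def invoke(url, region):
    """Send a signed GET using the credentials the workflow step exported."""
    headers = sigv4_headers("GET", url, region,
                            os.environ["AWS_ACCESS_KEY_ID"],
                            os.environ["AWS_SECRET_ACCESS_KEY"],
                            os.environ.get("AWS_SESSION_TOKEN"))
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()  # API Gateway's 403 body carries the reason it gives, if any


if __name__ == "__main__":
    print(invoke(DEMO_URL.split("?")[0], "us-west-2"))
```

The IAM authorizer returns the same generic 403 whether the policy denies the call or the signature does not verify, and the policy simulator only exercises the first half. Things to compare against the headers this produces: the region in the credential scope must be the API's region, the service must be `execute-api`, the session token must be both sent and signed, and the signing host's clock must be within the allowed skew of AWS's. The `apigateway:GET` statement in the role is for the API Gateway management API and plays no part in invoking a route.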

0 Answers