User: anonymous is not authorized to perform: execute-api:Invoke on resource



I am trying to follow "API Gateway resource policies" using this documentation: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-authorization-flow.html#apigateway-authorization-flow-resource-policy-only

When I try to access a protected route with an authorization signature, the response I get reads as if API Gateway thinks the request was made by an anonymous user rather than by a user with credentials.

I have a public API Gateway deployment with the following resource policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:*:*:*/api/GET/server"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account-id>:user/api-auth"
      },
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:*:*:*/api/POST/server"
    }
  ]
}

What I did not expect is that when I try to access the POST route with the api-auth user's access/secret key and an aws4_request authentication signature, I get:

User: anonymous is not authorized to perform: execute-api:Invoke on resource:

>>> import boto3
>>> import requests
>>> from requests_aws4auth import AWS4Auth
>>> 
>>> auth = AWS4Auth("<access-key>", "<secret-key>", "us-east-1", "execute-api")
>>> response = requests.request("POST", "https://<endpoint>.execute-api.us-east-1.amazonaws.com/api/server", auth=auth, data='', headers={})
>>> print(response.text)
{"Message":"User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:<account-id>:<endpoint>/api/POST/server"}

The user has the following policy

{
  "Effect": "Allow",
  "Action": "execute-api:Invoke",
  "Resource": "*"
}

From what I can tell from the troubleshooting documentation, I should have this configured correctly: https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-troubleshoot-403-forbidden/

Edit 1

My example uses requests_aws4auth, which should create the correct headers. As another example, the code below generated from Postman results in the same problem:

curl --location --request POST '<endpoint>.execute-api.us-east-1.amazonaws.com/api/server' \
  --header 'X-Amz-Content-Sha256: <data>' \
  --header 'X-Amz-Date: <date-data>' \
  --header 'Authorization: AWS4-HMAC-SHA256 Credential=<access-key>/<date>/us-east-1/execute-api/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=<signature>' \
  --header 'Content-Type: application/json' \
  --data-raw '<request>"}'

For what it is worth…

  1. Accessing the GET route without an Authorization header works fine.

  2. When I try to access the POST route without an Authorization signature, I receive the same "User: anonymous" message.

For a resource policy that allows access to specific methods, you need to set the "Authorization" setting under "Method Execution" to "AWS_IAM".
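As an added example (not code from the original question or answer), the script below applies the answer's point to the policy posted in the question: a statement whose Principal is an IAM identity can only ever match a caller whose SigV4 signature the gateway actually evaluated, and with the method's authorization type set to NONE the header is ignored and the caller is "anonymous". The audit parses each execute-api resource ARN, checks the method's authorization type against it, and builds the `update_method` patch that switches the method to AWS_IAM. It assumes a constructed account id, a constructed `METHOD_AUTH` map standing in for what `get_method` returns per method, and that resource ARNs use no wildcard in the stage/method/path part; `apply_fix` takes the boto3 `apigateway` client as a parameter so the module runs offline.

```python
import re

# Copy of the resource policy from the question (the account id is a
# constructed placeholder, as in the original post).
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:*:*:*/api/GET/server",
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/api-auth"},
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:*:*:*/api/POST/server",
        },
    ],
}

# Constructed stand-in for the authorizationType each get_method() call would
# return, keyed by (stage, HTTP method, resource path).  Both methods are still
# NONE, which is the state that yields "User: anonymous".
METHOD_AUTH = {
    ("api", "GET", "/server"): "NONE",
    ("api", "POST", "/server"): "NONE",
}

# arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>
ARN_RE = re.compile(
    r"^arn:aws:execute-api:(?P<region>[^:]*):(?P<account>[^:]*):"
    r"(?P<api>[^/:]*)/(?P<stage>[^/]*)/(?P<method>[^/]*)(?P<path>/.*)?$"
)


def parse_execute_api_arn(arn):
    """Split an execute-api ARN into (stage, method, path).  Wildcards are
    returned literally rather than expanded (a simplification)."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an execute-api ARN: {arn}")
    return m.group("stage"), m.group("method"), m.group("path") or "/"


def iam_principal_statements(policy):
    """Yield Allow statements whose principal is a specific AWS identity.
    Only a SigV4-signed caller can match these; 'Principal': '*' statements
    are the ones an anonymous caller can satisfy."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        aws = principal.get("AWS")
        if aws and aws != "*":
            yield stmt


def find_misconfigured_methods(policy, method_auth):
    """Return the (stage, method, path) keys that the resource policy grants
    to an IAM principal but whose method authorization is not AWS_IAM.  With
    authorization NONE the gateway never evaluates the Authorization header,
    so the caller is anonymous and the IAM-principal statement cannot match,
    which is exactly the error in the question."""
    bad = []
    for stmt in iam_principal_statements(policy):
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            key = parse_execute_api_arn(arn)
            if method_auth.get(key) != "AWS_IAM":
                bad.append(key)
    return bad


def update_method_patch(rest_api_id, resource_id, http_method):
    """Keyword arguments for apigateway.update_method() that switch the
    method's authorization to AWS_IAM (the same change as the console's
    'Method Execution' -> 'Authorization' setting)."""
    return {
        "restApiId": rest_api_id,
        "resourceId": resource_id,
        "httpMethod": http_method,
        "patchOperations": [
            {"op": "replace", "path": "/authorizationType", "value": "AWS_IAM"}
        ],
    }


def apply_fix(client, rest_api_id, resource_id, http_method, stage):
    """Apply the patch through a boto3 'apigateway' client, redeploy the stage
    (a method change is not live until the stage is redeployed) and return the
    authorization type the API now reports.  The client is a parameter so the
    function can be exercised with a stub instead of a live account."""
    client.update_method(**update_method_patch(rest_api_id, resource_id, http_method))
    client.create_deployment(restApiId=rest_api_id, stageName=stage)
    method = client.get_method(restApiId=rest_api_id, resourceId=resource_id,
                               httpMethod=http_method)
    return method["authorizationType"]


if __name__ == "__main__":
    for stage, method, path in find_misconfigured_methods(RESOURCE_POLICY, METHOD_AUTH):
        print(f"{method} {path} in stage {stage}: resource policy names an IAM "
              f"principal but method authorization is not AWS_IAM")
```

Against a real API, `boto3.client("apigateway").get_rest_api(restApiId=...)["policy"]` holds the resource policy as an escaped JSON string, `get_resources` gives the short resource ids that `update_method` needs, and `get_method` reports each method's `authorizationType`. Once the POST method is AWS_IAM, the gateway evaluates the signature and the `api-auth` principal in the resource policy can match; the IAM user still also needs its own `execute-api:Invoke` permission, which the question already grants.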
