AWS IAM用户凭证始终以匿名身份进行身份验证

huangapple go评论66阅读模式
英文:

AWS IAM user credential always authenticated as anonymous

问题

我正在创建一个简单的API网关,并尝试应用其身份验证。我创建了一个IAM用户(名为postman-user),并创建了它的凭证(作为AccessKeyId和SecretAccessKey)。

我的IAM用户策略如下所示:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "execute-api:*",
            "Resource": "*"
        }
    ]
}

在我的API网关中,我应用了以下资源策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<my account id>:root",
                    "arn:aws:iam::<my account id>:user/postman-user"
                ]
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-west-2:<my account id>:<my api g id>/*"
        }
    ]
}

我在Postman中应用了AccessKeyId和SecretAccessKey:
查看图像描述

然后问题出现了。无论我如何使用此IAM用户的AWS凭证调用API端点,我始终收到以下错误:

User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:******

我以为是Postman未能签署此AWS SigV4,然后我在Python中尝试了这个:

url = 'https://<apig id>.execute-api.us-west-2.amazonaws.com/beta/query/'

auth = AWSRequestsAuth(aws_access_key='<my key id>',
                        aws_secret_access_key='<my secret key>',
                        aws_host='ec2.amazonaws.com',
                        aws_region='us-west-2',
                        aws_service='api')

response = requests.get(url, auth=auth)

这个错误对我来说一直存在:

User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:******

有人能告诉我我错过了什么吗?我在资源中点击了100次部署API到beta阶段...

尝试了Python,尝试了Postman,什么都不起作用。

英文:

I am creating a simple API Gateway and trying to apply its auth. I created an IAM user (called postman-user) and created its credential (as AccessKeyId and SecretAccessKey).

My IAM User policy is like this:

{
    &quot;Version&quot;: &quot;2012-10-17&quot;,
    &quot;Statement&quot;: [
        {
            &quot;Sid&quot;: &quot;VisualEditor0&quot;,
            &quot;Effect&quot;: &quot;Allow&quot;,
            &quot;Action&quot;: &quot;execute-api:*&quot;,
            &quot;Resource&quot;: &quot;*&quot;
        }
    ]
}

and in my api gateway I applied the resource policy as below:

{
    &quot;Version&quot;: &quot;2012-10-17&quot;,
    &quot;Statement&quot;: [
        {
            &quot;Effect&quot;: &quot;Allow&quot;,
            &quot;Principal&quot;: {
                &quot;AWS&quot;: [
                    &quot;arn:aws:iam::&lt;my account id&gt;:root&quot;,
                    &quot;arn:aws:iam::&lt;my account id&gt;:user/postman-user&quot;
                ]
            },
            &quot;Action&quot;: &quot;execute-api:Invoke&quot;,
            &quot;Resource&quot;: &quot;arn:aws:execute-api:us-west-2:&lt;my account id&gt;:&lt;my api g id&gt;/*&quot;
        }
    ]
}

I applied the key id and secret key id in postman:
enter image description here

then the problem comes. no matter how I call the api endpoint using aws credential of this IAM user, I always got this error:

User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:******

I thought it was postman failed to sign this AWS sigV4, then I tried this in python:

url = &#39;https://&lt;apig id&gt;.execute-api.us-west-2.amazonaws.com/beta/query/&#39;

auth = AWSRequestsAuth( aws_access_key=&#39;&lt;my key id&gt;&#39;,
                        aws_secret_access_key=&#39;&lt;my  secret key&gt;&#39;,
                        aws_host=&#39;ec2.amazonaws.com&#39;,
                        aws_region=&#39;us-west-2&#39;,
                        aws_service=&#39;api&#39;)

response = requests.get(url, auth=auth)

This error is just forever for me


User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:******

Anyone can tell me what I missed ? I clicked on deployAPI in resource to stage beta 100 times ...

tried python, tried postman, nothing works

答案1

得分: 1

这是一个API网关配置问题:

Resources -> 单击方法 -> 方法请求 -> 授权:曾经是"None",更改为"AWS IAM" 才使其工作。

英文:

This is an API Gateway config issue:

Resources -> click on the method -> Method Request -> Authorization: it used to be None, changing to to AWS IAM made this work.

答案2

得分: 0

看起来在 API 平面上似乎有一些东西丢失。可能是您尚未正确配置所尝试使用的 HTTP 方法上的 IAM 鉴权。也可能是资源策略未附加到 API 网关。请注意,如果策略已更新并重新附加,您需要重新部署 API 网关。

链接:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-create-attach.html

英文:

it sounds like there is something missing on the api plane. It may be the you havent configured IAM auth right on the http method you try to use. I may also be that the resource policy is not attached to the api gateway. Note if the policy is updated and reattached you need to redeploy the api gateway.

Link:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-create-attach.html

huangapple
  • 本文由 发表于 2023年2月18日 16:24:39
  • 转载请务必保留本文链接:https://go.coder-hub.com/75492090.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定