I'm trying to allow only specific IP addresses to access my API Gateway REST API without success.
I configured the following resource policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:eu-west-1:my-account-id:rest-api-id/*/*/*",
      "Condition": {
        "IpAddress": {
          "aws.SourceIp": "MY.IP.MY.IP/32"
        }
      }
    }
  ]
}
But when I send a request using Postman I receive 403 Forbidden.
If I set "aws.SourceIp": "0.0.0.0/0" I receive 403 as well.
If I remove the condition from the policy then it works (I don't receive 403), so I guess something is wrong with the IpAddress condition.
I have a C# lambda function integrated with the REST API where I log the SourceIp
to CloudWatch using the following code:
context.Logger.LogInformation($"SourceIp: {request.RequestContext.Identity.SourceIp}");
It logs the following:
2022-07-01T06:38:32.634Z 0dc80274-bbbb-494c-ba73-541f053ba5a2 info SourceIp: MY.IP.MY.IP
What am I missing? How do I write the policy properly?
CodePudding user response:
I changed "aws.SourceIp" to "aws:SourceIp" and the problem was solved. Sorry for the typo.
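The failure mode in the question and answer above is worth seeing mechanically: a condition key that is not spelled "prefix:Name" (here "aws.SourceIp" instead of "aws:SourceIp") never resolves against the request context, so the IpAddress condition never matches, the Allow statement never applies, and the request falls through to the implicit deny, which is why even "0.0.0.0/0" still produced 403. The following is an added example, not code from the question or the answer: a small policy linter plus a minimal evaluator that models explicit deny > allow > implicit deny for the IpAddress and NotIpAddress operators. It is an illustration of the evaluation logic, not AWS's own evaluator; the account id, API id, IP addresses and the fix_condition_keys helper are made up for the demo.

```python
import copy
import ipaddress
import re

# Constructed sample: the policy from the question with the typo kept on purpose
# (account id, API id and IP address are placeholders, not real values).
POLICY_WITH_TYPO = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-west-1:123456789012:abc123/*/*/*",
            "Condition": {"IpAddress": {"aws.SourceIp": "203.0.113.10/32"}},
        }
    ],
}

# Condition keys have the form "<prefix>:<Name>" (aws:SourceIp, aws:VpcSourceIp, ...).
# Anything else, such as "aws.SourceIp", cannot resolve against the request context.
CONDITION_KEY_RE = re.compile(r"^[A-Za-z0-9]+:[A-Za-z0-9/_\-]+$")


def lint_condition_keys(policy):
    """Return (statement_index, key) for every condition key not shaped prefix:Name."""
    bad = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        for _operator, keys in stmt.get("Condition", {}).items():
            for key in keys:
                if not CONDITION_KEY_RE.match(key):
                    bad.append((i, key))
    return bad


def fix_condition_keys(policy):
    """Hypothetical helper: copy the policy, rewriting 'prefix.Name' keys to 'prefix:Name'."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        for operator, keys in list(stmt.get("Condition", {}).items()):
            stmt["Condition"][operator] = {
                (k if CONDITION_KEY_RE.match(k) else k.replace(".", ":", 1)): v
                for k, v in keys.items()
            }
    return fixed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value):
    """Action/ARN matching: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def _ip_condition(operator, keys, ctx):
    """Evaluate IpAddress / NotIpAddress against the request context.

    Model used here (an assumption about evaluator semantics, not a quote of AWS
    docs): a key absent from the context never matches, so IpAddress fails and
    the negated NotIpAddress passes. A misspelt key is simply an absent key.
    """
    for key, cidrs in keys.items():
        if key in ctx:
            addr = ipaddress.ip_address(ctx[key])
            matched = any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))
        else:
            matched = False
        if operator == "IpAddress" and not matched:
            return False
        if operator == "NotIpAddress" and matched:
            return False
    return True


def evaluate(policy, action, resource, source_ip):
    """Minimal evaluator: an explicit Deny wins, else any matching Allow, else implicit deny."""
    ctx = {"aws:SourceIp": source_ip}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        conditions_hold = True
        for operator, keys in stmt.get("Condition", {}).items():
            if operator not in ("IpAddress", "NotIpAddress"):
                raise ValueError(f"operator {operator} not modelled in this example")
            if not _ip_condition(operator, keys, ctx):
                conditions_hold = False
                break
        if not conditions_hold:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    request = ("execute-api:Invoke",
               "arn:aws:execute-api:eu-west-1:123456789012:abc123/prod/GET/orders")
    print("lint:", lint_condition_keys(POLICY_WITH_TYPO))
    print("typo policy, listed IP :", evaluate(POLICY_WITH_TYPO, *request, "203.0.113.10"))
    fixed = fix_condition_keys(POLICY_WITH_TYPO)
    print("fixed policy, listed IP:", evaluate(fixed, *request, "203.0.113.10"))
    print("fixed policy, other IP :", evaluate(fixed, *request, "198.51.100.7"))
```

Two practical caveats once the key is spelled correctly: aws:SourceIp is the public address API Gateway sees, so a request arriving through CloudFront or another proxy carries that proxy's address rather than the client's, and a request arriving through a VPC endpoint (a private API) is matched with aws:VpcSourceIp instead. The SourceIp logged from the Lambda request context, as in the question, is a good way to confirm what address the policy is actually being evaluated against.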