
Let's say something like this is being returned.
User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:********1234:2885zecrwj/dev/POST/ with an explicit deny
I got this when attempting to submit a POST request to one of my API Gateways using cURL.
curl --request POST --url https://2885zecrwj.execute-api.us-east-1.amazonaws.com/dev
Notice the error message mentions "with an explicit deny". My API Gateway had the following Resource Based Permission Policy, which had an Allow statement followed by a Deny statement. The error message was being returned because of the Deny statement. Notice in this example that the Deny statement includes a Condition, so the Deny statement is applied if the request is NOT coming from Virtual Private Cloud (VPC) vpc-0a9d4cb29e2748444.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": [
        "execute-api:/*"
      ]
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": [
        "execute-api:/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-0a9d4cb29e2748444"
        }
      }
    }
  ]
}
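To make the Allow/Deny interaction in this policy concrete, here is a simplified evaluator run against three constructed request contexts. It is an added example, not code from the original article or from AWS. The function names and request contexts are hypothetical, and only the StringNotEquals operator is modelled; Principal and Resource matching are left out.

```python
# Simplified model of resource policy evaluation: any matching Deny wins over
# any matching Allow. Principal and Resource matching are not modelled here.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": ["execute-api:/*"]},
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": ["execute-api:/*"],
         "Condition": {"StringNotEquals":
                       {"aws:SourceVpc": "vpc-0a9d4cb29e2748444"}}},
    ],
}

def condition_matches(condition, context):
    """Return True when every condition key in the statement is satisfied."""
    for operator, pairs in condition.items():
        if operator != "StringNotEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            allowed = expected if isinstance(expected, list) else [expected]
            # A negated operator also matches when the key is absent from the
            # request context, as it is for a call that did not come via a VPC.
            if context.get(key) in allowed:
                return False
    return True

def evaluate(policy, action, context):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if stmt["Action"] != action or not condition_matches(
                stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # statement order does not matter
        decision = "Allow"
    return decision

# Constructed request contexts (hypothetical, for illustration only).
from_internet = {}  # no aws:SourceVpc key at all
from_listed_vpc = {"aws:SourceVpc": "vpc-0a9d4cb29e2748444"}
from_other_vpc = {"aws:SourceVpc": "vpc-00000000000000000"}

if __name__ == "__main__":
    for ctx in (from_internet, from_listed_vpc, from_other_vpc):
        print(ctx, "->", evaluate(POLICY, "execute-api:Invoke", ctx))
```

Only the context carrying the listed VPC ID reaches the Allow statement; the other two match the Deny condition, which overrides the Allow.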
For this particular scenario, this came down to the fact that I wasn't passing in my Access Key and Secret Key in the request, so I was unauthenticated, which is why the response says "user anonymous is not authorized to perform". Once I provided my Access Key and Secret Key in the request, I no longer got this error.
curl \
--request POST \
--header 'Content-Type: application/json' \
--user <access key>:<secret key> \
--url https://2885zecrwj.execute-api.us-east-1.amazonaws.com/dev