Bootstrap FreeKB - Amazon Web Services (AWS) - Resolve "User is not authorized to perform on resource with an explicit deny"


Let's say something like this is being returned.

User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:********1234:2885zecrwj/dev/POST/ with an explicit deny


I got this when attempting to submit a POST request to one of my API Gateways using cURL.

curl --request POST --url https://2885zecrwj.execute-api.us-east-1.amazonaws.com/dev


Notice that the error message ends with "with an explicit deny". My API Gateway had the following Resource Based Permission Policy, which has an Allow statement followed by a Deny statement, so the error was being returned because of the Deny statement. Notice in this example that the Deny statement includes a Condition: the Deny applies whenever the request is NOT coming from Virtual Private Cloud (VPC) vpc-0a9d4cb29e2748444.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "execute-api:/*"
            ]
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "execute-api:/*"
            ],
            "Condition" : {
                "StringNotEquals": {
                   "aws:SourceVpc": "vpc-0a9d4cb29e2748444"
                }
            }
        }
    ]
}
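To see why the policy above produces an explicit deny for a request arriving from the public internet, here is a small simplified evaluator (added example, not code from the original article or from AWS). It models just the two rules this case depends on: an explicit Deny overrides any Allow, and a StringNotEquals condition matches when the request context has no aws:SourceVpc at all. The request contexts at the bottom are constructed; Principal "*" is assumed to match every caller, so authentication is not modelled.

```python
import fnmatch

# The page's resource policy, reproduced so the block runs stand-alone.
POLICY = {
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": ["execute-api:/*"]},
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": ["execute-api:/*"],
         "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-0a9d4cb29e2748444"}}},
    ]
}

def _condition_holds(condition, context):
    """Only the two string operators are modelled; enough for this policy."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)  # None when the request lacks the key
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False  # a missing key (None) never equals, so the Deny still matches
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"operator {operator} not modelled")
    return True

def evaluate(policy, action, resource, context):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny'. Principal '*' is assumed,
    so anonymous and authenticated callers are treated alike here."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny overrides any Allow
        decision = "Allow"
    return decision

if __name__ == "__main__":
    # Constructed request contexts: a public-internet caller carries no aws:SourceVpc.
    print(evaluate(POLICY, "execute-api:Invoke", "execute-api:/dev/POST/", {}))
    print(evaluate(POLICY, "execute-api:Invoke", "execute-api:/dev/POST/",
                   {"aws:SourceVpc": "vpc-0a9d4cb29e2748444"}))
```

The first call returns ExplicitDeny and the second Allow; a request from any other VPC is also explicitly denied.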


For this particular scenario, it came down to the fact that I wasn't passing my Access Key and Secret Key in the request, so I was unauthenticated, which is why the response says "User: anonymous is not authorized to perform". Once I provided my Access Key and Secret Key in the request, I no longer got this error.

curl \
--request POST \
--header 'Content-Type: application/json' \
--user <access key>:<secret key> \
--url https://2885zecrwj.execute-api.us-east-1.amazonaws.com/dev
