When using AWS API Gateway with a Lambda authorizer, you may get a 403 Forbidden status code with the error message "User is not authorized to access this resource".
The IAM policy returned by the authorizer looks like below (principalId is the principal user identification associated with the token sent by the client):
{
  "principalId": "<yourprincipalid>",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Allow",
        "Resource": "arn:aws:execute-api:{regionId}:{accountId}:{apiId}/{stage}/{httpVerb}/[{resource}/[{child-resources}]]"
      }
    ]
  }
}
The error typically appears when the authorizer returns a policy whose Resource is the exact methodArn of the first request: API Gateway caches that policy for the caller's identity source (the authorizer TTL), so the next call to a different method or stage is evaluated against a Resource that does not match, and is denied.
One solution is to set the Resource to * directly, but this is not very safe, because we do not want to allow every resource.
The better solution is to allow everything after the {apiId}, like below. Note that {apiId}/*/* covers every stage and every method of the API; if the policy should only cover the stage that was invoked, use {apiId}/{stage}/* instead.
{
  "principalId": "<yourprincipalid>",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Allow",
        "Resource": "arn:aws:execute-api:{regionId}:{accountId}:{apiId}/*/*"
      }
    ]
  }
}
So you only need to add a few lines of code to your custom Lambda authorizer function, like below, to build the wildcard Resource from the incoming method ARN:
# Construct a wildcard "Resource" variable from event["methodArn"]
tmp = event["methodArn"].split(':')  # ['arn', 'aws', 'execute-api', regionId, accountId, '{apiId}/{stage}/{httpVerb}/{resource}']
apiGatewayArnTmp = tmp[5].split('/')  # ['{apiId}', '{stage}', '{httpVerb}', ...]
resource = ':'.join(tmp[:5]) + ':' + apiGatewayArnTmp[0] + '/*/*'
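The following is an added example and not code from the original post: a complete TOKEN authorizer handler that derives the policy Resource from event["methodArn"] (with a choice between the {apiId}/*/* and {apiId}/{stage}/* forms), together with a small matcher that evaluates a returned policy against a later method ARN the way API Gateway does once the policy is cached, so you can see why the per-method Resource produces the 403 on the next route. The verify_token helper, the token values and the sample ARNs are constructed for illustration and are not part of the original.

```python
"""Added example (not from the original post): Lambda authorizer that builds a
wildcard Resource from event["methodArn"], plus a matcher that reproduces the
"User is not authorized to access this resource" denial for a per-method policy.
verify_token, the tokens and the ARNs below are constructed for illustration."""
import fnmatch


def build_resource(method_arn, scope="api"):
    """Build the policy Resource ARN from the invoked method ARN.

    method_arn has the form
      arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{verb}/{path}
    scope="api"    -> ...:{apiId}/*/*        all stages and methods of this API
    scope="stage"  -> ...:{apiId}/{stage}/*  all methods of the invoked stage
    scope="method" -> the method ARN unchanged (the form that triggers the 403)
    """
    parts = method_arn.split(":", 5)  # at most 5 splits: the path may contain ':'
    if len(parts) != 6:
        raise ValueError("not an execute-api method ARN: %r" % method_arn)
    prefix = ":".join(parts[:5])  # arn:aws:execute-api:{region}:{account}
    api_id, stage = parts[5].split("/")[:2]  # [{apiId}, {stage}, {verb}, path...]
    if scope == "api":
        return f"{prefix}:{api_id}/*/*"
    if scope == "stage":
        return f"{prefix}:{api_id}/{stage}/*"
    return method_arn


def generate_policy(principal_id, effect, resource):
    """Policy document in the shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
            ],
        },
    }


# Hypothetical token check (constructed); replace with real JWT/opaque-token validation.
_VALID_TOKENS = {"Bearer good-token": "user-42"}


def verify_token(token):
    return _VALID_TOKENS.get(token)


def handler(event, context=None, scope="api"):
    """Lambda entry point for a TOKEN authorizer."""
    principal = verify_token(event.get("authorizationToken", ""))
    if principal is None:
        # API Gateway maps this exact message to a 401 Unauthorized response
        raise Exception("Unauthorized")
    return generate_policy(principal, "Allow", build_resource(event["methodArn"], scope))


def policy_allows(policy, method_arn):
    """Approximate how API Gateway evaluates a (cached) authorizer policy against
    the invoked method ARN: a matching Deny wins, otherwise a matching Allow is
    required. IAM's '*' matches across '/', which fnmatch also does."""
    allowed = False
    for stmt in policy["policyDocument"]["Statement"]:
        res = stmt["Resource"]
        patterns = res if isinstance(res, list) else [res]
        if any(fnmatch.fnmatchcase(method_arn, p) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed sample: first call hits GET /users, the cached policy is then
    # reused for POST /orders on the same stage.
    first_call = {
        "type": "TOKEN",
        "authorizationToken": "Bearer good-token",
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/dev/GET/users",
    }
    second_arn = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/dev/POST/orders"
    per_method = handler(first_call, scope="method")
    wildcard = handler(first_call, scope="api")
    print("per-method policy allows 2nd call:", policy_allows(per_method, second_arn))
    print("wildcard policy allows 2nd call:  ", policy_allows(wildcard, second_arn))
```

Running the block prints False for the per-method policy and True for the wildcard one; the scope="stage" form allows the second call too but still denies a request to another stage of the same API.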
References:
Original: https://www.cnblogs.com/grandyang/p/16392058.html
Author: Grandyang
Title: [AWS] Solve Error: User is not authorized to access this resource
Original articles are protected by copyright. Please credit the source when reposting: https://www.johngo689.com/545359/
Reposted articles are protected by the original author's copyright. Please credit the original author when reposting!