{"id":53,"date":"2022-10-14T08:59:01","date_gmt":"2022-10-14T06:59:01","guid":{"rendered":"https:\/\/gerardvandenbosch.nl\/?p=53"},"modified":"2022-11-08T07:54:06","modified_gmt":"2022-11-08T06:54:06","slug":"sam-cli-restrict-api-gateway-access","status":"publish","type":"post","link":"https:\/\/gerardvandenbosch.nl\/?p=53","title":{"rendered":"SAM CLI restrict API Gateway access"},"content":{"rendered":"\n

When deploying a Serverless with SAM CLI, normally SAM CLI will create an API Gateway instance automatically.<\/p>\n\n\n\n

API Gateway has three modes PRIVATE<\/code> , REGIONAL<\/code> or EDGE<\/code>. In a PRIVATE<\/code> configuration the API gateway is restricted<\/strong> to a IAM resource<\/strong> or a VPC<\/strong>, this article handles a public API gateway<\/strong> which can be REGIONAL<\/code> or EDGE<\/code>.<\/p>\n\n\n\n

The goal is to restrict a public API Gateway access to a certain IP address.<\/p>\n\n\n\n\n\n\n\n

Normally this can be done manually through the Resource Policy tab under the API Gateway, the policy would look as following:<\/p>\n\n\n\n

{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Principal\": \"*\",\n            \"Action\": \"execute-api:Invoke\",\n            \"Resource\": \"arn:aws:execute-api:[REGION]:[ACCOUNT_ID]:[GATEWAY_ID]\/*\/*\/*\"\n        },\n        {\n            \"Effect\": \"Deny\",\n            \"Principal\": \"*\",\n            \"Action\": \"execute-api:Invoke\",\n            \"Resource\": \"arn:aws:execute-api:[REGION]:[ACCOUNT_ID]:[GATEWAY_ID]\/*\/*\/*\",\n            \"Condition\": {\n                \"NotIpAddress\": {\n                    \"aws:SourceIp\": \"[IP_ADDRESS]\"\n                }\n            }\n        }\n    ]\n}<\/code><\/pre>\n\n\n\n
In the example the following items need to be replaced to make it work:<\/p>\n\n\n\n
  • [REGION] – replace this with desired AWS region.<\/li>
  • [ACCOUNT_ID] – replace this with your AWS account id.<\/li>
  • [GATEWAY_ID] – replace with the generated API Gateway id.<\/li>
  • [IP_ADDRESS] – replace with the IP address to restrict access.<\/li><\/ul>\n\n\n\n
    This works great however the downside is that it is a manual procedure, however it is possible in SAM CLI to automate this.<\/p>\n\n\n\n
    The first step is instead of letting SAM CLI generating the API Gateway to define it ourselves in template.yaml<\/code> as following and define the Resource Policy:<\/p>\n\n\n\n
    Resources:\n  TestApi:\n    Type: AWS::Serverless::Api\n    Properties:\n      StageName: Test\n      EndpointConfiguration: EDGE\n      Auth:\n        ResourcePolicy:\n          CustomStatements: [ \n            {\n              Effect: 'Allow',\n              Action: 'execute-api:Invoke', \n              Resource: ['execute-api:\/*\/*\/*'],\n              Principal: '*' \n            },\n            {\n              Effect: 'Deny',\n              Action: 'execute-api:Invoke', \n              Resource: ['execute-api:\/*\/*\/*'],\n              Principal: '*',\n              Condition: {\n                NotIpAddress: {\n                  aws:SourceIp: \"[IP_ADDRESS]\"\n                }\n              }\n            }\n         ]\n<\/code><\/pre>\n\n\n\n
    In this example replace [IP_ADDRESS] with the IP address to restrict access.<\/p>\n\n\n\n
    Because the API Gateway is self defined now, for all functions leveraging on API Gateway we need to define the API Gateway instance in the property of the event.<\/p>\n\n\n\n
    Events:\n  HelloWorld:\n    Type: Api \n    Properties:\n      RestApiId:\n        Ref: TestApi\n      Path: \/helloworld\n      Method: get<\/code><\/pre>\n\n\n\n
    Each function needs the ref<\/code> set to TestApi<\/code> to configure them with the self defined API Gateway.<\/p>\n\n\n\n
    After deploying the new structure the API Gateway will be created as defined including the defined Resource Policy.<\/p>\n","protected":false},"excerpt":{"rendered":"
    When deploying a Serverless with SAM CLI, normally SAM CLI will create an API Gateway instance automatically. API Gateway has three modes PRIVATE , REGIONAL or EDGE. In a PRIVATE configuration the API gateway is restricted to a IAM resource or a VPC, this article handles a public API gateway which can be REGIONAL or […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[7,15,6],"class_list":["post-53","post","type-post","status-publish","format-standard","hentry","category-aws","tag-aws","tag-samcli","tag-serverless","post-preview"],"_links":{"self":[{"href":"https:\/\/gerardvandenbosch.nl\/index.php?rest_route=\/wp\/v2\/posts\/53","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gerardvandenbosch.nl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gerardvandenbosch.nl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gerardvandenbosch.nl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/gerardvandenbosch.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=53"}],"version-history":[{"count":5,"href":"https:\/\/gerardvandenbosch.nl\/index.php?rest_route=\/wp\/v2\/posts\/53\/revisions"}],"predecessor-version":[{"id":59,"href":"https:\/\/gerardvandenbosch.nl\/index.php?rest_route=\/wp\/v2\/posts\/53\/revisions\/59"}],"wp:attachment":[{"href":"https:\/\/gerardvandenbosch.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=53"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gerardvandenbosch.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=53"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gerardvandenbosch.nl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=53"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}