Creating AWS API Gateway with PRIVATE endpointType requires ResourcePolicy

gomesp · July 3, 2020, 8:01am

I am trying to deploy an API Gateway for a serverless function with a private endpoint type. When I try to deploy the API I get the following message:

An error occurred: ApiGatewayDeployment… - Private REST API doesn’t have a resource policy attached to it (Service: AmazonApiGateway; Status Code: 400; Error Code: BadRequestException; Request ID: …).

I am using the documentation found in the serverless docs. It doesn’t mention anything about having to create a resource policy. The VPC endpoint itself has a very permissive policy.

Should the example below work? Do I need a resource policy as well or should the framework add it for me as it generates the CF stack?

VPC endpoint policy:

{
"Statement": [
    {
        "Action": "*",
        "Effect": "Allow",
        "Resource": "*",
        "Principal": "*"
    }
]
}

Serverless.yml file:

service:
    name: helloworld-api

provider:
    name: aws
    runtime: nodejs12.x
    region: ap-southeast-2
    stage: ${opt:stage, 'dev'}
    endpointType: PRIVATE
    vpcEndpointIds:
      - ${env:VPC_ENDPOINT_ID}  
    vpc:
      subnetIds: 
        - ${env:SUBNET_ID_1}
        - ${env:SUBNET_ID_2}

Miuler · September 24, 2020, 3:04pm

Hello gomesp, did you find a solution?

ivanbarlog · November 26, 2020, 7:02pm

It seems that serverless framework is setting an empty policy string if you won’t specify provider.resourcePolicy yourself.

This seems to be causing problems for the PRIVATE endpoint type.

As AWS suggests you should allow only traffic from your VPC for the PRIVATE endpoint type.

ivanbarlog · November 26, 2020, 7:03pm

Also I guess that gomesp may had it right but the Resource policy inside serverless.yml shouldn’t contain the Statement only the array itself like this:

You can see an example of how to add Resoruce policy to the serverless.yml here https://www.serverless.com/framework/docs/providers/aws/events/apigateway#resource-policy

provider:
  resourcePolicy:
   - Effect: Allow
     Action: '*'
     Resource: '*'
     Principal: '*'

Of course it is not advised to have such policies so I would stick with the AWS policy mentioned above.

Topic		Replies	Views
APi gateway resource policy do not appear in cloudformation Serverless Framework api-gateway	1	2285	July 30, 2020
Setting up API Gateway with Private Link Enabled (to access Serverless Lambda inside VPC) Serverless Framework	1	2861	July 29, 2019
How to create AWS API Gateway Resource Policy section by using serverless framework Serverless Framework	2	1873	October 25, 2018
API Gateway Resource Policy Serverless Framework	3	6931	June 14, 2018
New private API Gateway endpoints causing edge endpoints to not be accessible from VPC Serverless Framework aws	4	3984	July 30, 2019

Creating AWS API Gateway with PRIVATE endpointType requires ResourcePolicy

Related topics