API Gateway - invalid policy document, check policy syntax

I am building an API Gateway resource policy through the AWS console. My API Gateway is in a VPC.

Error: Invalid policy document. Please check the policy syntax and ensure that Principals are valid.

This is the resource policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": [
        "arn:aws:execute-api:*:*:*/*"
      ]
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": [
        "arn:aws:execute-api:*:*:*/*"
      ],
      "Condition" : {
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-0c11234510819ewqe"
        },
        "StringNotEquals": {
          "aws:SourceVpce": "vpc-er345453yrt4543t"
        }
      }
    }
  ]
}

In the Condition statement, if you want to specify multiple VPCs, you need to declare them as a list:

"Condition" : {
    "StringNotEquals": {
      "aws:SourceVpc": [
        "vpc-0c11234510819ewqe",
        "vpc-er345453yrt4543t"
        ]
    }
  }

In addition, in the Resource field, remove arn:aws:

Finally, the resource policy looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": [
        "execute-api:*:*:*/*"
      ]
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": [
        "execute-api:*:*:*/*"
      ],
      "Condition" : {
        "StringNotEquals": {
          "aws:SourceVpc": ["vpc-0c11234510819ewqe","vpc-er345453yrt4543t"]
        }
      }
    }
  ]
}

Reference:

API Gateway resource policy examples
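Added example (not code from the question or the answer): a small Python check showing why the original Condition block is silently misread, since standard JSON parsers keep only the last of two identical "StringNotEquals" keys, and how to rebuild the block with each operator appearing once and values as lists. The sample Condition is constructed from the question's policy; the function names are my own.

```python
import json

# Constructed sample: the Deny statement's Condition block as posted in the
# question, with the "StringNotEquals" operator appearing twice in one object.
BROKEN_CONDITION = """{
  "StringNotEquals": {"aws:SourceVpc": "vpc-0c11234510819ewqe"},
  "StringNotEquals": {"aws:SourceVpce": "vpc-er345453yrt4543t"}
}"""


def load_policy_strict(text):
    """Parse policy JSON and return (parsed, duplicate_keys).

    json.loads keeps only the last value of a repeated key, so the first
    StringNotEquals block would vanish without any error. The hook records
    every repeated key so the loss can be reported instead of ignored."""
    duplicates = []

    def hook(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                duplicates.append(key)
            obj[key] = value
        return obj

    return json.loads(text, object_pairs_hook=hook), duplicates


def merge_condition(text):
    """Rebuild a Condition block so each operator appears once and every
    condition key maps to a list of values, preserving all repeated entries."""
    merged = {}
    # Returning the raw pair list keeps repeated keys instead of collapsing them.
    for operator, inner in json.loads(text, object_pairs_hook=lambda p: p):
        bucket = merged.setdefault(operator, {})
        for cond_key, value in inner:
            values = value if isinstance(value, list) else [value]
            bucket.setdefault(cond_key, []).extend(values)
    return merged


if __name__ == "__main__":
    parsed, dups = load_policy_strict(BROKEN_CONDITION)
    print("duplicate keys:", dups)                              # ['StringNotEquals']
    print("surviving keys:", list(parsed["StringNotEquals"]))   # ['aws:SourceVpce']
    print(json.dumps({"Condition": merge_condition(BROKEN_CONDITION)}, indent=2))
```

Whether a given ID belongs under aws:SourceVpc or aws:SourceVpce is left exactly as written in the input; the script only makes the duplicate visible and normalises the structure.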