Failing to set up SSH tunnel to private AWS API gateway API

I have a private AWS API Gateway REST API, meaning it's only accessible within my VPC. I have a bastion SSH instance running in the VPC, meaning I can do stuff like this:

ssh -J ec2-user@<bastion> ec2-user@<ip of EC2 instance within my VPC>

From that instance I can then curl my API using the https://<api-id>.execute-api.eu-west-1.amazonaws.com/dev/<my endpoint> URL.

Now, for local testing, I'd like to tunnel this instance to a local port, so I try

ssh -J ec2-user@<bastion> -L 8888:<api-id>.execute-api.eu-west-1.amazonaws.com:443 ec2-user@<ip of EC2 instance within my VPC>

This command returns fine, but when I try to do curl localhost:8888/dev/<my endpoint>, I first get a certificate error, which is natural, but when I try using curl -k localhost:8888/dev/<my endpoint> to ignore the certificate, I simply get a 403 Forbidden response from AWS. There's nothing in my access logs for the REST API at all for these requests.

Is the 403 related to the fact that I'm ignoring the TLS certificate, or something else? Is it possible at all to set up a tunnel like this? Unfortunately it doesn't seem possible to use plain HTTP for the API Gateway REST APIs, otherwise I'd have preferred that for this type of thing.

JHH asked Mar 03 '23 01:03


1 Answer

API Gateway requires the host header to match the API endpoint URL. Either add the hostname to your /etc/hosts

127.0.0.1 <api-id>.execute-api.eu-west-1.amazonaws.com

and call it normally curl https://<api-id>.execute-api.eu-west-1.amazonaws.com:8888/dev/<my endpoint>

or use curl's --resolve flag

curl \
  --resolve <api-id>.execute-api.eu-west-1.amazonaws.com:8888:127.0.0.1 \
  https://<api-id>.execute-api.eu-west-1.amazonaws.com:8888/dev/<my endpoint>

Alternatively, if your bastion is configured to allow it, you can use ssh as a SOCKS5 proxy and proxy your request through the bastion.

In one shell session start the proxy

ssh -D 8888 ec2-user@<bastion>

and then in another shell, use it

export HTTPS_PROXY=socks5://localhost:8888
curl https://<api-id>.execute-api.eu-west-1.amazonaws.com/dev/<my endpoint>
Ngenator answered May 05 '23 11:05
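A toy model of the failure mode the answer describes, added here and not part of the question or the answer: a front door that routes on the Host header (as the shared execute-api endpoint does) refuses a request whose Host is `localhost:<port>` before any API is invoked, so the 403 never shows up in the API's own access log, while the same request with the API hostname as Host goes through. The hostname and path are constructed placeholders.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

API_HOST = "abc123.execute-api.eu-west-1.amazonaws.com"  # constructed placeholder id
ACCESS_LOG = []  # stands in for the REST API's own access log


class GatewayFrontDoor(BaseHTTPRequestHandler):  # routes on Host, like execute-api
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]  # drop any :port
        if host != API_HOST:
            # Refused before any API is invoked, so its access log stays empty.
            self.send_error(403, "Forbidden")
            return
        ACCESS_LOG.append(self.path)
        body = b'{"ok": true}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo's stdout quiet
        pass


def start_front_door():
    """Bind an ephemeral local port, playing the local end of the ssh -L tunnel."""
    server = HTTPServer(("127.0.0.1", 0), GatewayFrontDoor)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def request_via_tunnel(port, host_header, path="/dev/hello"):
    """GET through the local port with an explicit Host header; return the status."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Host": host_header})
    status = conn.getresponse().status
    conn.close()
    return status


def demo():
    server = start_front_door()
    port = server.server_address[1]
    naive = request_via_tunnel(port, f"localhost:{port}")  # what curl localhost:8888 sends
    fixed = request_via_tunnel(port, API_HOST)  # what --resolve or /etc/hosts achieves
    server.shutdown()
    return naive, fixed, list(ACCESS_LOG)
```

`demo()` returns `(403, 200, ['/dev/hello'])`: only the request that carried the API hostname reached the "API" and was logged.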