Error: API with endpointType PRIVATE has no resource policy defined

I have created a private REST API that can only be accessed from my virtual private cloud in Amazon VPC by using an interface VPC endpoint. When I use the cURL command line to send a request, I get a 403 Forbidden error, which means that the client is forbidden from accessing a valid URL: the server understands the request but won’t fulfill it because of a client-side issue.

By checking the response headers, I can see “x-amzn-ErrorType” = “ForbiddenException” and the error message is “Forbidden”. I then reviewed the CloudWatch logs and found that the failed requests were due to “API with endpointType PRIVATE has no resource policy defined”.

So the root cause is that the resource policy did not take effect. As you may know, before your private API can be accessed, you need to create a resource policy and attach it to the API. This grants access to the API from your VPCs and VPC endpoints, or from VPCs and VPC endpoints in other AWS accounts to which you explicitly grant access. To do this, follow the instructions in Create and attach an API Gateway resource policy to an API.

Please note that the resource policy can be attached to the API when the API is being created, or it can be attached afterwards. For private APIs, until you attach the resource policy, all calls to the API will fail. In addition, if you update the resource policy after the API is created, you’ll need to deploy the API to propagate the changes after you’ve attached the updated policy. Updating or saving the policy alone won’t change the runtime behaviour of the API.
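The fix described above as a script, added here as an example rather than code from the original post. It assumes the AWS CLI is configured with permission to update and deploy the API, and the API id, stage name and VPC endpoint id are constructed placeholders to be replaced with your own.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholder values below are
# constructed; replace them with your own API id, stage and VPC endpoint id.
set -eu

# Build a resource policy that allows execute-api:Invoke only for calls that
# arrive through the given interface VPC endpoint. The Allow/Deny pair is the
# documented pattern for private APIs: the Deny with StringNotEquals on
# aws:SourceVpce rejects every other source.
build_policy() {
  vpce="$1"
  printf '%s' "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"execute-api:Invoke\",\"Resource\":\"execute-api:/*\"},{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"execute-api:Invoke\",\"Resource\":\"execute-api:/*\",\"Condition\":{\"StringNotEquals\":{\"aws:SourceVpce\":\"$vpce\"}}}]}"
}

# update-rest-api takes the policy as a JSON *string*, so the quotes inside
# the policy document must be escaped once more in the patch-operations file.
build_patch_ops() {
  escaped=$(build_policy "$1" | sed 's/"/\\"/g')
  printf '[{"op":"replace","path":"/policy","value":"%s"}]' "$escaped"
}

# Attach the policy, then deploy. Without the deployment the policy is saved
# but the running stage keeps answering 403 with
# "API with endpointType PRIVATE has no resource policy defined".
attach_and_deploy() {
  api_id="$1"; stage="$2"; vpce="$3"
  build_patch_ops "$vpce" > /tmp/patch-ops.json
  aws apigateway update-rest-api --rest-api-id "$api_id" \
      --patch-operations file:///tmp/patch-ops.json
  aws apigateway create-deployment --rest-api-id "$api_id" \
      --stage-name "$stage" --description "redeploy after resource policy change"
  # Confirm the stored policy now references the endpoint.
  aws apigateway get-rest-api --rest-api-id "$api_id" --query policy --output text
}

# Only talk to AWS when explicitly asked: ./attach-policy.sh run
if [ "${1:-}" = "run" ]; then
  attach_and_deploy "${API_ID:-a1b2c3d4e5}" "${STAGE:-prod}" \
                    "${VPCE_ID:-vpce-0123456789abcdef0}"
fi
```

After it runs, repeat the cURL request from inside the VPC; the 403 from the empty policy should be gone, and any remaining 403 means the caller's VPC endpoint id does not match the one in the policy.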
