OCI API Gateway: 403 Forbidden scenarios While Trying to Access a Private API
I'm working with a `403 Forbidden` behavior while trying to access a private API hosted on Oracle Cloud Infrastructure (OCI) API Gateway. The API is configured to use a private subnet, and I've set up the necessary security list rules and defined the correct user policies.

Here’s the configuration I have for the API Gateway:

```json
{
  "compartmentId": "ocid1.compartment.oc1..example",
  "displayName": "MyPrivateAPI",
  "apiSpec": {
    "type": "swagger",
    "swagger": {
      "swagger": "2.0",
      "info": {
        "title": "My API",
        "version": "1.0"
      },
      "paths": {
        "/endpoint": {
          "get": {
            "responses": {
              "200": {
                "description": "Successful response"
              }
            }
          }
        }
      }
    }
  },
  "visibility": "PRIVATE"
}
```

I believe I've set up the VCN correctly with a proper route table and security lists, allowing traffic to the API Gateway. I also created a policy that grants users in my IAM group access to invoke this API:

```
Allow group MyAPIGroup to manage api-gateway-family in compartment MyCompartment
```

When I try to invoke the API via Postman or cURL, I receive the following behavior message:

```
HTTP/1.1 403 Forbidden
{
  "code": "Forbidden",
  "message": "The request is not authorized."
}
```

I’ve verified that I’m using the correct signing algorithm and the Auth headers are set up properly in my request. The endpoint should be reachable since I can ping the private IP of my API Gateway’s endpoint from a VM in the same subnet. I was also able to access the API when I temporarily changed its visibility to PUBLIC.

Can anyone provide insights on what might be going wrong or what I might be missing in terms of IAM policies or network configuration? Any help would be greatly appreciated!