I've got a lambda running in a VPC that is connected to a Websocket API Gateway endpoint. It gets called just fine when the client connects and sends the websocket command, and is able to access resources (RDS) inside my VPC as well; however, when I go to send a response via the AWS.ApiGatewayManagementApi postToConnection, I get a "Forbidden" error.
The Lambda's role has "execute-api:Invoke" permissions and the lambda itself is running in a private subnet of the VPC with a NAT gateway and an interface endpoint linked to the "execute-api" service (before that was added, calls to postToConnection would time out), so I'm stumped as to what permission I could still be missing.
Do I need to call a different endpoint than ".execute-api..amazonaws.com/"? This same code works when run outside of the VPC.
The issue you face is due to connecting to a public API from a VPC which has a VPC endpoint configured. Refer to the following doc for troubleshooting steps: https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-vpc-connections/
The above doc mentions:
If you get this error when connecting to your API Gateway public APIs from an Amazon VPC, check to see if there's an interface VPC endpoint for API Gateway associated with that VPC, with private DNS enabled. When private DNS is enabled for an interface VPC endpoint associated with a VPC, all requests from the VPC to API Gateway APIs resolve to that VPC endpoint, and you can't connect to public APIs using a VPC endpoint.
For an easy fix, you can disable private DNS for the VPC endpoint and ensure that the Lambda function has internet access.
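The check the answer describes, as an added example that is not part of the original question or answer: a small diagnostic in JavaScript (aws-sdk v2, the same SDK family the question uses) that inspects the VPC's interface endpoints for the execute-api service and reports any with private DNS enabled, since that is the configuration that makes public `execute-api` hostnames, including the `@connections` endpoint used by `postToConnection`, resolve to the VPC endpoint. The endpoint and VPC ids in the sample response are constructed; `diagnoseLive` and `disablePrivateDns` are hypothetical helper names that need `ec2:DescribeVpcEndpoints` and `ec2:ModifyVpcEndpoint` permissions and are only called when you choose to run them against a real account.

```javascript
// Added example (not from the question or the answer): find execute-api
// interface endpoints with private DNS enabled, which is the cause of the
// 403 "Forbidden" from postToConnection described above.

// Constructed sample of an EC2.describeVpcEndpoints response (all ids invented).
const SAMPLE_DESCRIBE_RESPONSE = {
  VpcEndpoints: [
    {
      VpcEndpointId: 'vpce-0example1', // constructed id
      VpcId: 'vpc-0example',
      ServiceName: 'com.amazonaws.us-east-1.execute-api',
      VpcEndpointType: 'Interface',
      PrivateDnsEnabled: true, // this flag redirects public API DNS into the VPC
    },
    {
      VpcEndpointId: 'vpce-0example2', // constructed id, unrelated gateway endpoint
      VpcId: 'vpc-0example',
      ServiceName: 'com.amazonaws.us-east-1.s3',
      VpcEndpointType: 'Gateway',
    },
  ],
};

// Pure function: ids of execute-api interface endpoints in vpcId with private DNS on.
// Any hit means *.execute-api.<region>.amazonaws.com resolves to the endpoint
// from inside that VPC, so calls to public APIs (and @connections) get Forbidden.
function findPrivateDnsEndpoints(describeResponse, vpcId) {
  return (describeResponse.VpcEndpoints || [])
    .filter((e) => e.VpcId === vpcId)
    .filter((e) => e.VpcEndpointType === 'Interface')
    .filter((e) => /\.execute-api$/.test(e.ServiceName || ''))
    .filter((e) => e.PrivateDnsEnabled === true)
    .map((e) => e.VpcEndpointId);
}

// Verdict object with the remediation the answer recommends.
function diagnose(describeResponse, vpcId) {
  const hits = findPrivateDnsEndpoints(describeResponse, vpcId);
  if (hits.length === 0) {
    return { ok: true, endpoints: [], message: 'No execute-api endpoint with private DNS in ' + vpcId };
  }
  return {
    ok: false,
    endpoints: hits,
    message:
      'Private DNS is enabled on ' + hits.join(', ') +
      '; disable it and make sure the Lambda has internet access (NAT) so the ' +
      'public @connections endpoint resolves to its public address.',
  };
}

// Live variant (hypothetical helper): same check against the real account.
// aws-sdk is loaded lazily so the pure functions above run without it.
async function diagnoseLive(vpcId, region) {
  const AWS = require('aws-sdk');
  const ec2 = new AWS.EC2({ region });
  const resp = await ec2
    .describeVpcEndpoints({ Filters: [{ Name: 'vpc-id', Values: [vpcId] }] })
    .promise();
  return diagnose(resp, vpcId);
}

// Apply the answer's fix (hypothetical helper): turn private DNS off on the endpoint.
async function disablePrivateDns(vpcEndpointId, region) {
  const AWS = require('aws-sdk');
  const ec2 = new AWS.EC2({ region });
  return ec2
    .modifyVpcEndpoint({ VpcEndpointId: vpcEndpointId, PrivateDnsEnabled: false })
    .promise();
}

// Offline run on the constructed sample.
console.log(diagnose(SAMPLE_DESCRIBE_RESPONSE, 'vpc-0example'));
```

Running it offline prints an `ok: false` verdict naming `vpce-0example1`. Against a real VPC, call `diagnoseLive(vpcId, region)` from an environment with credentials, then `disablePrivateDns(id, region)` for each reported endpoint; keep in mind that turning private DNS off also affects any private REST APIs in that VPC that relied on the endpoint's DNS, so those callers would need to use the endpoint-specific DNS name instead.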