getting message: forbidden reply from AWS API gateway

流过昼夜 submitted on 2019-11-27 13:53:24

If you set 'API Key Required' option to true, please check below.

  1. you have to pass 'x-api-key' HTTP Header Parameter to API Gateway.
  2. The API Key has to be created.
  3. In addition, you need to check a Usage Plan for the API Key on API Gateway Console.

On the API Gateway dashboard choose Resources, click Actions and choose Deploy API. Before your first deployment the only response you'll get is the {"message":"Forbidden"}.

If you use a custom domain name and forget to select destination staging, you'll get the Forbidden message.

Simply go to Custom Domain Names and click Edit under your domain, and then select the stage under Base Path Mappings.

I had a similar problem, and I had the following:

  1. A Custom Domain (Edge Optimized)
  2. Multiple Stages (dev, staging, prod)

I also didn't set any Authorization nor restrictions to make things simple.

I was able to fix the problem by adding Base Path Mappings for each of my stages (dev, staging, prod).

If you set 'API Key Required' to true, you need to pass the API key as a header.

The API Key is passed in the header field 'x-api-key'. Even after adding this field to the header, this issue may occur. In that case, please validate the points below:

  • Do you have a Usage Plan? If not, you need to create one.
  • Link your API with the Usage Plan. For that, add a stage; it will link your API.
  • Do you have an API Key? If not, you need to create an API Key and enable it.
  • Add the Usage Plan which is linked with your API to this API Key. For that, add the Usage Plan.
vaquar khan

You need to deploy your API on a stage and use the stage URL: go to Resources, click Actions and choose Deploy API.

Now if you are getting the error

{"message":"Forbidden"}

please check the following steps:

  1. If you enabled the API key, copy and pass your key in Postman.
  2. If you are still getting the same error, it means you will need to create a usage plan.
  3. Set the limit and assign the plan to your API.

If Authorization and API KEY Required both are set to true for the method, then make sure you have the following Headers while sending the request:

  1. Content-Type (usually application/x-www-form-urlencoded if GET call)
  2. HOST
  3. X-Amz-Date
  4. Authorization
  5. x-api-key

I use POSTMAN for API testing, which is quite reliable, and then it's pretty straightforward.

Note: Do not add the x-api-key header if you have set API KEY REQUIRED to FALSE. And if you have set AUTHORIZATION to FALSE, then do not add the Authorization header.
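An added example (not code from the thread) of assembling those headers with the Python standard library: a hypothetical build_headers helper that signs Host and X-Amz-Date with SigV4 for the execute-api service and adds x-api-key only when an API key is supplied, matching the note above. The credentials, API key and timestamp used in the test are constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import urlsplit

SERVICE = "execute-api"  # SigV4 service name for API Gateway invoke URLs


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def build_headers(method, url, region, access_key, secret_key,
                  api_key=None, body=b"", amz_date=None):
    """Headers for a SigV4-signed call to an execute-api URL (hypothetical helper).

    amz_date ("YYYYMMDDTHHMMSSZ") defaults to now; pass it for reproducible
    output. x-api-key is added only when api_key is given, since the header
    must be absent when 'API Key Required' is off. Assumes an unreserved path.
    """
    parts = urlsplit(url)
    host, path = parts.netloc, parts.path or "/"
    if amz_date is None:
        amz_date = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    payload_hash = hashlib.sha256(body).hexdigest()  # GET: hash of empty body

    # Canonical request: host and x-amz-date are the signed headers, so the
    # SignedHeaders list names exactly those two, sorted by name.
    canonical_headers = f"host:{host}\nx-amz-date:{amz_date}\n"
    signed_headers = "host;x-amz-date"
    canonical_request = "\n".join([method, path, parts.query, canonical_headers,
                                   signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])

    # Derive the signing key: secret -> date -> region -> service -> aws4_request.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_signing = _hmac_sha256(_hmac_sha256(_hmac_sha256(k_date, region), SERVICE), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()

    headers = {"Host": host, "X-Amz-Date": amz_date,
               "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                 f"SignedHeaders={signed_headers}, Signature={signature}")}
    if api_key is not None:
        headers["x-api-key"] = api_key
    return headers
```

The returned dict can be passed straight to an HTTP client; the Authorization value is what API Gateway verifies when the method uses AWS_IAM authorization.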

I might be too late, but one of the reasons API Gateway would give a "forbidden" message is when you pass data in the request body on a GET operation. To solve the problem, either make your resource POST or do not pass data in the request body.

This may be far from obvious, but another reason for seeing the "Forbidden" error when using AWS API Gateway may be calling an incorrect URL that does not correspond to any deployed API method. It can occur if you're actually hitting the wrong URL (e.g. instead of calling https://9999xx9x99.execute-api.us-east-1.amazonaws.com/dev/users (note the dev stage before users) you called https://9999xx9x99.execute-api.us-east-1.amazonaws.com/users (no stage)). You'd expect to get 404, but you'll get 403.

BTW: after you make a deployment to https://9999xx9x99.execute-api.us-east-1.amazonaws.com/dev/users, calling https://9999xx9x99.execute-api.us-east-1.amazonaws.com/user (note the singular noun form here) gets you… 403 as well, but with a "Missing Authentication Token" message!

I might have come across a solution to this problem. I had the same issue right now on MacOS. I tried to flush my DNS and then it worked!

Try this in the terminal:

Mac OS X Yosemite and later

sudo killall -HUP mDNSResponder

Mac OS X Yosemite v10.10 through v10.10.3

sudo discoveryutil mdnsflushcache

Mac OS X Mavericks, Mountain Lion and Lion

sudo killall -HUP mDNSResponder

Mac OS X Snow Leopard

sudo dscacheutil -flushcache

I got this error from an nginx Fargate service trying to access a private API in API Gateway. I needed to add a policy under Resource Policies in my API like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:<AccountID>:<RestApiID>/*",
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpce": "<VPC Endpoint ID for execute-api>"
                }
            }
        }
    ]
}
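As an added example (not part of the answer above), a small Python check for a resource policy of this shape: it reports an Allow with a wildcard Principal that has no Condition, an aws:sourceVpce condition that does not list the endpoint the caller actually uses (the usual source of the 403 on a private API), and the absence of any Invoke grant. The embedded policy and the vpce- IDs are constructed placeholders.

```python
import json

# Constructed policy in the shape of the one in the answer above; the
# account, API and endpoint IDs are placeholders, not real values.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "execute-api:Invoke",
        "Resource": "arn:aws:execute-api:us-east-1:<AccountID>:<RestApiID>/*",
        "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-0000example"}},
    }],
})

INVOKE_ACTIONS = {"execute-api:Invoke", "execute-api:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_private_api_policy(policy_json: str, expected_vpce: str) -> list:
    """Return findings explaining why a private API may answer 403 or be too open.

    A private API only admits traffic that its resource policy allows from the
    VPC endpoint the caller uses, so a wildcard Principal must be scoped by a
    Condition and the aws:sourceVpce value must be the caller's endpoint.
    """
    findings = []
    doc = json.loads(policy_json)
    invoke_allowed = False
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not INVOKE_ACTIONS & set(_as_list(stmt.get("Action", []))):
            continue
        invoke_allowed = True
        principal = stmt.get("Principal")
        wildcard = principal == "*" or principal == {"AWS": "*"}
        conditions = stmt.get("Condition", {})
        vpces = _as_list(conditions.get("StringEquals", {}).get("aws:sourceVpce", []))
        if wildcard and not conditions:
            findings.append("Allow with Principal '*' and no Condition: any caller that reaches the endpoint may invoke")
        if vpces and expected_vpce not in vpces:
            findings.append(f"aws:sourceVpce {vpces} does not include the caller's endpoint {expected_vpce}: expect 403 Forbidden")
    if not invoke_allowed:
        findings.append("no Allow statement grants execute-api:Invoke: expect 403 Forbidden")
    return findings
```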

Local firewall / antivirus or NGIPS (Cisco Bluecoat). The latter was my case, where I wouldn't even get logs in CloudWatch from my API. It was allowing my website hosted on the top-level domain, but was blocking the API subdomain with a 403, with no body in the browser's network dev-tools tab.

There are a few things to do when we receive the {message: forbidden} in the API Gateway:

CORS enabled?

  1. Check if CORS is Enabled within the API ( to start with, allow the origin '*', to make sure we can test safely )
  2. Deploy the API to make sure all settings are as expected

API Key enabled?

  1. Check if we have the API Key enabled in the API Gateway
  2. Check if there is an API Key configured.
  3. Check if your API Key is assigned to the correct usage plan and add an API Stage; without the API Stage you will always receive a {message: forbidden}

If you are still facing issues, let me know so I or one of our cloud gurus @levarne can help.

We faced this issue in our production when we used Kong as our API gateway. Our requests passed through when initiated from Postman but failed with 403 when initiated via code. The Bot plugin in Kong was enabled, which only allowed requests initiated from a browser or mobile app based on the User-Agent header value. Our requests initiated via an HTTP client failed. Once we disabled the bot plugin, the error didn't occur. It now allows requests if the user-agent is Apache-HttpClient/4.5.2 (Java/1.8.0_91).

I got {"message":"Forbidden"} on an API with EndpointConfiguration set to PRIVATE, and a VpcEndpoint created for it in the VPC's private subnets (this is an inter-service API).

The reason I got {"message":"Forbidden"} was that I was under the impression I should use one of the VpcEndpoint's urls. The URL to use is still the one associated with the stage (in ApiGateway console). It is:

https://${RestApiId}.execute-api.${Region}.amazonaws.com/${StageName}
