API Gateway: Error during configuring API mapping - amazon-web-services

I created a wildcard certificate *.example.com on ACM in my region.
Then I added subdomain.example.com to my custom domain names on API Gateway. The subdomain was configured correctly (it did not give me an error).
When I try to configure the API mappings, I get the error "Unable to complete operation due to concurrent modification. Please try again later."
I have tried it multiple times. What am I doing wrong here?

This issue is probably with the API Gateway UI console (AWS Management Console).
When I tried creating the mapping from the AWS CLI, it worked.
I used the aws apigateway create-base-path-mapping command.
Details on the API are at https://docs.aws.amazon.com/cli/latest/reference/apigateway/create-base-path-mapping.html

Related

Add custom domain to API gateway without serverless-domain-manager

I want to add a custom domain to the API Gateway using the Serverless Framework but without "serverless-domain-manager" or any other plugin. I am looking for a more native way, maybe extending a resource in "serverless.yml".
All articles suggest that plugin, but it isn't the best for multi-environment pipelines.
https://www.serverless.com/blog/serverless-api-gateway-domain/
Doing it manually is not that complicated; here is the full explanation.
Add a custom domain to all envs:
Issue a certificate for the domain in the same region as the serverless project, in my case us-east-2.
Go to API Gateway > Custom domain names > Create, and use the Regional endpoint type if using HTTP APIs.
In the created domain there is an API Gateway domain name; you'll need to point a CNAME record to it.
Finally, go to API mappings and create the mappings, in my case main and prod with stage $default.
API Gateway with a custom domain is configured to use TLS 1.2, and it supports some weak ciphers. These weak ciphers are removed in TLS 1.3, which is only supported in CloudFront distributions at the moment.
Some security tools like AppScan raised these issues for me during the security testing of these APIs.
You can check the details here.
https://security.stackexchange.com/questions/254667/are-weak-cipher-suites-for-tls1-2-a-valid-concern
If security is a concern, I would suggest using a CloudFront distribution in front of the API Gateway.
https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cloudfront-distribution/
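Scanner findings like the ones mentioned above can be triaged by cipher-suite name. The following is an added example, not part of the original answer: the suite list is constructed (it is not API Gateway's actual policy), and the three criteria are an assumption about what TLS scanners commonly flag for TLS 1.2 suites.

```python
import re

# Constructed sample: protocol and OpenSSL suite name per line, in the
# style of a TLS scanner report. Not the real API Gateway cipher list.
SAMPLE_SCAN = """\
TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
TLSv1.2 ECDHE-RSA-AES128-SHA256
TLSv1.2 AES128-GCM-SHA256
TLSv1.2 AES256-SHA256
TLSv1.2 DES-CBC3-SHA
"""

BROKEN = re.compile(r"RC4|DES|NULL|MD5|^EXP-", re.I)   # obsolete primitives
AEAD = re.compile(r"GCM|CCM|CHACHA20", re.I)           # anything else is CBC
FORWARD_SECRET = re.compile(r"^(ECDHE|DHE)-", re.I)    # ephemeral key exchange


def classify(suite):
    """Reasons a TLS 1.2 suite (OpenSSL name) would be flagged; [] means none."""
    reasons = []
    if BROKEN.search(suite):
        reasons.append("broken primitive")
    if not FORWARD_SECRET.search(suite):
        reasons.append("no forward secrecy (no ECDHE/DHE key exchange)")
    if not AEAD.search(suite):
        reasons.append("CBC mode, not AEAD")
    return reasons


def triage(scan_text):
    """Map each flagged TLS 1.2 suite in the report to its reasons."""
    findings = {}
    for line in scan_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] != "TLSv1.2":
            continue  # TLS 1.3 suite names carry no key exchange; skip them
        reasons = classify(parts[1])
        if reasons:
            findings[parts[1]] = reasons
    return findings


if __name__ == "__main__":
    for suite, reasons in triage(SAMPLE_SCAN).items():
        print(f"{suite}: {'; '.join(reasons)}")
```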

AWS: "Custom Domain" is stuck in the "Updating" state for a whole day

I had set up a custom domain for API Gateway. I have tried to update its BasePath and SecurityPolicy using SAM and now it is stuck in the "Updating" state in the UI. Trying to delete it from the AWS CLI also causes the following error:
An error occurred (BadRequestException) when calling the DeleteDomainName operation:
There is already an update in progress for the domain reminders.thestarware.com.
Please wait until the current update finishes before making another request.
Even deleting the whole API Gateway does not resolve it. Do you have any idea about how I can force delete it?
From my experience, when you utilize a custom domain in API Gateway, API Gateway saves the custom domain independently of your APIs so that you can delete an API without deleting your domain, or so that you can change the API that the domain points to if you need to.
Have you tried deleting your custom domain from API Gateway via the AWS Management Console / web browser interface?
Log in to the AWS console
Navigate to the API Gateway management page for your region. An example URL for the us-west-2 region is:
https://us-west-2.console.aws.amazon.com/apigateway
Click on "Custom domain names" as shown in the image below. Then you should be able to click on your domain and try to delete it using the "Delete" button shown in the image below.

How to find AWS Resource from endpoint URL

I'm trying to make sense of an undocumented project. I have an endpoint that looks like it's an AWS API gateway resource. Is there a way to find that resource via the identifier?
I have
https://XXXXXXXX.execute-api.us-east-2.amazonaws.com/production/dothis
I have looked in the console at API Gateways in Ohio (us-east-2) at Stages and none of them have a stage endpoint with an XXXXXXX that matches this endpoint's id.
The endpoint is functioning - so it is somewhere out there for sure.
Is there some other AWS resource type that would end up with an endpoint URL like that? Or is it more likely that I have the wrong AWS account/profile? Can I search on the CLI by the XXXXXX id?
We have been in a similar situation and we ended up raising a support ticket to find it. Please raise a support ticket with AWS. They will at least let you know whether the endpoint URL is mapped to one of your AWS accounts.

AWS API Gateway with custom domain and CORS

I have an AWS API Gateway API with CORS enabled and a custom domain set-up. Direct API access via the execute-api endpoints is working and I get no CORS issues in the browser. Access via the custom domain api.example.com which I also configured, is working in principle, but not in the browser, where I get CORS:
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
When setting up the custom domain, API Gateway configures its own CloudFront distribution which is somewhat internal and I do not see how to configure it or if this is even possible, it does not show up in my list of CloudFront distributions, which is expected. From the AWS docs:
"The CloudFront distribution created by API Gateway is owned by a region-specific account affiliated with API Gateway"
I found these answers https://stackoverflow.com/a/52435619/4556546 and https://stackoverflow.com/a/51463965/4556546 that describe how to solve the problem with a normal CloudFront distribution. I am, however, wondering:
Have I missed something in configuring the custom domain and its associated CloudFront distribution?
In what circumstances would I choose the custom domain with its internal CloudFront distribution over running my own CloudFront distribution that I can configure? (I already have a CloudFront distribution that I use for other parts of my app.) Are there pricing implications?
Your suggestion to remove the stage or "/dev" from my new custom domain worked like a charm.
Incorrect: api.example.com/dev/some_endpoint
Correct: api.example.com/some_endpoint
Hopefully this answer can help anyone else trying to add a custom domain to AWS API Gateway.
Simply removing /dev from the end of my custom domain in my Amplify config nailed it! I want to hide under the sheets every time I see that CORS error; in this case I came out on top, thanks!
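Why the extra /dev breaks the request, as an added example that is not part of the original posts: a simplified model of how a custom domain's base path mapping turns a request into an execute-api URL. The API id, the region and the single empty-base-path mapping to the dev stage are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: the empty base path ("(none)" in the console) of the
# custom domain is mapped to a hypothetical API id and its "dev" stage.
REGION = "us-east-1"  # assumed; the posts above do not name a region
MAPPINGS = {"api.example.com": {"": ("a1b2c3d4e5", "dev")}}


def resolve(url, mappings=MAPPINGS, region=REGION):
    """Translate a custom-domain URL into the execute-api URL it is routed to.

    Simplified model with single-segment base paths only.
    Returns None when the host has no applicable mapping.
    """
    parts = urlsplit(url)
    domain = mappings.get(parts.hostname, {})
    first, _, rest = parts.path.lstrip("/").partition("/")
    if first and first in domain:
        # The first path segment is a base path: strip it, the mapping picks the stage.
        api_id, stage = domain[first]
        resource = "/" + rest
    elif "" in domain:
        # Empty base path: the whole request path is the resource path.
        api_id, stage = domain[""]
        resource = parts.path or "/"
    else:
        return None
    return f"https://{api_id}.execute-api.{region}.amazonaws.com/{stage}{resource}"


if __name__ == "__main__":
    for u in ("https://api.example.com/some_endpoint",
              "https://api.example.com/dev/some_endpoint"):
        print(u, "->", resolve(u))
```

The second URL resolves to /dev/dev/some_endpoint, a path the API does not define, which is consistent with the preflight failure reported above.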

AWS Lambda http, where do I find the URL?

I am fairly new to AWS Lambda but sure can see the benefits of it and stumbled upon the superb framework Serverless to help me build solutions on Lambda.
I started out building solutions using AWS API Gateway but really need "internal" VPC APIs and not public Internet-facing APIs like API GW creates.
I found that Serverless indeed can expose an HTTP endpoint but I can't figure out how this is done and how the URL is created.
When I deploy the Lambda from Serverless it gives me the URL, e.g.:
https://uxezd6ry8z.execute-api.eu-west-1.amazonaws.com/dev/ping
I would like to be able to find (or create) this same HTTP listener for already existing Lambdas, so my question is how is the URL created and where is the actual HTTP listener deployed?
You might be looking for the invoke URL:
1. Go to https://console.aws.amazon.com/apigateway
2. Select the API link (which you have deployed on AWS Lambda).
3. Select Stages in the left side panel and see the invoke URL.
Adding an HTTP listener can be done by going to your Lambda function, selecting the 'triggers' tab and 'add trigger', finally selecting API Gateway - but as others mentioned this does create a public-facing URL.
Duh, I was in the wrong AWS logon previously so the API GW was not showing any matching Serverless API and that was why I couldn't understand how they did it...
Once I logged into the AWS account that hosts the Serverless structure I can see the API GW GET APIs for the Serverless HTTP listener.
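Both this thread and the earlier "How to find AWS Resource from endpoint URL" question come down to reading the API id and region out of an execute-api URL and finding the account that owns it. The following is an added example, not part of the original posts: it parses the URL and matches the id against saved output of `aws apigateway get-rest-apis` and `aws apigatewayv2 get-apis`; the profile names and inventory contents are constructed.

```python
import re
from urllib.parse import urlsplit

HOST_RE = re.compile(
    r"^(?P<api_id>[a-z0-9]+)\.execute-api\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$")

# Constructed sample: per CLI profile, JSON saved from `aws apigateway
# get-rest-apis` ("rest") and `aws apigatewayv2 get-apis` ("v2"), both run
# in the region parsed from the URL. Profile and API names are hypothetical.
INVENTORIES = {
    "dev-account": {"rest": {"items": [{"id": "abc123defg", "name": "orders"}]},
                    "v2": {"Items": []}},
    "prod-account": {"rest": {"items": [{"id": "uxezd6ry8z", "name": "ping-service"}]},
                     "v2": {"Items": [{"ApiId": "h7k2m9q4x1", "Name": "web",
                                       "ProtocolType": "HTTP"}]}},
}


def parse_invoke_url(url):
    """Split an execute-api invoke URL into its parts; None if it is not one."""
    parts = urlsplit(url)
    m = HOST_RE.match(parts.hostname or "")
    if not m:
        return None
    # For REST APIs the first segment is the stage; an HTTP API served from
    # its $default stage has no stage segment, so it may be part of the route.
    first, _, rest = parts.path.lstrip("/").partition("/")
    return {"api_id": m["api_id"], "region": m["region"],
            "first_segment": first, "rest": "/" + rest}


def find_owner(api_id, inventories):
    """Return (profile, api type, api name) for every inventory entry with this id."""
    hits = []
    for profile, inv in inventories.items():
        for item in inv.get("rest", {}).get("items", []):
            if item["id"] == api_id:
                hits.append((profile, "REST", item["name"]))
        for item in inv.get("v2", {}).get("Items", []):
            if item["ApiId"] == api_id:
                hits.append((profile, item.get("ProtocolType", "HTTP"), item["Name"]))
    return hits


if __name__ == "__main__":
    parsed = parse_invoke_url("https://uxezd6ry8z.execute-api.eu-west-1.amazonaws.com/dev/ping")
    print(parsed, find_owner(parsed["api_id"], INVENTORIES))
```

An empty result across every profile you can list points to an account you do not have access to.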