Default Response Headers: AWS API Gateway w/ Proxy Integration - amazon-web-services

We have an Angular SPA front end, which communicates through an AWS API Gateway to a .Net Web API hosted in a Lambda function. This configuration mandates that our API Gateway uses proxy integration with the Lambda.
Generally, this works well. We have enabled CORS in our API, and normal requests and responses flow as expected.
However, when something happens that breaks the API Gateway or .Net Lambda Wrapper, such as exceeding the Gateway's (non-configurable) 30-second timeout, or exceeding Lambda's max response size, the response message from the API Gateway does not contain a CORS header. As a result, regardless of the actual error, our front end registers a CORS error.
Is there some way to configure the API Gateway to always return a default CORS header?
Please note that this is happening outside of our code - there is nothing I can do inside of the C# lambda function, as this relates to errors happening above that level.

Yes, you can set it at the AWS API Gateway level.
1. Log in to the AWS Console, open the API Gateway service, and select your desired gateway.
2. On the left-hand side panel, select "Gateway Responses" (this will appear under your selected gateway).
3. Now, on the right-hand side, select "Default 5XX".
4. Add default headers for CORS, such as Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin.
5. Save the changes and re-deploy the gateway.
Please refer to this image to navigate to the desired section.
Hope it helps.
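The same Gateway Responses setting expressed as a CloudFormation fragment, as an added example that is not part of the original answer. It also covers "Default 4XX", which the answer does not mention; the logical ID `RestApi`, the origin `https://app.example.com` and the header and method lists are assumptions to replace with your own.

```yaml
# Added example. Assumes a REST API with the hypothetical logical ID "RestApi"
# in the same template and a constructed SPA origin, https://app.example.com.
Resources:
  Default5xxCors:
    Type: AWS::ApiGateway::GatewayResponse
    Properties:
      RestApiId: !Ref RestApi
      # Applies to errors API Gateway generates itself with a 5XX status
      # (for example an integration timeout), which never reach the Lambda code.
      ResponseType: DEFAULT_5XX
      ResponseParameters:
        # Static header values are wrapped in single quotes inside the string.
        # Naming the SPA origin is narrower than '*'.
        gatewayresponse.header.Access-Control-Allow-Origin: "'https://app.example.com'"
        gatewayresponse.header.Access-Control-Allow-Headers: "'Content-Type,Authorization'"
        gatewayresponse.header.Access-Control-Allow-Methods: "'GET,POST,DELETE,OPTIONS'"

  Default4xxCors:
    Type: AWS::ApiGateway::GatewayResponse
    Properties:
      RestApiId: !Ref RestApi
      # Same headers for gateway-generated 4XX errors, so the browser reports
      # the real status instead of a CORS failure.
      ResponseType: DEFAULT_4XX
      ResponseParameters:
        gatewayresponse.header.Access-Control-Allow-Origin: "'https://app.example.com'"
        gatewayresponse.header.Access-Control-Allow-Headers: "'Content-Type,Authorization'"
        gatewayresponse.header.Access-Control-Allow-Methods: "'GET,POST,DELETE,OPTIONS'"
```

As with the console steps, the stage must be redeployed before the new headers appear on error responses.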

Related

AWS API Gateway - lambda integration missing authorization header

My API includes various GET, POST and DELETE endpoints set up in AWS API Gateway. Each endpoint is integrated with Lambda and calls its own Lambda python function.
I have set up authorization manually (not through AWS authorizers): I call the endpoints with a bearer token in the "Authorization" header, and the Lambda functions access event["headers"]["Authorization"] to obtain the token. This works fine for POST and DELETE endpoints. However, when calling GET endpoints, the "Authorization" header is missing from the event["headers"] object (only other headers added by AWS are present).
I have tried calling the GET endpoints through various methods. Also worth mentioning that this is not a case sensitivity issue - the token I provide is not found anywhere in the events object.
All my endpoints are configured like this in API Gateway:
Method Request:
Integration Request:
Does API Gateway or Lambda remove the "Authorization" automatically for GET calls?
As you've mentioned that you use CloudFront in front of your API gateway, I believe I know what the problem is.
By default, CloudFront strips away params and headers from the request before forwarding it to origin. You need to modify your cache behaviour to forward the Authorization header to origin.
Go to your CloudFront distribution, and edit the behaviour for that distribution. Then, scroll down to 'Cache key and origin requests'.
You need to create a new cache policy that forwards the Authorization header, like so:
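A cache policy of the kind described, written as a CloudFormation fragment. This is an added example, not the original answer's screenshot; the policy name, TTL values and query-string setting are assumptions.

```yaml
# Added example. Logical ID, Name and TTLs are hypothetical choices.
Resources:
  AuthForwardingCachePolicy:
    Type: AWS::CloudFront::CachePolicy
    Properties:
      CachePolicyConfig:
        Name: forward-authorization-header
        Comment: Forward Authorization to the API Gateway origin
        MinTTL: 0
        DefaultTTL: 0
        # All-zero TTLs disable caching, and CloudFront then does not accept
        # header settings in the policy, so MaxTTL stays above 0.
        MaxTTL: 1
        ParametersInCacheKeyAndForwardedToOrigin:
          EnableAcceptEncodingGzip: true
          EnableAcceptEncodingBrotli: true
          HeadersConfig:
            # Headers listed here are forwarded to the origin AND become part
            # of the cache key, so a response cached for one bearer token is
            # not served to a request carrying a different token.
            HeaderBehavior: whitelist
            Headers:
              - Authorization
          CookiesConfig:
            CookieBehavior: none
          QueryStringsConfig:
            QueryStringBehavior: all

# Attach it to the behaviour that routes to API Gateway, e.g. in the
# distribution's DefaultCacheBehavior:
#   CachePolicyId: !Ref AuthForwardingCachePolicy
```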

AWS API Gateway. Origin has been blocked by CORS Policy

Framework: Vue.js
Sending a DELETE request (axios) to AWS API Gateway, which triggers a Lambda function.
In API Gateway, I have created the DELETE method
I have created/configured the OPTIONS method, where Gateway Responses DEFAULT 4XX and DEFAULT 5XX are checked. Methods: DELETE and OPTIONS are checked. Access-Control-Allow-Headers: 'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token' and Access-Control-Allow-Origin were manually set, i.e. a list of origins.
I confirm configuration was saved by taking a look at Gateway Responses
Lambda Function created, responds with the following headers.
Code on client side
Executing program - Request Response does not include the Access-Control-Allow-Origins.
I've been stuck for a couple of days now, I don't know where else I should look into.
I have tried adding headers to the request, e.g. Access-Control-Allow-Origin: '*', and tried the list of specific origins that will ping the API.
set Access-Control-Allow-Origin in api gateway to '*'
uncheck Lambda Proxy Integration in Delete Method, Any Method in api gateway
lambda function response with 'Access-Control-Allow-Methods': 'list of methods'
use fetch

API Gateway Invoke Endpoint works fine; Cloudfront returns 403

I've set up an AWS API Gateway proxy endpoint to a lambda function and deployed it to a stage called auth. The Invoke URL found on the API Gateway dashboard works just fine and executes my lambda.
However, I've created a Cloudfront distribution that I want to map to API Gateway. I set the Origin to the API Gateway URL and configured a behavior to forward /auth/* to the API Gateway origin:
Origin Settings:
Behavior Settings:
However, this doesn't work. I get a 403 Forbidden message from Cloudfront:
This is extremely confusing for me because I have an almost identical set up on another AWS account that works just fine. Does anyone know what the problem might be?

Cloudfront returns 403 error when I call it, but using the API Gateway URL which is attached to Cloudfront returns the right result

I have a problem with cloudfront.
Here is my scenario:
1) I have a beanstalk url pointing to my get service in java. So far so good and I can see the result by calling : beanstalk url/users/1
2) I added my beanstalk to api gateway as an http endpoint, and again so far so good and I can see the result by calling : api gateway url/users/1
3) now I want to create a custom domain name for my api gateway so I followed the following :
how to set custom domain for api gateway
I followed that and now I have a cloudfront endpoint pointing to my apigateway deployed stage with a certificate. Please look at the image:
Now when I try this:
https://de90lotxxxxxx.cloudfront.net/users/1
I get :
Failed to load https://de90lotelw3hx.cloudfront.net/users/1: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://s.codepen.io' is therefore not allowed access. The response had HTTP status code 403.
Just to clarify, I did check the api gateway deployed url and I did not get this error, so this means that CORS is enabled in apigateway. So when I use cloudfront and a certificate, do I need to attach any header? Any idea?
It sounds like you don't have the CORS headers enabled in api gateway.
Select the resource (/users/{id}), click the Actions button, and select Enable CORS from the drop down. The default setting (shown in the screen capture) is wildcard / all domains. Click the "Enable CORS.." button to confirm.
This will send the CORS headers in the response and allow the cross domain request to s.codepen.io from the web application.
Last, don't forget to deploy the stage after making changes.

AWS API Gateway Custom Domain + AWS CloudFront

I have an AWS API Gateway endpoint(Invoke URL),
I created a Custom Domain, to map the Domain with my API Gateway as the Invoke URL is made of non user friendly characters,
I mapped the Custom Domain with the API Gateway,
I followed these steps -
http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html
Both the Default Invoke URL and Custom Domain endpoint are responding correct data,
So far so good.
On further testing I found out that as my default Invoke URL had Caching enabled on it,
I enabled API Gateway cache by following this -
http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html
The response was in milliseconds,
Weirdly the Custom Domain mapped endpoint is responding slower and looks like it is not Caching the previous responses, even though Caching is properly enabled on the API Gateway,
I need to Enable Caching on the Custom Domain as well,
Do I need to add CloudFront in front of the API Gateway or something?
How do I achieve this?
I am not able to find my Invoke URL in CloudFront origin,
I couldn't understand these solutions either -
1. http://www.davekonopka.com/2016/api-gateway-domain.html
2. How do you add CloudFront in front of API Gateway