Reputation: 1409
I am creating an API using API Gateway and Lambda. Using the URL designated in the API Gateway Stage editor everything works fine; however, when I try to move to a custom domain I am running into some issues.
The first thing I tried was using a CNAME record in Route 53 straight from my domain onto the domain that I got from the API Gateway. That was returning some errors and I think it is the incorrect solution; is that correct?
Next I tried the Custom Domain Names feature in API Gateway. My understanding is this will roll up a CloudFront distribution that I can then map onto from Route 53. When I created the custom domain and added a Domain Mapping it provided me with a URL to what I assume is a CloudFront distribution. The link is returning a 403 response and no distribution has been made in CloudFront. What is a good way of debugging this problem?
Upvotes: 48
Views: 35391
Reputation: 167
Note, if you are setting up a private API with custom domain names:
Custom domain names are not supported for private APIs
However, there is a workaround: you can use an Application Load Balancer to forward requests to the API GW while supporting private DNS. So when the user navigates to your site:
example.com > route53 > ALB > AWS API GW > Lambda
In my case, I dropped the API GW and used an ALB with a target group of my Lambda directly. ALBs do support private domains with no problems.
So in my case it's just:
example.com > route53 > ALB > Lambda
Upvotes: 1
Reputation: 68790
I'll post another answer here, as our case was a bit more complex, and this may save quite a few hours to someone in the future (I do include myself in this "someone").
We're using Global Accelerator to be able to provide a static IP for some of our APIs. The trick here was that one of these APIs was still using an EDGE endpoint instead of a PRIVATE endpoint. This was causing the same {"message":"Forbidden"} issue, with the right domain mapping and without having anything in API Gateway Execution logs.
Upvotes: 0
Reputation: 7344
tl;dr: Make sure you're not still adding /path/ANDSTAGE but just /path because APIGW will map this for you.
Here is the developer guide if you haven't seen it. http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html
All you need to do is set up a CNAME with your DNS provider pointing at the CF distribution that API Gateway gives you. You won't be able to make API calls directly to the CF distribution. API Gateway maps the API/stage from the Base Path mapping you set up in API Gateway so only API calls directed at the domain name will work correctly.
Upvotes: 36
Reputation: 81
In my case the problem was that I didn't create an API mapping in the custom domain name configuration for api-gateway.
Api gateway main menu -> custom domain names -> select your newly created custom domain name in the list -> click api mappings on the right -> create mapping between your deployed api and the custom domain name.
Upvotes: 8
Reputation: 60
In my case, the Legacy cache settings headers were the issue.
If you have selected Legacy cache settings in the CloudFront behaviour: in the CloudFront distribution, go to Behaviour -> Legacy cache settings -> Headers drop-down.
Selecting the value None solved my problem.
Upvotes: 1
Reputation: 341
You need to use the Host header in your request. The Host should be your custom domain.
curl https://<cf-id>.cloudfront.net/myapi -H "Host: api.myapi.com"
Upvotes: 30
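The checks suggested in the answers above (an API mapping exists, the stage is not repeated in the path, the request names the custom domain as Host), combined into one offline diagnostic. This is an added example, not part of any post; it assumes REST API mappings in the shape `aws apigateway get-base-path-mappings` returns and single-segment base paths, and the function name, finding labels and sample values are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample, shaped like the output of
#   aws apigateway get-base-path-mappings --domain-name api.myapi.com
SAMPLE_MAPPINGS = json.loads(
    '{"items": [{"basePath": "(none)", "restApiId": "abc123defg", "stage": "prod"}]}'
)


def diagnose_403(url, custom_domain, mappings, host_header=None):
    """Return labels for likely causes of a 403 on `url` (hypothetical helper)."""
    findings = []
    parts = urlsplit(url)

    # Per the answers, only calls directed at the custom domain name work,
    # so a call to the CloudFront name needs an explicit Host header.
    host = (host_header or parts.hostname or "").lower()
    if host != custom_domain.lower():
        findings.append("host-mismatch")

    items = mappings.get("items") or []
    if not items:
        findings.append("no-api-mapping")  # domain exists, nothing mapped to it
        return findings

    # "(none)" is how the API reports an empty base path.
    by_base = {("" if m["basePath"] == "(none)" else m["basePath"]): m for m in items}
    segments = [s for s in parts.path.split("/") if s]
    first = segments[0] if segments else ""

    if first and first in by_base:
        mapping, rest = by_base[first], segments[1:]
    elif "" in by_base:
        mapping, rest = by_base[""], segments
    else:
        findings.append("no-matching-base-path")
        return findings

    # The mapping already selects the stage; repeating it in the URL makes
    # the first path segment be treated as a resource name instead.
    if rest and rest[0] == mapping.get("stage"):
        findings.append("stage-in-path")
    return findings


if __name__ == "__main__":
    print(diagnose_403("https://api.myapi.com/prod/myapi", "api.myapi.com", SAMPLE_MAPPINGS))
```

An empty result means none of these three causes applies; a resource that really is named after the stage will be flagged as `stage-in-path` and needs a manual look.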