Reputation: 490
This is driving me totally crazy.
I'm trying to call an API Gateway REST service from an Angular app that I have restricted from API Gateway with IAM access. So I need to call with IAM authentication. I'm using temporary IAM credentials that I have already obtained.
My call to the service fails saying there is no Access-Control-Allow-Origin header. When I try to call my service from Postman I don't see the required header on the response. On my Postman call I get a 403 status back since my authentication actually failed, but I still expected the header. If I remove the IAM authentication on the method it works: I get back the response string and the header I'm looking for.
What am I missing here? Surely even if my authentication failed I must still get back that header so that I can actually see the message that says your authentication failed.
Any help will be much appreciated.
Thanks
Upvotes: 1
Views: 1464
Reputation: 3993
Did you allow your Cognito role to access the API endpoints?
You have to use a policy similar to this one for the Cognito role:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "execute-api:invoke"
                ],
                "Resource": [
                    "arn:aws:execute-api:<API_REGION>:<ACCOUNT_ID>:<API_ID>/*"
                ]
            }
        ]
    }
If you use IAM authentication for your endpoint and if you do not allow the Cognito role to access your API, API Gateway will generate a 403 response. This response is not defined by your API definition because the request is refused by API Gateway before it could get to the point of being processed by your API. That is why your CORS configuration will not apply.
Upvotes: 1
Reputation: 490
From this link on the AWS forum it appears that there is an open issue related to exactly what I'm experiencing here... Not sure if what I'm looking for is currently possible.
Upvotes: 1
Reputation: 4152
Please ensure you do not have AWS_IAM authentication enabled on your OPTIONS method, otherwise the browser will not be able to make the pre-flight request and your request will fail. You should still have AWS_IAM enabled on your other methods.
Upvotes: 0
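A way to check the point made in the last answer across a whole API, as an added example that is not part of the original thread: it reads JSON shaped like the output of `aws apigateway get-resources --rest-api-id <API_ID> --embed methods` and reports preflight methods that demand authentication, resources with no method to answer a preflight, and other methods that are not set to AWS_IAM. The function name, finding labels and sample data are constructed for illustration, and it assumes every non-OPTIONS method is meant to be IAM-protected.

```python
import json

# Constructed sample shaped like the output of
#   aws apigateway get-resources --rest-api-id <API_ID> --embed methods
SAMPLE = json.loads("""
{"items": [
  {"id": "a1", "path": "/orders", "resourceMethods": {
      "GET":     {"httpMethod": "GET",     "authorizationType": "AWS_IAM"},
      "OPTIONS": {"httpMethod": "OPTIONS", "authorizationType": "AWS_IAM"}}},
  {"id": "b2", "path": "/orders/{id}", "resourceMethods": {
      "GET":     {"httpMethod": "GET",     "authorizationType": "NONE"},
      "OPTIONS": {"httpMethod": "OPTIONS", "authorizationType": "NONE"}}},
  {"id": "c3", "path": "/status", "resourceMethods": {
      "GET":     {"httpMethod": "GET",     "authorizationType": "AWS_IAM"}}},
  {"id": "d4", "path": "/"}
]}
""")


def audit_method_auth(resources):
    """Return sorted (path, method, problem) tuples for one REST API (hypothetical helper)."""
    findings = []
    for item in resources.get("items", []):
        path = item["path"]
        methods = item.get("resourceMethods") or {}
        if not methods:
            continue  # container resource with no methods of its own
        # An ANY method also receives OPTIONS when no explicit OPTIONS method exists.
        preflight = methods.get("OPTIONS") or methods.get("ANY")
        if preflight is None:
            # Nothing is defined to answer the browser's preflight with CORS headers.
            findings.append((path, "OPTIONS", "no-preflight-method"))
        elif preflight.get("authorizationType", "NONE") != "NONE":
            # Browsers send the preflight without the SigV4 Authorization header,
            # so API Gateway rejects it before any CORS headers are added.
            findings.append((path, "OPTIONS", "preflight-requires-auth"))
        for verb, cfg in methods.items():
            # Assumption: every method other than OPTIONS should use AWS_IAM.
            if verb != "OPTIONS" and cfg.get("authorizationType", "NONE") != "AWS_IAM":
                findings.append((path, verb, "method-not-iam-protected"))
    return sorted(findings)


if __name__ == "__main__":
    for path, verb, problem in audit_method_auth(SAMPLE):
        print(f"{problem:26} {verb:8} {path}")
```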