jlai

Reputation: 989

AWS Api Gateway + Lambda + custom domain (Route53) Missing Authentication Token issue

I am aware that many similar questions have been posted and answered here, but none of them is quite the same as what I am experiencing.

I have a Lambda function that handles incoming requests (GET and POST). I also set up an API Gateway as the public-facing endpoint. Additionally, I set up a custom domain following "Set up Custom Domain Name for API Host Name".

The test call works in both the Lambda and API Gateway consoles. Everything also works using the invoke URL, but not with the custom domain I've set up.

Here are some more details:

Invoke URL (Works) :

https://{api gateway id}.execute-api.us-west-2.amazonaws.com/prod/endpoint

Custom domain endpoint (Doesn't work):

https://api.{my domain}.com/endpoint

Base Path Mapping:

/endpoint   endpoint:prod

All Method Auth:

Authorization None
API Key Not required

Route53:

A record as alias that points api.{my domain}.com to the cloudfront distribution domain name as alias target. 

I'd really appreciate it if anyone knows what's going on here.

Upvotes: 29

Views: 11717

Answers (4)

crystal

Reputation: 241

Step 1: Map the A record from subdomain.yourdomain.com to the API Custom domain/API Gateway domain name (API Gateway -> Custom domain names -> tab Configuration/Endpoint Configuration).

Step 2: From API Gateway/ API Custom domain - add the api mapping. Leave "path" empty.

End point format:

Original endpoint: https://{api gateway id}.execute-api.us-west-2.amazonaws.com/prod/endpoint

Endpoint with API custom domain: https://api.yourdomain.com/**endpoint**

Upvotes: 1

Chongsheng Sun

Reputation: 560

I had met the same question several years ago and solved it by removing the 'stage' name from the URL.

  1. The URL of gateway API seems like the following:

     https://{id}.execute-api.{region}.amazonaws.com/{stage}/todos

  2. If you have routed a custom domain https://api.xxx.com to gateway API {apiName}:{stage}, it seems like the following:

     https://api.xxx.com

     path: /
     target: {apiName}:{stage}

  3. Finally, the correct way to call it is to remove the stage name:

     // **remove stage name!!!!**

     // Right
     https://api.xxx.com/todos

     // Wrong
     https://api.xxx.com/{stage}/todos

Upvotes: 47

Jan Sila

Reputation: 1593

Another reason for this can be that your user, although admin, does not have the bloody CloudFrontFullAccess permissions! I just spent a couple of hours on it as I relied on serverless to do it for me and it worked perfectly on another project with different credentials, though. So double check the article! https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html

Upvotes: 0

jlai

Reputation: 989

I found the issue was a misunderstanding of how base path mapping works.

All my configurations are correct.

My API resource is not under / but under /endpoint

To use the custom domain, instead of visiting https://api.{my domain}.com/endpoint, it needs to go to https://api.{my domain}.com/endpoint/endpoint

Of course this is silly and redundant.

I have two options. I either set up the base path mapping to / instead of /endpoint, or I can just use the API resource / instead of /endpoint.

I go with the latter because if base path mapping is set to /, my api.{my domain}.com will only be able to host just one API (I can still use resources under the same API, but why waste the extra layer of abstraction?).

This seems dumb but I am still glad I figured it out.

Upvotes: 30
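
The path resolution described in the answers above, as an added example that is not part of any post on this page: a simplified Python model of how a custom domain's base path mapping turns a request path into an API, stage and resource, and which paths match nothing (the case reported on this page as "Missing Authentication Token"). The names `resolve`, `custom_domain_url`, `todo-api` and `api.example.com` are assumptions made for illustration, and only mappings that name a stage are modelled.

```python
# Added example: simplified model of REST API custom-domain routing.
# Every name and sample value here is constructed for illustration.

def resolve(path, mappings, resources):
    """Resolve a custom-domain request path to (api, stage, resource).

    mappings:  {base_path: (api_name, stage)}; "" is the empty base path.
    resources: {api_name: set of resource paths defined in that API}.
    Returns None when nothing matches, the case the page's callers saw
    reported as "Missing Authentication Token".
    """
    segments = [s for s in path.split("/") if s]
    first = segments[0] if segments else ""
    if first and first in mappings:
        api, stage = mappings[first]
        rest = segments[1:]      # the mapping consumes the base path segment
    elif "" in mappings:
        api, stage = mappings[""]
        rest = segments          # empty base path: the whole path reaches the API
    else:
        return None
    resource = "/" + "/".join(rest)
    if resource not in resources.get(api, set()):
        return None
    return (api, stage, resource)


def custom_domain_url(domain, base_path, resource):
    """URL a caller must use; the stage from the mapping never appears."""
    parts = [p for p in (base_path.strip("/"), resource.strip("/")) if p]
    return "https://" + domain + "/" + "/".join(parts)


# Question's setup: base path "endpoint" -> API "endpoint", stage "prod",
# and the API's only resource is /endpoint.
Q_MAPPINGS = {"endpoint": ("endpoint", "prod")}
Q_RESOURCES = {"endpoint": {"/endpoint"}}

# Second answer's setup: empty base path -> {apiName}:{stage}, resource /todos.
T_MAPPINGS = {"": ("todo-api", "prod")}
T_RESOURCES = {"todo-api": {"/todos"}}

if __name__ == "__main__":
    for path in ("/endpoint", "/endpoint/endpoint", "/prod/endpoint"):
        print(path, "->", resolve(path, Q_MAPPINGS, Q_RESOURCES))
    for path in ("/todos", "/prod/todos"):
        print(path, "->", resolve(path, T_MAPPINGS, T_RESOURCES))
    print(custom_domain_url("api.example.com", "endpoint", "/endpoint"))
```

When auditing a deployment, a None result for a path that callers are expected to use points at the mapping or resource tree rather than at authorizer or API key settings.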
