Reputation: 675
I'm using AWS API Gateway and Lambda to upload images to an S3 bucket. I have set up API Gateway to use a custom authoriser.
I'm currently passing the base64 encoded image in the JSON payload (not ideal but for the moment it is fine for what I need).
This is how I call my API (note you need jq and httpie installed to issue this call):
base64 <my_image> | jq -R '{image: .}' | http https://<api_gw_url>/dev/upload 'Authorization:Bearer <my_auth_token>'
If I issue the same request more than once, API Gateway returns a 200 the first time (and the document is correctly uploaded), but for any subsequent request (with the same auth token to the same URI) a 403 Forbidden is returned with the following error in the body:
{
"Message": "User is not authorized to access this resource"
}
After about 5 min the request is accepted again :/
I didn't find any mention of default rate limiting in the documentation.
I have also tried to add a Usage Plan, with an API Key associated, to be able to tweak the rate limiting, but it didn't make any difference.
Did anybody else experience this?
Edit
Just wanted to add some more info about my architecture to make sure the issue is better explained.
My setup includes an API Gateway, a Lambda that takes care of the authorization with JWT and another Lambda that does the upload to S3. What happens is the following:
First call
>base64 <my_image> | jq -R '{image: .}' | http https://<api_gw_url>/dev/upload 'Authorization:Bearer <my_auth_token>'
Request hits:
Response code: 200
Second call (issued less than 5 min after the first one)
>base64 <my_image> | jq -R '{image: .}' | http https://<api_gw_url>/dev/upload 'Authorization:Bearer <my_auth_token>'
Request hits:
Request does NOT hit:
Response code: 403
Upvotes: 2
Views: 961
Reputation: 675
It turns out it was a mix of a bug in my code and a misunderstanding on how API Gateway works.
The issue I was having was the following:
- JWT_Token_1
- UUID1
- cached for JWT_Token_1
- JWT_Token_1
- JWT_Token_1, BUT tries to call resource with UUID2
- then "User is not authorized to access this resource"

I was basically reusing the same JWT Token to access different resources. In my use case this shouldn't be allowed.
Upvotes: 2
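The caching behaviour behind the answer above, as an added example that is not code from the post: a hypothetical Python TOKEN authorizer that scopes its IAM policy to the exact methodArn of the first request, plus a small simulator of API Gateway's authorizer result cache, which is keyed by the token value and reuses the first policy until the TTL (300 s by default) expires. The ARNs, account id, token value and the "stage" scoping option are constructed for the demo.

```python
import fnmatch

# Constructed sample method ARNs (placeholder region/account/API id, not from the post).
ARN_UUID1 = "arn:aws:execute-api:eu-west-1:123456789012:abc123/dev/POST/upload/UUID1"
ARN_UUID2 = "arn:aws:execute-api:eu-west-1:123456789012:abc123/dev/POST/upload/UUID2"

def build_policy(principal_id, effect, resource):
    """Response shape a Lambda TOKEN authorizer returns to API Gateway."""
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}

def authorizer(event, scope="method"):
    """Hypothetical authorizer. scope="method": allow only this request's methodArn
    (the behaviour behind the 403). scope="stage": allow every method in the stage."""
    token = event["authorizationToken"].split(" ", 1)[-1]  # strip "Bearer "
    arn = event["methodArn"]                 # arn:...:apiId/stage/METHOD/resource-path
    if token != "JWT_Token_1":               # stand-in for real JWT verification
        return build_policy("anonymous", "Deny", arn)
    resource = arn if scope == "method" else "/".join(arn.split("/")[:2]) + "/*"
    return build_policy("user-1", "Allow", resource)

def evaluate(policy, method_arn):
    """HTTP status API Gateway produces for a (possibly cached) policy and this ARN."""
    allowed = False
    for st in policy["policyDocument"]["Statement"]:
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(fnmatch.fnmatchcase(method_arn, r) for r in res):
            if st["Effect"] == "Deny":
                return 403
            allowed = True
    return 200 if allowed else 403

class PolicyCache:
    """Simulates the authorizer result cache: keyed by the token value only, so the
    first policy is reused for any method until the TTL (default 300 s) expires."""
    def __init__(self, ttl=300, scope="method"):
        self.ttl, self.scope, self.entries = ttl, scope, {}

    def invoke(self, token, method_arn, now):
        entry = self.entries.get(token)
        if entry is None or now - entry[0] >= self.ttl:
            event = {"authorizationToken": token, "methodArn": method_arn}
            entry = self.entries[token] = (now, authorizer(event, self.scope))
        return evaluate(entry[1], method_arn)  # cached policy is not re-evaluated by Lambda
```

With the default scope, the second call for UUID2 inside the TTL window gets 403 exactly as in the question; after 300 s the authorizer runs again and the call succeeds.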