Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

CORS Policy Issue When Calling Lambda Function from React (Amplify + Cognito Setup)

0

I am working on a React + Vite project where I'm using AWS Amplify CLI and Amazon Cognito for authorization. I'm trying to implement AdminUserGlobalSignOut by invoking a Lambda function that I've deployed through Amplify.

The Lambda function is triggered via API Gateway. However, when I call this endpoint from my React frontend (running locally), I receive the following CORS error: Access to fetch at 'https://1yv101r4.execute-api.us-east-1.amazonaws.com/default/forceGlobalSignOut' from origin 'http://localhost:5173' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Questions: Since this Lambda function is internal and part of the same Amplify project, is there a way to call it directly from the frontend without going through API Gateway, thereby bypassing CORS?

If not, what’s the correct way to configure CORS for a Lambda/API Gateway setup created through Amplify CLI so that it can be securely accessed from the React frontend running locally (e.g., http://localhost:5173)?

Would it be better practice to trigger the AdminUserGlobalSignOut operation from the backend (e.g., via a server-to-server request) instead of exposing this via API Gateway?

Context: Frontend: React + Vite

Auth: AWS Amplify + Cognito (Amplify CLI generated resources)

Backend: Lambda function created via Amplify to perform AdminUserGlobalSignOut

Topics
ServerlessFront-End Web & MobileComputeNetworking & Content DeliverySecurity, Identity, & Compliance
Tags
Amazon API GatewayAmazon CognitoAWS AmplifyAWS Lambda
Language
English
asked 10 months ago167 views
1 Answer
0
Accepted Answer

The CORS error you're experiencing is a common issue when accessing API Gateway endpoints from a different origin, such as your local development environment. This happens because browsers enforce the Same-Origin Policy as a security measure, and your localhost development server is considered a different origin than your AWS API Gateway endpoint.

To resolve this issue, you have several options:

  1. Configure CORS in API Gateway:
  • In the API Gateway console, enable CORS for your endpoint
  • Set Access-Control-Allow-Origin to http://localhost:5173 (your React app's origin) or * for testing
  • Include all HTTP methods your API supports (GET, POST, PUT, DELETE, OPTIONS)
  • Add any custom headers your application uses
  • Ensure you have an OPTIONS method configured for your resource, as browsers send a preflight OPTIONS request before the actual request
  1. Add CORS headers in your Lambda function:
  • Your Lambda function should return the necessary CORS headers in its response:
return {
'statusCode': 200,
'headers': {
'Access-Control-Allow-Origin': 'http://localhost:5173',
'Access-Control-Allow-Methods': 'GET,POST,PUT,DELETE,OPTIONS',
'Access-Control-Allow-Headers': 'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'
},
'body': JSON.stringify(responseData)
};
  1. Using Amplify to call Lambda functions:
  • If you're using Amplify CLI to manage your resources, you can use the Amplify API category to call your Lambda function, which handles CORS and authentication automatically
  • Configure your Lambda function as an API in your Amplify project using amplify add api
  • Then use API.post() or similar methods from the Amplify library to call your function

Regarding your specific questions:

  • Calling Lambda directly: You cannot call Lambda directly from a browser-based application due to security concerns. API Gateway provides the necessary HTTP interface and security controls.

  • Configuring CORS with Amplify CLI: When you create an API with Amplify CLI, you can configure CORS during setup. You can also update it later using amplify update api and following the prompts to configure CORS settings.

  • Best practice for AdminUserGlobalSignOut: For sensitive operations like signing out users, it's generally better to expose this functionality through a secured API endpoint rather than calling AWS services directly from the frontend. Your current approach of using a Lambda function behind API Gateway with proper authentication is appropriate, but ensure:

  1. The endpoint is properly secured with Cognito authorizers
  2. CORS is configured correctly
  3. Proper error handling is implemented

After making these changes, remember to deploy your API in API Gateway to ensure the changes take effect.
Sources
CORS error while accessing an endpoint in API gateway | AWS re:Post
Blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status | AWS re:Post
CloudFront -> API Gateway works well, alternate domain name -> API Gateway gives CORS error | AWS re:Post

answered 10 months ago
EXPERT
reviewed 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content