Multiple API origins in CloudFront


I have two origins, each with their own behavior in CloudFront

Origin A = API A
Origin B = API B

Both APIs have a GET resource of /hello that returns a message back

  • If I point the default behavior at Origin A and go to https://{cloudfrontdomain}/hello I get a successful response
  • If I point the default behavior at Origin B and go to https://{cloudfrontdomain}/hello I get a successful response

However, I cannot get the second behavior (non-default) to work at all. I have double-checked and everything is set up in exactly the same way aside from the path pattern, which I have set to /api/*

With the above setup I was expecting to go to https://{cloudfrontdomain}/api/hello and it to return a successful response, however I just receive

"message": "Missing Authentication Token"

Where am I going wrong??

1 Answer
Accepted Answer


The non-default setup (api/*) isn't working because CloudFront forwards your request to /api/hello on your origin, which doesn't exist.

What's happening is that CloudFront, natively, can prepend to the path for a given origin, but it does not currently have the capability of removing elements of the path (without Lambda@Edge, as noted below).

So, if your endpoint were at /api/hello at the origin, you could have the path pattern /api/* transformed before sending the request to the origin by setting the "origin path". However, the opposite isn't true. If the endpoint is at /hello at the origin, there is not a built-in way to serve those files from path pattern /api/hello.

In short, you can add (prefix) but not take away.

However, Lambda@Edge allows you to declare trigger hooks in the CloudFront flow and write small JavaScript functions that inspect and can modify the incoming request, either before the CloudFront cache is checked (viewer request), or after the cache is checked (origin request). This option does not modify which Cache Behavior will actually service the request, because this is always based on the path as requested by the browser -- but you can then modify the path in-flight so that the actual requested object is at a path other than the one requested by the browser.

Please upvote/accept this answer if you found it helpful.

AWS
answered 7 months ago
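
The path rewrite described in the answer above, as an added example that is not part of the original answer or AWS's own code. It assumes the function is attached as the origin request trigger on the /api/* behavior and deployed as a CommonJS Node.js handler; `PREFIX`, `stripPrefix` and `rewriteRequest` are hypothetical names, and the sample event is constructed.

```javascript
'use strict';

// Assumption: this behavior's path pattern is /api/* and the origin serves
// the same resources without that prefix (e.g. /hello).
const PREFIX = '/api';

// Remove PREFIX only when it is a whole leading path segment, so that
// /api/hello becomes /hello while /apiary/hello is left untouched.
function stripPrefix(uri, prefix = PREFIX) {
  if (uri === prefix) return '/';
  if (!uri.startsWith(prefix + '/')) return uri;
  // Collapse repeated slashes left at the front (e.g. /api//hello) so the
  // origin never receives a URI starting with "//".
  return '/' + uri.slice(prefix.length).replace(/^\/+/, '');
}

// Mutates and returns the CloudFront request object taken from the event.
function rewriteRequest(request) {
  request.uri = stripPrefix(request.uri);
  return request;
}

// Lambda@Edge entry point for the origin request trigger. Returning the
// request object tells CloudFront to forward it to the origin as modified.
async function handler(event) {
  return rewriteRequest(event.Records[0].cf.request);
}

// Export only where a CommonJS module object exists.
if (typeof module !== 'undefined') module.exports = { handler };

// Constructed sample event, trimmed to the fields this handler reads.
const sampleEvent = {
  Records: [{ cf: { request: { method: 'GET', uri: '/api/hello', querystring: '' } } }],
};
```

Matching on `/api/` rather than the bare string `/api` keeps the rewrite from touching unrelated paths that merely share those characters, which matters if the same function is later attached to a broader behavior.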