Cloudfront Error "IncompleteSignatureException" when accessing API Gateway Origin/Behavior
I am struggeling to get my cloudfront/apigateway setup right. I have a cloudfront with two origins pointing to the same ApiGateway but of different routes. /* as default should be routed to /dev/react and /api/* should be routed to /dev/api/ on the Apigateway. /dev/react is a SSR Lambda rendering a react web page and /dev/api are my API Lambdas. The API Lambdas are protected by the Cognito Authorizer for which I am sending the Authorization header on every request.
This works very well when I serve everything on the ApiGateway domain, no Auth errors or such, but when I try to serve/access it via the cloudfront domain I can load the react app, via the default behaviour, but when the react app calls the API endpoints I get a IncompleteSignatureException.
I tried forwarding the Host header and other things, but cannot get it to work.
I found this ApiGateway403Erros page where the expl. is A request with an "Authorization" header is sent to an API resource path that doesn't exist., but I can pin point what that means for my scenario?
Is my routing bad? Am i missing an alias domain on the ApiGateway? What makes cloudfront not "finding" the resources on this path?
Any hints would be very much appreciated.
- Newest
- Most votes
- Most comments
AWS_IAM authentication could be the reason here for your error message if you've enabled it on the API Gateway. This requires your request be signed with AWS signature Version 4, https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
You may want to get the credentials via IAM/STS and use them to sign your request. Use a custom Lambda authorizer to validate the JWT directly at the API Gateway layer.
Relevant content
- asked 4 months ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
