Cloudfront Error "IncompleteSignatureException" when accessing API Gateway Origin/Behavior


I am struggling to get my cloudfront/apigateway setup right. I have a cloudfront with two origins pointing to the same ApiGateway but of different routes. /* as default should be routed to /dev/react and /api/* should be routed to /dev/api/ on the ApiGateway. /dev/react is an SSR Lambda rendering a react web page and /dev/api are my API Lambdas. The API Lambdas are protected by the Cognito Authorizer for which I am sending the Authorization header on every request.

This works very well when I serve everything on the ApiGateway domain, no Auth errors or such, but when I try to serve/access it via the cloudfront domain I can load the react app, via the default behaviour, but when the react app calls the API endpoints I get an IncompleteSignatureException.

I tried forwarding the Host header and other things, but cannot get it to work.

I found this ApiGateway403Errors page where the explanation is "A request with an 'Authorization' header is sent to an API resource path that doesn't exist", but I can pinpoint what that means for my scenario?

Is my routing bad? Am I missing an alias domain on the ApiGateway? What makes cloudfront not "finding" the resources on this path?

Any hints would be very much appreciated.

1 Answer

AWS_IAM authentication could be the reason here for your error message if you've enabled it on the API Gateway. This requires your request be signed with AWS Signature Version 4.

You may want to get the credentials via IAM/STS and use them to sign your request. Use a custom Lambda authorizer to validate the JWT directly at the API Gateway layer.

answered 3 months ago
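An added diagnostic example, not part of the question or the answer above: CloudFront prepends a behavior's origin path to the full viewer path, so the script computes the path API Gateway actually receives and checks it against the deployed routes, which is the "resource path that doesn't exist" condition quoted in the question. The origin paths `/dev/api` and `/dev/react` are assumed from the question's description; the route list, the alternative origin path `/dev`, and all function names are constructed for illustration.

```python
import re

def pattern_to_regex(pattern):
    """CloudFront path pattern: '*' = any run of characters, '?' = one character."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in "/" + pattern.lstrip("/"))
    return re.compile(body + r"\Z")

def route_to_regex(route):
    """API Gateway resource path: {name} = one segment, {name+} = the rest."""
    parts = []
    for seg in route.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("+}"):
            parts.append(".+")
        elif seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("/" + "/".join(parts) + r"/?\Z")

def origin_request_path(behaviors, viewer_path):
    """First matching behavior wins; its origin path is prepended unchanged."""
    for pattern, origin_path in behaviors:
        if pattern_to_regex(pattern).match(viewer_path):
            return origin_path.rstrip("/") + viewer_path
    raise ValueError("no behavior matched " + viewer_path)

def check(behaviors, routes, viewer_path):
    """Return (path sent to API Gateway, whether a deployed route matches it)."""
    path = origin_request_path(behaviors, viewer_path)
    return path, any(route_to_regex(r).match(path) for r in routes)

# Constructed sample data: stage "dev" plus hypothetical resources.
ROUTES = ["/dev/react", "/dev/react/{proxy+}",
          "/dev/api/items", "/dev/api/items/{id}"]
# Behaviors as (path pattern, origin path), in evaluation order.
AS_DESCRIBED = [("/api/*", "/dev/api"), ("*", "/dev/react")]  # from the question
STAGE_ONLY = [("/api/*", "/dev"), ("*", "/dev/react")]        # assumed alternative

if __name__ == "__main__":
    for name, behaviors in (("as described", AS_DESCRIBED),
                            ("stage-only origin path", STAGE_ONLY)):
        for viewer_path in ("/", "/api/items", "/api/items/42"):
            path, found = check(behaviors, ROUTES, viewer_path)
            status = "route exists" if found else "NO ROUTE (403 if Authorization is sent)"
            print(f"{name:24} {viewer_path:15} -> {path:24} {status}")
```

Replace `ROUTES` with the resources actually deployed on the stage before drawing conclusions about a real distribution.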
