I set up a custom authorizer in API Gateway to validate a JWT on the Authorization header. The authorizer is working fine for some GET resources, but for a specific POST call it rejects with a 403 Forbidden (AccessDeniedException):
{
"message": "User is not authorized to access this resource"
}
I turned on API Gateway logging and for both resources it claims it's calling the authorizer with ID vf0zk6. This is the API gateway log:
Extended Request Id: d0GmcE2HCYcFrVQ=
Starting authorizer: vf0zk6 for request: f23990ba-c1a4-4c71-9427-d28697735735
Incoming identity: ***************voGFIg
Extended Request Id: d0GmcE2HCYcFrVQ=
Using valid authorizer policy for principal: ************************f8069d
Successfully completed authorizer execution
The client is not authorized to perform this operation.
Gateway response type: ACCESS_DENIED with status code: 403
Gateway response body: {"message":"User is not authorized to access this resource"}
Gateway response headers: {Access-Control-Allow-Headers=Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token, Access-Control-Allow-Origin=*, Access-Control-Allow-Methods=OPTIONS,POST}
Gateway response type: ACCESS_DENIED with status code: 403
I also enabled CloudWatch logging for the custom authorizer lambda itself. I can see logs for the GET resource it succeeds at, but no logs show up for the failing POST resources. So it looks like it's failing it without ever calling the custom authorizer lambda. Both resources are called with the exact same Authorization header.
I was able to temporarily get it working by creating a new authorizer and pointing it to the same lambda function (with caching disabled). But the next day after I re-added caching on the new authorizer it was failing again without any call to the lambda function.
(EDIT) It doesn't have to do with GET vs POST; some POST resources are succeeding and others failing. The requests are identical, pointing to the same authorizer but some just get rejected before the custom authorizer lambda is invoked and others invoke the lambda and work fine.
Thanks, this pointed me in the right direction. This was a really helpful article: https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-lambda-authorization-errors/
My authorizer was just passing the methodArn straight through when I needed to be returning a wildcard method ARN. It had been caching the result for all method calls when I assumed it had cache keys for each one.
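The cache interaction described in that follow-up, as an added example that is not the asker's code or AWS's: a Python Lambda authorizer in two variants, the per-method policy (Resource set to the exact `methodArn`) beside the stage-wide wildcard policy, plus a small model of API Gateway's authorizer cache keyed on the bearer token. The API id, account, region, paths and tokens are constructed values, and the token check is a constructed lookup standing in for real JWT signature and expiry verification.

```python
"""API Gateway Lambda authorizer: per-method vs wildcard policy under caching.

Added example, not the asker's code. API Gateway caches the returned policy
per identity source (the Authorization header value by default), so whatever
Resource the first request produced is reused for every later request with
the same token. A policy scoped to one exact methodArn therefore denies all
other methods without the Lambda ever being invoked, which is exactly the
"no authorizer logs for the failing resource" symptom in the question.
"""
import fnmatch


def api_wildcard_arn(method_arn):
    """Rewrite arn:...:{apiId}/{stage}/{VERB}/{path} to arn:...:{apiId}/{stage}/*/*
    so the cached policy covers every method and path in the stage."""
    arn_parts = method_arn.split(":", 5)
    api_id, stage = arn_parts[5].split("/")[:2]
    return ":".join(arn_parts[:5] + [f"{api_id}/{stage}/*/*"])


def build_policy(principal_id, effect, resource):
    """Minimal IAM policy document in the shape API Gateway expects back."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
            ],
        },
    }


# Constructed stand-in for JWT validation: token -> subject. A real authorizer
# verifies the signature, issuer, audience and expiry against the IdP's keys.
KNOWN_TOKENS = {"Bearer good-token": "user-123"}


def _subject_for(event):
    subject = KNOWN_TOKENS.get(event.get("authorizationToken"))
    if subject is None:
        raise Exception("Unauthorized")  # API Gateway maps this message to 401
    return subject


def per_method_authorizer(event, context=None):
    """Buggy variant: passes methodArn straight through as the Resource."""
    return build_policy(_subject_for(event), "Allow", event["methodArn"])


def wildcard_authorizer(event, context=None):
    """Fixed variant: Resource is the stage-wide wildcard ARN."""
    return build_policy(_subject_for(event), "Allow", api_wildcard_arn(event["methodArn"]))


def policy_allows(policy, method_arn):
    """Evaluate the policy for one methodArn; '*' matches across '/' as in IAM."""
    allowed = False
    for stmt in policy["policyDocument"]["Statement"]:
        res = stmt["Resource"]
        resources = res if isinstance(res, list) else [res]
        if any(fnmatch.fnmatchcase(method_arn, r) for r in resources):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def simulate_gateway(authorizer, requests):
    """Model of the gateway's policy cache keyed on the token only.

    requests: list of (authorization_header, method_arn).
    Returns (per-request status codes, number of authorizer Lambda invocations).
    """
    cache = {}
    lambda_calls = 0
    statuses = []
    for token, method_arn in requests:
        if token not in cache:  # cache miss: invoke the Lambda for this token
            lambda_calls += 1
            cache[token] = authorizer({"authorizationToken": token, "methodArn": method_arn})
        statuses.append(200 if policy_allows(cache[token], method_arn) else 403)
    return statuses, lambda_calls


# Constructed ARNs: one GET and one POST in the same API stage.
GET_ARN = "arn:aws:execute-api:us-east-1:123456789012:abc123api/prod/GET/items"
POST_ARN = "arn:aws:execute-api:us-east-1:123456789012:abc123api/prod/POST/orders"
REQUESTS = [("Bearer good-token", GET_ARN), ("Bearer good-token", POST_ARN)]

if __name__ == "__main__":
    print("per-method policy:", simulate_gateway(per_method_authorizer, REQUESTS))
    print("wildcard policy:  ", simulate_gateway(wildcard_authorizer, REQUESTS))
```

Running the block shows the per-method variant returning `([200, 403], 1)`: the second request is refused from the cached policy with no second Lambda invocation, while the wildcard variant returns `([200, 200], 1)`. The wildcard is the right scope when the token alone decides access for the whole API; if different methods need different decisions, either enumerate the allowed method ARNs in one policy or include the method in the cache key rather than caching per token.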