API Gateway claims it's invoking a custom authorizer but rejects before calling

0

I set up a custom authorizer in API Gateway to validate a JWT on the Authorization header. The authorizer is working fine for some GET resources, but for a specific POST call it rejects with a 403 Forbidden (AccessDeniedException):

{
    "message": "User is not authorized to access this resource"
}

I turned on API Gateway logging and for both resources it claims it's calling the authorizer with ID vf0zk6. This is the API gateway log:

Extended Request Id: d0GmcE2HCYcFrVQ=
Starting authorizer: vf0zk6 for request: f23990ba-c1a4-4c71-9427-d28697735735
Incoming identity: ***************voGFIg
Extended Request Id: d0GmcE2HCYcFrVQ=
Using valid authorizer policy for principal: ************************f8069d
Successfully completed authorizer execution
The client is not authorized to perform this operation.
Gateway response type: ACCESS_DENIED with status code: 403
Gateway response body: {"message":"User is not authorized to access this resource"}
Gateway response headers: {Access-Control-Allow-Headers=Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token, Access-Control-Allow-Origin=*, Access-Control-Allow-Methods=OPTIONS,POST}
Gateway response type: ACCESS_DENIED with status code: 403

I also enabled CloudWatch logging for the custom authorizer lambda itself. I can see logs for the GET resource it succeeds at, but no logs show up for the failing POST resources. So it looks like it's failing without ever calling the custom authorizer lambda. Both resources are called with the exact same Authorization header.

I was able to temporarily get it working by creating a new authorizer and pointing it to the same lambda function (with caching disabled). But the next day after I re-added caching on the new authorizer it was failing again without any call to the lambda function.

(EDIT) It doesn't have to do with GET vs POST; some POST resources are succeeding and others failing. The requests are identical, pointing to the same authorizer but some just get rejected before the custom authorizer lambda is invoked and others invoke the lambda and work fine.

1 Answer
1
Accepted Answer

I was able to temporarily get it working by creating a new authorizer and pointing it to the same lambda function (with caching disabled). But the next day after I re-added caching on the new authorizer it was failing again without any call to the lambda function.

The above suggests that authorizer caching is causing the issue. If you are able to make a GET request, subsequent GET requests succeed, but subsequent POST requests fail, then the policy returned by the authorizer is limiting the scope to the GET method only.

I recommend following the article below to troubleshoot the issue. See the section called "Resolve 'not authorized to access this resource' errors from the Lambda authorizer".

AWS
Taka_M
answered a year ago
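The mechanism the accepted answer describes, reproduced as an added example (this is not code from the thread or from AWS): API Gateway caches the policy document a Lambda authorizer returns, keyed on the Authorization token, and replays that cached policy for later requests with the same token without invoking the Lambda. If the authorizer copies `event.methodArn` straight into the policy's Resource, the cached policy from the first route (here a GET) matches only that route, and the next route with the same token is rejected with a 403 before the Lambda ever runs. The simulation below models the cache and AWS's documented `arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{method}/{path}` method ARN format; the account ID, API ID, region, paths and token are constructed placeholders, and the policy evaluator is a deliberately minimal stand-in for API Gateway's, not its real implementation.

```python
import re

# Added example, not from the original thread. Account ID, API ID, region, paths
# and token below are constructed placeholders.
# Method ARN format (documented by AWS):
#   arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{METHOD}/{resourcePath}
GET_ARN = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/items"
POST_ARN = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/POST/orders"


def parse_method_arn(method_arn):
    """Split a method ARN into (api_base, stage, method, path)."""
    api_base, _, rest = method_arn.partition("/")
    stage, method, path = rest.split("/", 2)
    return api_base, stage, method, path


def _policy(principal_id, resource):
    """Build the authorizer response document API Gateway expects."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": resource}
            ],
        },
    }


def narrow_authorizer(token, method_arn):
    """Scopes the policy to the exact method that triggered the call. With
    caching on, this policy is replayed for every other route using the same
    token, and those routes are denied without a Lambda invocation."""
    return _policy("user|" + token, method_arn)


def api_wide_authorizer(token, method_arn):
    """Scopes the policy to every method and path in the stage, so the cached
    policy stays valid for the caller's other routes."""
    api_base, stage, _, _ = parse_method_arn(method_arn)
    return _policy("user|" + token, f"{api_base}/{stage}/*/*")


def arn_matches(pattern, arn):
    """Wildcard match for Resource ARNs: '*' matches any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, arn) is not None


def is_allowed(policy, method_arn):
    """Minimal evaluator: an explicit Deny on a matching Resource wins, a
    matching Allow grants, anything else is the implicit deny behind the
    'User is not authorized to access this resource' 403."""
    allowed = False
    for stmt in policy["policyDocument"]["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if not any(arn_matches(r, method_arn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


class CachingGateway:
    """Stand-in for API Gateway with authorizer caching enabled: one cached
    policy per token, Lambda invoked only on a cache miss."""

    def __init__(self, authorizer):
        self.authorizer = authorizer
        self.cache = {}  # token -> cached policy document
        self.lambda_invocations = 0

    def authorize(self, token, method_arn):
        policy = self.cache.get(token)
        if policy is None:  # cache miss: invoke the Lambda authorizer
            self.lambda_invocations += 1
            policy = self.authorizer(token, method_arn)
            self.cache[token] = policy
        return is_allowed(policy, method_arn)


def simulate(authorizer):
    """Same token calls GET then POST. Returns (get_ok, post_ok, invocations)."""
    gw = CachingGateway(authorizer)
    get_ok = gw.authorize("tokenA", GET_ARN)
    post_ok = gw.authorize("tokenA", POST_ARN)
    return get_ok, post_ok, gw.lambda_invocations


if __name__ == "__main__":
    print("narrow policy  :", simulate(narrow_authorizer))    # (True, False, 1)
    print("api-wide policy:", simulate(api_wide_authorizer))  # (True, True, 1)
```

Note the invocation count in both runs: the POST is decided from the cache either way, which matches the symptom of an authorizer that "succeeds" in the gateway log but never writes a Lambda log line. Before broadening the Resource to `*/*`, check that the authorizer's decision really depends only on the caller and not on the route; if different routes need different answers for the same token, either list every permitted method ARN in the returned policy or turn caching off for that authorizer, rather than granting the whole stage.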
