Lambda + API Gateway + Custom Domain Name = Missing Authentication Token

Question

Hello AWS fellows.  
  
I having some troubles setting up and AWS Lambda function with Custom Domain Name. I setup everything and the response I get back is "Missing Authentication Token".  
  
Here are the steps to reproduce  
  
**1. AWS Lambda - Hello World**  
1.1. I went to AWS Lambda in AWS Console  
1.2. I created a "Hello World" function called "exampleService".   
1.3. I added an API Gateway trigger "exampleService-API", which gave me an API endpoint similar to "https://xxx.execute-api.us-east-1.amazonaws.com/default/exampleService" .   
1.4. Accessing the API endpoint successfully returns "Hello from Lambda!".     
  
**2. API Gateway - Custom Domain Name**  
2.1. I went to AWS API Gateway using the AWS Console  
2.2. I added a new Custom Domain for the "exampleService-API" with something similar to:

```
protocol = HTTP
domain name = api.example.com
endpoint configuration = Edge Optmized
ACM certificate = *.example.com, the same I use in many other projects
Base Path Mappings = 
  /example -> exampleService-API:default
```

2.3. It returned me a Target Domain Name like xxx.cloudfront.net  
  
**3. Route 53**  
3.1. I went to AWS Route 53 using the AWS Console  
3.2. Added the following registry:

```
Name = api.example.com
Type = A - IPv4 address
Alias Target = xxx.cloudfront.net
Routing Policy = Simple
Evaluate Target Health = No
```

**4. Trying it**  
If I try to access api.example.com/example, it returns me:

```
{
  "message": "Missing Authentication Token"
}
```

**Conclusion**  
  
I am totally lost how to make it work.   
  
I found this similar issue: . However, that was fixed by adding the base path, but it doesn't work for me.  
  
I am quite sure the Custom Domain Name base path is correct. If I try to access any other path such as api.example.com/ or api.example.com/somethingelse, it returns "Forbidden" instead.  
  
Any ideas?  
  
Thanks!

Accepted Answer

>    
 >If I try to access api.example.com/example, it returns me:  
  
You need to access api.example.com/example/exampleService  
  
When you access api.example.com/example you are calling the GET on the root resource of your API, which is not currently configured with an integration, hence the 403 "Missing Authentication Token" result.  
  
If you want api.example.com/example to work, you would need to add the appropriate method to the root resource of your API.  
  
Regards,  
Bob

Answer

>Why do I need to use /example/exampleService if I already have it explictly declared in the Custom Domain Name?  
  
The non-custom domain URL for your lambda function is: https://xxx.execute-api.us-east-1.amazonaws.com/default/exampleService  
  
All your custom domain configuration is doing is mapping  https://xxx.execute-api.us-east-1.amazonaws.com/default/ to https://api.example.com/example/  
  
If you don't want to include the "example", you would need to have an empty basepath mapping. If you don't want to include the exampleService, you would need to update your API to have a method at the root resource of the API.  
 >Also, I was thinking about routing my functions as microservices with something like this: api.example.com/users/**, api.example.com/companies/**, etc. Each microservice as a different AWS Lambda function. Is that possible?  
  
Yes, this is very much possible. You can configure this with separate APIs (with the method at the root resource) with a basepath mapping for each, or a single API with the resources for each microservice (/users, /companies) and a single empty basepath mapping to this API.  
  
Regards,  
Bob

Answer

Now that works.  
  
But I don't understand. Why do I need to use /example/exampleService if I already have it explictly declared in the Custom Domain Name?   
  
Also, I was thinking about routing my functions as microservices with something like this: api.example.com/users/**, api.example.com/companies/**, etc. Each microservice as a different AWS Lambda function. Is that possible?

Lambda + API Gateway + Custom Domain Name = Missing Authentication Token

Relevant content