- Newest
- Most votes
- Most comments
Hello!
To begin with, for request with cache invalidations to be accepted by API Gateway, the request has to be Sigv4 signed and the client should also have the permissions to perform this operation as mentioned in this documentation.
If either of the two is missing, cache invalidations will not be successful if 'Require authorization' is enabled for Per-key cache invalidation in the API's stage settings. I have also tested this over a setup similar to the one you have.
It is also important to know the configurations of Per-key cache invalidation at both stage and method level, when you have method overrides.
Also the SDK reference shared is on 'FlushStageCacheCommand', which as the name says, is to flush stage level caching. Invalidations and flushing of cache are different operations and the 'FlushStageCacheCommand' will flush the entire stage level cache every time this API operation occurs. Whereas, invalidations are for specific cache entry only and they do not flush the entire cache, it just avoids serving the cached response for that particular request.
Addressing your queries :
-
It is possible for the Lambda function to place requests to the API requesting latest/new response by passing the
Cache-Control: max-age=0
header in a 'signed' request. I would like to emphasise again on the request signing part, without which API Gateway will not be able to recognize the request's authenticity. Programmatically achieving the same would involve making use of Sigv4 libraries in the Lambda function code for the function to get credentials based on its execution role (which has the necessary 'execute-api:InvalidateCache' permission) and place a signed request to the invoke URI of the API. You may find this example helpful in achieving the same. Please note that AWS does not endorse any third-party link(s) and is shared for your reference only. -
You do not need to turn off authorisation for invalidations to be successful for any of the HTTP methods. If 'Require authorization' is enabled for Per-key cache invalidation in the stage settings, API Gateway expects that the request from client has the following :
Cache-Control: max-age=0
header- Signed request with necessary credentials/tokens
- 'execute-api:InvalidateCache' permission for the identity whose credentials are used to sign the request.
Finally, the permissions that you have shared above seem invalid. I have also tested the operation at my end using the same policy and it was unsuccessful. Please note that the ARN format can contain wildcard (*) for the entries but they have to cover all the entries in the ARN. The working ARN you can specify as the value for 'Resource' would be arn:aws:execute-api:{region}:{account-id}:{api-id}/*/*/*
. I have also tested this at my end and was able to successfully invalidate the cache entry by placing a signed request satisfying all the conditions mentioned above in (2).
In case you have additional or follow-up queries, we may require details that are non-public information. Please open a support case with AWS using the following link.
Where can I find information about creating the "user" that the invalidate cache policy needs to be attached to?
This is the one step that is confusing me, and its not talked about anywhere. All the docs simply state "attach this policy to the user" with no explanation as to what this "user" is exactly.
We have a headless SPA, and we need to be able to invalidate the cache for certain paths as part of a build process, on an open API Gateway endpoint. As we cannot disable the authorisation option via Cloudformation, we need to be able to reliably invalidate the cache some other way.
Relevant content
- asked 2 years ago
- asked 3 years ago
- AWS OFFICIALUpdated 7 months ago
- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated 2 months ago
Ahh thank you so much. So I just missed the signing request part, just wish that was noted as how to authorise as well as the permissions in the documentation. I had a suspicion it was something along those lines but due to time constraints I had to cap my research, but it's good to know there was a way to invalidate. Anyway, thanks again!