Posting multipart/form-data via API HTTP Gateway returns HTTP 403 Forbidden error


I have a problem with multipart/form-data encoded POST requests in API HTTP Gateway using IAM authorization. The error received from the API Gateway is HTTP 403 Forbidden despite using admin credentials.

The API Gateway HTTP API is set up as a proxy with a VPC link.

I observe:

  • Other routes I have with different request types and request encoding do reach the backend services, which suggests this isn't a general authorization issue
  • The same POST request but using a different encoding is being passed through
  • My backend API endpoint works with multipart/form-data encoded POST requests without the API HTTP Gateway

My API HTTP Gateway is routing requests to an application load balancer. I can see that the requests never reach the load balancer (which the HTTP 403 error already indicates).

The access logs in the API Gateway look like this:

{
    "authError": "Forbidden",
    "error": "Forbidden",
    "httpMethod": "POST",
    "integrationError": "-",
    "protocol": "HTTP/1.1",
    "routeKey": "POST /{proxy+}",
    "status": "403"
}

I have studied this troubleshooting guide but have not been able to solve it: https://repost.aws/knowledge-center/api-gateway-troubleshoot-403-forbidden.

I cannot find any documentation saying that it shouldn't be possible to post multipart/form-data via API HTTP Gateway so I believe I've got something wrong in my configuration.

1 Answer

The issue you're experiencing with multipart/form-data encoded POST requests returning a 403 Forbidden error in API Gateway HTTP API is likely related to the way API Gateway handles this specific content type.

While API Gateway generally supports various content types, including multipart/form-data, there are some considerations and potential limitations when using this format, especially with IAM authorization:

  1. Content-Type header: Ensure that your request includes the correct Content-Type header (multipart/form-data) and that it's properly formatted.

  2. IAM policy: Check your IAM policy to make sure it explicitly allows the multipart/form-data content type. You may need to add a condition to your policy that includes this specific content type.

  3. API Gateway configuration: Verify that your API Gateway is configured to accept and pass through multipart/form-data requests. This may involve adjusting the binary media types settings in your API configuration.

  4. Request body parsing: API Gateway might be having issues parsing the multipart/form-data request body. You could try adjusting the request body parsing options in your API Gateway settings.

  5. VPC Link configuration: Since you're using a VPC link, ensure that the network path between API Gateway and your VPC resources is correctly set up and that there are no security group or network ACL rules blocking the traffic.

  6. Payload size: Check if the payload size exceeds API Gateway limits. There are size restrictions for requests, which could potentially trigger a 403 error if exceeded.

  7. CORS settings: If this is a cross-origin request, ensure your CORS settings in API Gateway are correctly configured to allow the multipart/form-data content type.

To troubleshoot further:

  1. Try using a simpler content type (like application/json) to isolate whether the issue is specific to multipart/form-data.
  2. Check CloudWatch Logs for more detailed error messages that might not be visible in the access logs.
  3. Consider using API Gateway REST API instead of HTTP API, as it might offer more flexibility in handling complex content types.

If the issue persists after checking these points, you may need to contact AWS support for more specific guidance on your API Gateway configuration.

answered a year ago
  • Thanks, this is somewhat useful but could I get some clarification on the points below please: 3. Verify API Gateway configuration: how does one adjust the binary media types settings in an API Gateway HTTP API? 4. I use the passthrough setting so does the API Gateway do any request parsing? Can you point me to the documentation about request body parsing for API Gateway HTTP APIs?
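
IAM authorization checks a Signature Version 4 signature, which covers a SHA-256 hash of the exact body bytes plus whichever headers the client signed. The sketch below is an added example, not code from this thread: it signs a multipart/form-data body and shows that the signature no longer matches when the same form is re-encoded with a different boundary after signing. The secret, host, path, date and region are constructed placeholders, and Content-Type is assumed to be among the signed headers.

```python
import hashlib
import hmac


def build_multipart(fields, boundary):
    """Encode text fields as a multipart/form-data body; return (body, content_type)."""
    parts = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
        for k, v in fields.items()
    ]
    body = ("".join(parts) + f"--{boundary}--\r\n").encode()
    return body, f"multipart/form-data; boundary={boundary}"


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_signature(secret, method, host, path, body, content_type,
                    amz_date, region, service="execute-api"):
    """SigV4 signature over content-type, host, x-amz-date and the body hash."""
    headers = {"content-type": content_type, "host": host, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(body).hexdigest()
    # The empty string is the canonical query string (none in this example).
    canonical = "\n".join([method, path, "", canonical_headers, signed, payload_hash])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for step in (amz_date[:8], region, service, "aws4_request"):
        key = _hmac(key, step)  # derive the signing key step by step
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()


def demo():
    """Sign one encoding, then recompute over a re-encoded copy of the same form."""
    common = dict(secret="EXAMPLE-SECRET-KEY", method="POST", host="api.example.com",
                  path="/upload", amz_date="20240101T000000Z", region="us-east-1")
    fields = {"title": "report", "note": "constructed sample"}
    body_a, ctype_a = build_multipart(fields, "boundary-A")  # bytes the signer saw
    body_b, ctype_b = build_multipart(fields, "boundary-B")  # bytes actually sent
    signed = sigv4_signature(body=body_a, content_type=ctype_a, **common)
    same = sigv4_signature(body=body_a, content_type=ctype_a, **common)
    resent = sigv4_signature(body=body_b, content_type=ctype_b, **common)
    return signed == same, signed == resent


if __name__ == "__main__":
    print(demo())
```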
