API Gateway - Execution failed: Resource forbidden due to invalid API Key

1

API gateway is returning:

< HTTP/2 403 
< date: Sun, 07 Jul 2024 02:51:24 GMT
< content-type: application/json
< content-length: 24
< x-amzn-requestid:
< x-amzn-errortype: BadRequestException
< x-amz-apigw-id:=
< 
* Connection #0 to host example.execute-api.ap-southeast-2.amazonaws.com left intact
{"message": "Forbidden"}%

when api key required is configured for a method.

In CloudWatch logs there is a single entry that says "Execution failed: Resource forbidden due to invalid API Key"

Things that have been checked in the web console:

  • key added to a usage plan
  • usage plan assigned to stage
  • api key is correct
  • request is being sent with "X-Api-Key"
  • key is correct
  • stage is deployed
  • method is correct
  • no other authorizer enabled

3 Answers
3

Make sure your API gateway account is migrated to use the UsagePlans feature.

In our case, the AWS console was unaware of it and just assumed it was enabled. But it wasn't.

To check your account supports usage plans, execute

> aws apigateway get-account

Check for features, it should include UsagePlans item.

If it's not there, execute

> aws apigateway update-account --patch-operations op='add',path='/features',value='UsagePlans'

This will also create default usage plans, and you may need some cleanup because duplicated usage plans are not allowed.

answered 2 years ago
  • This solved the problem for me. I set up a new API Gateway in eu-west-1 for the first time (having previously had no problems in us-east-1 and us-east-2) - despite setting up everything in an identical manner, the UsagePlans item was missing in eu-west-1. Thank you for your comment!

  • Life saver. After several hours of hair-tearing I found this. I had to delete my existing usage plan and API key and then recreate them before it kicked in. Thank you

1
Accepted Answer

The API Gateway console doesn't seem to correctly handle the REST APIs. If you perform the following in the CLI

aws apigateway get-api-keys

you'll see that the keys are missing configuration for stageKeys

"stageKeys": []

You can set this using the CLI

aws apigateway update-api-key --api-key {KEY_ID} --patch-operations op='add',path='/stages',value='{API_GATEWAY_ID}/{STAGE}'

The change will take up to 5 minutes to apply (usually shorter).

answered 2 years ago
EXPERT
reviewed 2 years ago
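
Added example, not part of either answer: a Python sketch that reads the JSON printed by `aws apigateway get-account` and `aws apigateway get-api-keys` and reports the two conditions the answers above describe (UsagePlans missing from `features`, `stageKeys` without the API/stage pair), plus a disabled-key check that goes beyond them. The sample JSON, the key IDs, `abc123`/`prod` and the `audit` function are constructed for illustration.

```python
import json

# Constructed sample of `aws apigateway get-account` output (not from the page).
SAMPLE_ACCOUNT = json.loads("""
{"throttleSettings": {"burstLimit": 5000, "rateLimit": 10000.0},
 "features": [], "apiKeyVersion": "4"}
""")

# Constructed sample of `aws apigateway get-api-keys` output; IDs are placeholders.
SAMPLE_KEYS = json.loads("""
{"items": [
  {"id": "key0000001", "name": "mobile-client", "enabled": true, "stageKeys": []},
  {"id": "key0000002", "name": "partner", "enabled": true,
   "stageKeys": ["abc123/prod"]},
  {"id": "key0000003", "name": "old-client", "enabled": false,
   "stageKeys": ["abc123/prod"]}
]}
""")


def audit(account, api_keys, rest_api_id, stage):
    """Return a list of findings for the checks described in the answers."""
    findings = []
    # First answer: the account-level feature list must contain UsagePlans.
    if "UsagePlans" not in account.get("features", []):
        findings.append("account: UsagePlans feature missing")
    wanted = f"{rest_api_id}/{stage}"
    for key in api_keys.get("items", []):
        label = f"key {key['id']} ({key.get('name', '?')})"
        # Extra check (not in the answers): a disabled key is rejected.
        if not key.get("enabled", False):
            findings.append(f"{label}: disabled")
        # Accepted answer: stageKeys should list '{API_GATEWAY_ID}/{STAGE}'.
        if wanted not in key.get("stageKeys", []):
            findings.append(f"{label}: stageKeys lacks {wanted}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_ACCOUNT, SAMPLE_KEYS, "abc123", "prod"):
        print(line)
```

To use it on a real account, replace the two samples with the parsed output of the CLI commands and pass your own API ID and stage name.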
0

AWS is such crap. There is always some BS thing like this that is completely obscured in the console and wastes hours of devs' lives.

answered a year ago
