By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

API Gateway - Execution failed: Resource forbidden due to invalid API Key

0

API gateway is returning:

< HTTP/2 403 
< date: Sun, 07 Jul 2024 02:51:24 GMT
< content-type: application/json
< content-length: 24
< x-amzn-requestid:
< x-amzn-errortype: BadRequestException
< x-amz-apigw-id:=
< 
* Connection #0 to host example.execute-api.ap-southeast-2.amazonaws.com left intact
{"message": "Forbidden"}%

when api key required is configured for a method.

In CloudWatch logs a single entry that says "Execution failed: Resource forbidden due to invalid API Key"

Things that have been checked in the web console:

  • key added to a usage plan
  • usage plan assigned to stage
  • api key is correct
  • request is being sent with "X-Api-Key"
  • key is correct
  • stage is deployed
  • method is correct
  • no other authroizer enabled
Topics
ServerlessFront-End Web & MobileNetworking & Content Delivery
Tags
Amazon API Gateway
Language
English
Michaela
asked 10 months ago1K views
3 Answers
1
Accepted Answer

The API Gateway console doesn't seem to correctly handle the REST apis. If you perform the following the CLI

aws apigateway get-api-keys shows

you'll see that the keys are missing configuration for stageKeys

"stageKeys": []

You can set this using the CLI

aws apigateway update-api-key --api-key {KEY_ID} --patch-operations op='add',path='/stages',value='{API_GATEWAY_ID}/{STAGE}'

The change will take up to 5 minutes to apply (usually shorter)

Michaela
answered 10 months ago
profile picture
EXPERT
Oleksii Bebych
reviewed 10 months ago
profile pictureAWS
EXPERT
Didier_Durand
reviewed 10 months ago
1

Make sure your API gateway account is migrated to use the UsagePlans feature.

In our case, the AWS console was unaware of it and just assumed it was enabled. But it wasn't.

To check your account supports usage plans, execute

> aws apigateway get-account

Check for features, it should include UsagePlans item.

If it's not there, execute

> aws apigateway update-account --patch-operations op='add',path='/features',value='UsagePlans'

This will also create default usage plans, and you may need some cleanup because duplicated usage plans are not allowed.

diopol
answered 8 months ago
  • movieglu
    6 months ago

    This solved the problem for me. I set up a new API Gateway in eu-west-1 for the first time (having previously had no problems in us-east-1 and us-east-2) - despite setting up everything in an identical manner, the UsagePlans item was missing in eu-west-1. Thank you for your comment!

0

AWS is such crap. There is always some BS thing like this that is completely obscured in the console and wastes hours of dev's lives.

Pursual
answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content