API Gateway Cache Invalidation not working

2

I'm trying to invalidate API Gateway cache as described in the documentation: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html

I've tried to invalidate the cache by making an HTTP request using Lambda and through Postman, but neither worked. The result is always the same: I get a warning in the response headers saying "199 Cache-control headers were ignored because the caller was unauthorized."

My API Gateway policy currently looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "execute-api:Invoke",
                "execute-api:InvalidateCache"
            ],
            "Resource": "arn:aws:execute-api:{region}:{accountId}:{apiId}/*"
        }
    ]
}

I've also applied the permission execute-api:InvalidateCache to the Lambda that calls the API Gateway.

asked 2 years ago · 1884 views
4 Answers
1

Good question.

Is this for a GET method? And are you authorized properly - does the IAM role you are using or the lambda role have the proper permissions to Invalidate Cache?

If not - I would check the settings for if API Cache is enabled and the setting for per-key cache invalidation here: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html#override-api-gateway-stage-cache-for-method-cache.

The error you are getting tells me that the setting for handle unauthorized requests is set to "Ignore cache control header. Add a warning in response header." And that it may still think you are unauthorized.

jsonc
answered 2 years ago
  • Yes, it is a GET method and the Lambda has the policy to execute-api:InvalidateCache

0

I'm having the same problem here. Cache invalidation works properly only if I do not require authorization.

Also, I can't understand from the documentation if authorization also works with a custom authorizer on API Gateway. My authorization mechanism on API Gateway is based on a bearer JWT token with a Lambda authorizer that returns a policy. I tried to return the proper policy execute-api:InvalidateCache from the custom authorizer but it didn't work as expected.

I also tried with an IAM based authorization and a signed HTTP request but it did not work either. I had a user with the proper policy (I did not try with a role).

Also I did not try with a lambda calling the API gateway.

I suspect there is something around roles vs policies that I don't do properly...

Also, can you confirm if it can work with a custom authorizer or not?

bruno
answered 2 years ago
0

Facing the same issue.

Created a policy, and attached it to the role which lets API Gateway invoke functions etc. Tried via Postman with a valid JWT for a user in Cognito, and I get the warning header.

Which role is the policy supposed to be attached to exactly?

Pablo
answered 6 months ago
0

I am facing the same issue. Here is a post that I found: https://repost.aws/questions/QUqjodpSPlTnm8Y3B9wm9Wfw/can-i-use-api-gateway-cache-invalidation-with-a-custom-authorizer It states that at the moment only AWS_IAM authorization supports cache invalidation. Looks like it still works in this way.

answered 3 months ago
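
The request shape the last answer points to, as an added example that is not code from any poster or from AWS: a GET carrying Cache-Control: max-age=0 and a SigV4 signature for the execute-api service, from an IAM identity allowed execute-api:InvalidateCache. The URL, region, keys and function names are constructed placeholders, and it assumes the method uses AWS_IAM authorization.

```python
import datetime, hashlib, hmac
from urllib.parse import urlsplit, parse_qsl, quote

SERVICE = "execute-api"  # SigV4 service name for invoking API Gateway APIs

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signed_invalidation_headers(url, region, access_key, secret_key,
                                session_token=None, now=None):
    """Headers for a SigV4-signed GET carrying Cache-Control: max-age=0."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, day = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    parts = urlsplit(url)
    headers = {"cache-control": "max-age=0", "host": parts.netloc,
               "x-amz-date": amz_date}
    if session_token:  # role credentials, e.g. a Lambda execution role
        headers["x-amz-security-token"] = session_token
    names = sorted(headers)
    signed = ";".join(names)
    query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(parse_qsl(parts.query, keep_blank_values=True)))
    canonical = "\n".join([
        "GET", quote(parts.path or "/", safe="/~"), query,
        "".join(f"{n}:{headers[n]}\n" for n in names), signed,
        hashlib.sha256(b"").hexdigest()])  # a GET has an empty body
    scope = f"{day}/{region}/{SERVICE}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (day, region, SERVICE, "aws4_request"):  # derive signing key
        key = _hmac(key, part)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return headers

def invalidation_ignored(response_headers):
    """True if a response header carries the warning quoted in the question."""
    return any("Cache-control headers were ignored" in str(v)
               for v in response_headers.values())

if __name__ == "__main__":
    # Constructed placeholders, not real credentials or a real API.
    h = signed_invalidation_headers(
        "https://abc123.execute-api.us-east-1.amazonaws.com/prod/items?id=7",
        "us-east-1", "AKIDEXAMPLE", "constructed-secret-key")
    print(h["authorization"])
```

Send the returned headers with the GET using any HTTP client, then pass the response headers to invalidation_ignored to see whether the stage still treated the caller as unauthorized.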
