Questions tagged with Amazon API Gateway


I have a simple lambda that I would like to *enable function URL* to assign an HTTPS endpoint; however, it is a container-based lambda, and I don't see *enable function URL* as an option in the *Advanced settings*. Do I have to use API Gateway to assign an endpoint to container-based lambdas or is there some other way to make it accessible?

0 answers | 0 votes | 16 views | budlinv | asked a month ago

I'm implementing a model-based system User -> AWS API Gateway -> AWS PrivateLink -> Network Load Balancer -> EC2 (Apache with PHP). When I load test with the NLB endpoint directly there is absolutely no problem with high load. But when testing with the API Gateway endpoint I get a lot of 500 error codes, Execution failed due to a network error communicating with the endpoint: Connection is closed, execution failed due to a timeout error (although it's a timeout error I get an error after very fast time). I'm wondering if there's something wrong with AWS PrivateLink? Can someone help me, thanks

1 answers | 0 votes | 39 views | iamnick | asked a month ago

Hello guys! I want to create an **Android app** that uses AWS to do heavy calculations (i.e. generate images with Stable Diffusion). The app will ask for these AWS resources with **Amazon API Gateway**. Unregistered users must not be able to access this API (they have to register and pay first). I want to use **Google Login** as the only way to sign in and log in (just like most games on Android; no passwords). I heard Cognito User Pool was designed for this purpose. But now I'm quite confused. I need a callback URL to create a Cognito User Pool, but I don't have any servers. I don't have a URL to redirect to. How does this work? Am I missing something? Can't I use Cognito this way, to ensure that only registered users can access my Amazon API Gateway? Thanks in advance!

1 answers | 0 votes | 27 views | asked a month ago

I have an ECS Fargate service deployed through a CloudFormation stack. It was previously exposed on port 8080 with HTTP ALB & NLB listeners. After moving to the secure container port 8443 with a 443 HTTPS listener, API Gateway is throwing the error below.

```
{"message": "Internal server error"}
- Execution failed due to configuration error: Host name 'host.name.ignored.for.vpc.amazon.com' does not match the certificate subject provided by the peer (CN=devprm.people.amazon.dev).
```

Any help will be appreciated.

1 answers | 0 votes | 39 views | asked a month ago

Greetings, I intend to build a web application and I am using Cognito for the authentication process. I am new to Cognito and so far have used the implicit grant flow. As far as I understand, when using implicit grant the App Client returns access tokens embedded in the callback URL, which are usually extracted and stored in the browser's cookies for subsequent API calls. Now, when using Authorization Code Grant, I understand that a code is returned in the callback URL after authentication, which is later sent to Cognito, and Cognito returns an access token and ID token. However, it is not clear to me how one should use these tokens for subsequent API calls in this flow. For example, in a micro-services web application a user, after logging in, would like to use service A or service B, which have their own API Gateway endpoints, and somehow the user needs persistent/stored tokens to use these endpoints. Thanks in advance.

1 answers | 0 votes | 53 views | apssg | asked a month ago

I am trying to create a proxy integration for Lambda invocation from API Gateway for a specific route (example.com/auth/{proxy+}, example.com/user/{proxy+}, etc..). I am creating a script for automated infrastructure initialization and deployment (without using CloudFormation, Terraform, etc.) directly from the .NET script that is planned to be available as an API.

The predefined infrastructure contains Route53 config, created API Gateway with custom domain. The dynamic infrastructure contains S3 and Lambda together with API Gateway modifications and deployment. Once the bucket for a new service is created and the built app is pushed to the bucket, a new Lambda function is created, configured and published. The last thing that is left is to create a new resource (route) that will invoke the underlying Lambda function and its underlying routes (e.g. example.com/auth/register).

The issue is that when I create an integration on a non-root resource, the Lambda function cannot be found or the Uri is not specified as it should be (this is something I am trying to figure out). Here is the simplified code that I wrote to accomplish this (I will exclude the Lambda function and S3 bucket created and show only API gateway and Lambda resource policy updates as they are relevant here). Important to note is that this code produces the same results as if it were done via the AWS console. Also, this code creates a working solution if the route is not specified (e.g. example.com/register)

```
var functionArn = await Lambda.GetFunctionArn(accessKey, secretKey, region, lambdaFunction);

var pathResponse = await c.CreateResourceAsync(new CreateResourceRequest
{
    ParentId = rootId,
    PathPart = path,
    RestApiId = apiId
});

await c.PutMethodAsync(new PutMethodRequest
{
    AuthorizationType = "NONE",
    HttpMethod = "ANY",
    ResourceId = pathResponse.Id,
    RestApiId = apiId
});

var proxyResponse = await c.CreateResourceAsync(new CreateResourceRequest
{
    ParentId = pathResponse.Id,
    PathPart = "{proxy+}",
    RestApiId = apiId
});

await c.PutMethodAsync(new PutMethodRequest
{
    AuthorizationType = "NONE",
    HttpMethod = "ANY",
    ResourceId = proxyResponse.Id,
    RestApiId = apiId
});

await Lambda.AddPermissions(account, accessKey, secretKey, region, lambdaFunction, apiId, path);

await c.PutIntegrationAsync(new PutIntegrationRequest
{
    HttpMethod = "ANY",
    IntegrationHttpMethod = "POST",
    ResourceId = pathResponse.Id,
    RestApiId = apiId,
    PassthroughBehavior = "WHEN_NO_MATCH",
    Type = IntegrationType.AWS_PROXY,
    Uri = $"arn:aws:apigateway:{region}:lambda:path/2015-03-31/functions/{functionArn}/invocations"
});

await c.PutIntegrationAsync(new PutIntegrationRequest
{
    HttpMethod = "ANY",
    IntegrationHttpMethod = "POST",
    ResourceId = proxyResponse.Id,
    RestApiId = apiId,
    PassthroughBehavior = "WHEN_NO_MATCH",
    Type = IntegrationType.AWS_PROXY,
    Uri = $"arn:aws:apigateway:{region}:lambda:path/2015-03-31/functions/{functionArn}/invocations"
});

var deployment = await c.CreateDeploymentAsync(new CreateDeploymentRequest
{
    Description = $"API deployment to {environment}",
    RestApiId = apiId,
    StageName = environment
});

return deployment.Id;
```

where `Lambda.AddPermissions` is as follows:

```
var basePermission = await c.AddPermissionAsync(new AddPermissionRequest
{
    Action = "lambda:InvokeFunction",
    FunctionName = name,
    Principal = "apigateway.amazonaws.com",
    SourceArn = $"arn:aws:execute-api:{region}:{account}:{apiId}/*/*/{path}/*",
    StatementId = Guid.NewGuid().ToString()
});

var proxyPermission = await c.AddPermissionAsync(new AddPermissionRequest
{
    Action = "lambda:InvokeFunction",
    FunctionName = name,
    Principal = "apigateway.amazonaws.com",
    SourceArn = $"arn:aws:execute-api:{region}:{account}:{apiId}/*/*/{path}",
    StatementId = Guid.NewGuid().ToString()
});

return new List<string>
{
    basePermission.Statement,
    proxyPermission.Statement
};
```

Is there an issue with SourceArn specifications? I first created them through the AWS console (they are automatically created when the integration is created for Lambda) and they are the same. Again, this all works when there is no path (non-root resource).

1 answers | 0 votes | 35 views | hcerim | asked a month ago

Hi, All API gateway called either through Postman or Unity are now giving 401 unauthorised to endpoints which were working fine. Nothing has been changed on my side, which leads me to think AWS has changed something. For example, using a POST method API with a Cognito User Pool Authorizer worked fine with a username and password through Unity and Postman. Now they don't. Thanks! Bhav

1 answers | 0 votes | 45 views | ND Bhav | asked a month ago

Hello, I configured API Gateway and a Lambda function to update one of my DynamoDB tables. I completed testing with the API Gateway menu, so I also tried with curl, but it fails. I checked the CloudWatch log and I can only see the path parameter; the body is not passed correctly. How can I fix it? As far as I know, a PUT request can have a body to update a database table attribute value, but that's not what happens in my case. I also configured the 'use lambda proxy integration' option in 'integration request'. For better understanding, I have also added my configuration below.

**Resource**

```
/card/{card_no}
  GET
  DELETE
  PUT   <-- this is the problem
```

**tested by API gateway test client**

```
INIT_START Runtime Version: python:3.9.v16 Runtime Version ARN: xxxx
START RequestId: xxxx Version: $LATEST
Event: {
  "resource": "/card/{card_no}",
  "path": "/card/1",
  "httpMethod": "PUT",
  "headers": null,
  "multiValueHeaders": null,
  "queryStringParameters": null,
  "multiValueQueryStringParameters": null,
  "pathParameters": { "card_no": "1" },
  ...
  "body": "{\n \"card_no\": 1,\n \"nickname\": \"name\",\n \"overall_type\": \"type\"\n}",
  "isBase64Encoded": false
}
END RequestId: xxxx
REPORT RequestId: xxxx Duration: 1322.79 ms Billed Duration: 1323 ms Memory Size: 128 MB Max Memory Used: 66 MB Init Duration: 236.32 ms
```

**tested by curl**

```
curl -v -X PUT \
  'https://xxxx.amazonaws.com/dev/card/1' \
  -H 'content-type: application/json' \
  -d '{"card_no": 1,"nickname": "nickname","overall_type": "type"}'
Trying xxx..
Connected to xxxx (xxxx) port 443 (#0)
ALPN: offers h2
ALPN: offers http/1.1
....
Using HTTP2, server supports multiplexing
Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
h2h3 [:method: PUT]
h2h3 [:path: /dev/card/1]
h2h3 [:scheme: https]
h2h3 [:authority: xxxx.amazonaws.com]
h2h3 [user-agent: curl/7.86.0]
h2h3 [accept: */*]
h2h3 [content-type: application/json]
h2h3 [content-length: 60]
Using Stream ID: 1 (easy handle 0x14180c600)
PUT /dev/card/1 HTTP/2
Host: xxxx.amazonaws.com
user-agent: curl/7.86.0
accept: */*
content-type: application/json
content-length: 60
Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
We are completely uploaded and fine
HTTP/2 200
date: xxx
content-type: application/json
content-length: 220
x-amzn-requestid: xxxx
x-amz-apigw-id: xxxx
x-amzn-trace-id: Root=xxxx
Connection #0 to host 3pjqiu4m22.execute-api.ap-northeast-2.amazonaws.com left intact
{"errorMessage": "'body'", "errorType": "KeyError", "requestId": "xxxx", "stackTrace": [" File \"/var/task/index.py\", line 12, in handler\n body_input = json.loads(event['body'])\n"]}%
```

**cloud watch log when I send curl**

```
INIT_START Runtime Version: python:3.9.v16 Runtime Version ARN: xxxx
START RequestId: xxxx Version: $LATEST
Event: { "card_no": 1 }
==> strange point, I added print in my python code to see all the request, but only path parameter passed, can't see body...
[ERROR] KeyError: 'body'
Traceback (most recent call last):
  File "/var/task/index.py", line 12, in handler
    body_input = json.loads(event['body'])
END RequestId: xxxx
REPORT RequestId: xxxx Duration: 1024.82 ms Billed Duration: 1025 ms Memory Size: 128 MB Max Memory Used: 64 MB Init Duration: 226.62 ms
```

**lambda code**

```python
import json
import boto3

def handler(event, context):
    print("Event: %s" % json.dumps(event))
    client = boto3.resource('dynamodb')
    table = client.Table('CardInfo')
    body_input = json.loads(event['body'])
    response = table.update_item(
        xxx...xxx
        },
        ReturnValues="UPDATED_NEW"
    )
    return {
        'statusCode': response['ResponseMetadata']['HTTPStatusCode'],
        'body': json.dumps(response['Attributes'], default=str)
    }
```

1 answers | 0 votes | 34 views | asked a month ago

I read in this [article](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html):

> To let a user sign in using Amazon Cognito credentials and also obtain temporary credentials to use with the permissions of an IAM role, use Amazon Cognito Federated Identities. For each API resource endpoint HTTP method, set the authorization type, category Method Execution, to AWS_IAM.

Does anyone know how to implement this from end to end? I can't find a guide. I'm trying to implement access to API Gateway using Cognito hosted UI login.

1 answers | 0 votes | 32 views | fouad | asked a month ago

Hello guys, I'm trying to disable an API key to deny all access relative to my APIs, but when I flag it as disabled the API key still works. I expected that the API gateway could refuse access, but it's not happening.

![Enter image description here](/media/postImages/original/IMg4QnWdl0Rb-wzLEAan0Ozw)

As the API gateway didn't refuse the access and I'm using a custom lambda authorizer, I thought I should deny the access by myself, right? I'm trying to deny it through the lambda authorizer, but I haven't seen any information on the context of the key that shows me if it is enabled or disabled.

![Enter image description here](/media/postImages/original/IMgA4D_x5yRBKqSBmf3I4RRA)

As you can see in the image above, there isn't any information about if the key is enabled or disabled. Has someone any solution for this case? Thank you.

**Update**

Steps that I have tried:

1. I flagged my API key as disabled.
2. at API gateway > Resources > Actions -> Deploy API -> Add stage -> Deploy
3. I hit my API, and the key still works
4. Then I checked if some information came on context of my custom lambda authorizer

0 answers | 3 votes | 62 views | asked a month ago

I have an HTTP API integration with a Cognito authorizer and I'm using implicit grant. The id_token is passed in the URL as:

```
https://abc.eu-central-1.amazonaws.com/abc#id_token=xyz
```

My API gateway has Identity Source config as:

```
$request.querystring.id_token
```

The API gateway is failing to parse the id_token and ends up returning `{"message":"Unauthorized"}`. If I change the request manually to use ? instead of # in front of id_token everything works fine because hash fragments are not sent to the server:

```
https://abc.eu-central-1.amazonaws.com/abc?id_token=xyz
```

Any ideas how to sort this issue without changing the auth type? I can't believe I'm spending a day on such an issue.

2 answers | 0 votes | 59 views | fouad | asked a month ago

I've created a new project from a template HelloWorld. I use Rider and macOS. When I build the image with local configuration, the image is created successfully.

![Enter image description here](/media/postImages/original/IMI742BOFzTQutFdWI70CWFw)

When I run the remote configuration I receive Runtime.InvalidEntrypoint

![Enter image description here](/media/postImages/original/IMRKXB4OrGRQ2uxzJkX02UZg)

This is what my default template.yaml file looks like.

```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  Sample SAM Template for HelloWorld

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 10
    MemorySize: 128

Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      PackageType: Image
      Events:
        HelloWorld:
          Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
          Properties:
            Path: /hello
            Method: get
    Metadata:
      DockerTag: dotnet6-v1
      DockerContext: ./src/HelloWorld
      Dockerfile: Dockerfile
      DockerBuildArgs:
        SAM_BUILD_MODE: run

Outputs:
  # ServerlessRestApi is an implicit API created out of Events key under Serverless::Function
  # Find out more about other implicit resources you can reference within SAM
  # https://github.com/awslabs/serverless-application-model/blob/master/docs/internals/generated_resources.rst#api
  HelloWorldApi:
    Description: "API Gateway endpoint URL for Prod stage for Hello World function"
    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/hello/"
  HelloWorldFunction:
    Description: "Hello World Lambda Function ARN"
    Value: !GetAtt HelloWorldFunction.Arn
  HelloWorldFunctionIamRole:
    Description: "Implicit IAM Role created for Hello World function"
    Value: !GetAtt HelloWorldFunctionRole.Arn
```

This is what my Remote configuration looks like.

![Enter image description here](/media/postImages/original/IMjRdvDljWS0imkSF1yRfuMg)

I use macOS and I read that Runtime.InvalidEntrypoint is thrown when the image is built with a different architecture type than the expected one, which makes sense. macOS default configuration is arm64 and I guess lambda is expecting x86/64. If that's the case, how do I set up the remote configuration so that the output is an x64 image?

![Enter image description here](/media/postImages/original/IMlea_n3_xTRGzBO9TSdnwxw)

1 answers | 0 votes | 42 views | stany | asked a month ago