I have an API Gateway endpoint with IAM authentication, no Custom Domain Names, no API Key, API is deployed to Prod and no AWS WAF enabled (TBMK) and VPC proxy integration request method.

I am calling this endpoint from a Lambda (with attached execute-api:Invoke permission to call the API), however I am getting a 403 error with message Forbidden. Notice that if I remove the IAM authentication method, the call from Lambda works fine.

I've already seen this and this SO question + the AWS doc on the topic, but I've already tried these solutions (as explained before).

Sample code for calling API Gateway inside Lambda:

import java.net.HttpURLConnection;
import java.net.URL;

// Plain connection: no SigV4 headers are added to this request
final HttpURLConnection connection = (HttpURLConnection) new URL(postApiUrl).openConnection();
connection.setRequestMethod("POST");
final int responseCode = connection.getResponseCode();
//...

How I attach API Gateway ARN to Lambda role in CDK:

import { Effect, PolicyStatement } from '@aws-cdk/aws-iam'; // CDK v1 import path

// Grants the Lambda execution role permission to invoke this one method
this.addToRolePolicy(
    new PolicyStatement({
        actions: ['execute-api:Invoke'],
        effect: Effect.ALLOW,
        resources: [postMethod.methodArn],
    }),
);
justHelloWorld

2 Answers

2

You have set up IAM authentication for your API GW method, but your Lambda function code does not sign the request made to API GW. Note: Simply adding the execute-api:Invoke permission to the Lambda function execution role does not sign the request.

You need to use the AWS SigV4 signing process to add the authentication information which is then verified on the API GW end. This doc lists the steps involved which basically are:

  1. Create a canonical request.
  2. Use the canonical request and additional metadata to create a string for signing.
  3. Derive a signing key from your AWS secret access key. Then use the signing key, and the string from the previous step, to create a signature.
  4. Add the resulting signature to the HTTP request in a header or as a query string parameter.

Since you're using Java, this blog post also provides some sample code which you can refer to.

Efren
Paradigm
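The four signing steps listed in the answer, carried through in code. This is an added example, not code from the question or the answer; it uses Python's standard library rather than a Java signer, and the credentials, host and timestamp are constructed placeholders (AKIDEXAMPLE is the placeholder key id used in the AWS documentation), not real secrets. It also covers the case that matters inside a Lambda: the execution role's credentials are temporary, so the session token has to be signed as `x-amz-security-token`, otherwise API Gateway answers 403.

```python
"""SigV4 signing for an execute-api request (added example, not the post's code).

Steps match the answer: canonical request -> string to sign -> derived signing
key -> signature placed in the Authorization header.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Step 1: canonical request. Header names are lowercased, values trimmed,
    both sorted by name; the query string is sorted and URI-encoded; the body
    is represented by its SHA-256 hex digest."""
    canon = sorted((k.lower().strip(), " ".join(v.split())) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in canon)
    signed_headers = ";".join(k for k, _ in canon)
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    canonical_uri = quote(path or "/", safe="/-_.~")
    request = "\n".join(
        [method.upper(), canonical_uri, canonical_query, canonical_headers,
         signed_headers, sha256_hex(payload)]
    )
    return request, signed_headers


def string_to_sign(amz_date, scope, canonical):
    """Step 2: algorithm, timestamp, credential scope, hash of step 1."""
    return "\n".join([ALGORITHM, amz_date, scope, sha256_hex(canonical.encode("utf-8"))])


def signing_key(secret_key, date_stamp, region, service):
    """Step 3a: derive the per-day, per-region, per-service key from the secret."""
    k_date = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, query, body, access_key, secret_key, region,
                 when, service="execute-api", session_token=None, headers=None):
    """Steps 3b and 4: sign the string and return the headers to send, including
    Authorization. `when` must be a timezone-aware UTC datetime."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    all_headers = dict(headers or {})
    all_headers["host"] = host
    all_headers["x-amz-date"] = amz_date
    if session_token:
        # Temporary credentials (Lambda execution role) must sign the token too.
        all_headers["x-amz-security-token"] = session_token
    canonical, signed_headers = canonical_request(method, path, query, all_headers, body)
    sts = string_to_sign(amz_date, scope, canonical)
    key = signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(key, sts.encode("utf-8"), hashlib.sha256).hexdigest()
    all_headers["authorization"] = (
        f"{ALGORITHM} Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return all_headers


if __name__ == "__main__":
    # Constructed placeholder inputs; a Lambda would read these from its
    # AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN environment.
    signed = sign_request(
        "POST", "abc123.execute-api.us-east-1.amazonaws.com", "/Prod/items", {},
        b'{"id": 1}', "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
        "us-east-1", datetime.now(timezone.utc), session_token="constructed-token",
        headers={"content-type": "application/json"},
    )
    for name, value in signed.items():
        print(f"{name}: {value}")
```

In production code the SDK signer (the AWS SDK for Java's signer, or botocore's SigV4Auth in Python) should do this rather than a hand-rolled routine; the block is here to make the four steps and the session-token requirement concrete.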
-2

APIG has an authorizer cache, check this out.

https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-403-error-lambda-authorizer/

If you could have a read and perhaps elaborate a little I'll include the proper solution.

Mrk Fldig
    While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/low-quality-posts/26375830) – Dunedan Jun 10 '20 at 17:59
  • @Dunedan Thanks for this I understand, so the problem is given limited information there are one of a number of causes from long a document, I've revised my answer to reflect that. – Mrk Fldig Jun 10 '20 at 18:25