22

I have an AWS Lambda function that is exposed as a REST API.

When it is invoked it via the Test button on aws lambda console, it works.

When it is invoked via a online REST client, i get 403 error. It was created as requiring - no authentication (Open).

What configuration am i missing?

Jasper
  • 8,440
  • 31
  • 92
  • 133
  • Can you look at the CloudWatch logs and provide more details? CloudWatch logs each step of the Lambda function and this should help with debugging. – Matt Auerbach Oct 13 '15 at 19:54
  • 1
    Matt> I checked...but can't find any logs corresponding to the REST based invocation, simply because invocation itself fails due to 403(forbidden). Any other ideas? – Jasper Oct 14 '15 at 03:19
  • 1
    Presumably the lambda is accessed via API gateway. What happens when you invoke via the 'Test' button in API gateway console? http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-test-method.html – Mike76 Oct 15 '15 at 17:50
  • Did you resolve this? I am experiencing odd behavior wherein: the lambda proxy integration works fine via the APIG console; I have two GET paths, `/some/path?query=param` and `/some/path/:id`. From Postman client, the former works but the latter returns the 403 you describe. – Kwhitejr Nov 11 '19 at 00:33
  • how to do this ? It was created as requiring - no authentication (Open) ? how can I create it as no authentication ? – Surinder Jul 20 '20 at 04:43
  • I had this problem, so I enabled logs to try to debug it and suddenly the problem went away. I destroyed the resources and recreated, even removed the cloudwatch logs role from the settings and the problem is gone. Woosh! Account-level something?! – antirealm Jul 19 '21 at 10:19

5 Answers5

22

Supposedly the Lambda is exposed through an AWS API Gateway. One reason why you'd get 403 on a fresh "no authentication" API Gateway resource is because you haven't yet deployed your changes.

In API Gateway Console click the Actions dropdown and select Deploy API.

You should be good to go.

David Salamon
  • 2,361
  • 25
  • 30
11

Perhaps you are sending request to a wrong endpoint.

I was getting 403 error response by sending a POST request to https://example.com/locate

However, once I added stage http://example.com/dev/locate and deployed changes to this API, it worked ok, returning 200 response.

enter image description here

Hope that helps.

sapenov
  • 1,501
  • 1
  • 10
  • 7
9

You have to first make sure that CORS is enable at AWS API Gateway if you are accessing it from different domain because, it is API gateway which is throwing 403 error not the lambda function. You can enable CORS for a method or for complete resource. Select Actions and then select Enable CORS . This will add OPTIONS method to the resource if not already exist.

Enabling CORS on API gateway will make sure that all response headers will have Access-Control-Allow-Origin value set to '*' (i.e allow all origins, but you can specify specific origin e.g. http://localhost).

Enable CORS for method

Always make sure you are invoking correct URL. You can get url from Stage section of API Gateway or from Lambda Function (if you have set Lambda function as integration end point)

API url -> API Gateway -> Stage

API Url -> Lambda function

You can see new headers set in Method and Integration responses.

enter image description here

Arpit
  • 991
  • 14
  • 17
1

If you are writing logs to cloudwatch, then make sure CloudWatch log role ARN is configured. It can be accessed from API --> settings.

ICICI81
  • 101
  • 1
  • 9
0

If you are using authorisation of AWS then AWS calculate signature.

If you passing get or post params has to send it in alphabetically order.

Reason because when you pass token calculating signature UI or front end calcuate basis order which you added but AWS recalculate signature as per alphabetically order to match signature.

Try sending params in alphabetically order.

post = { 'id': 23, 'tag': '35353 }

Avinash Dalvi
  • 8,551
  • 7
  • 27
  • 53