121

I have created an API Key and added it to my functions. I have then deployed the api and tested it but still get:

"message": "Forbidden"

How do I pass the api key with my JSON request as I have been using "x-api-key": "theKey"?

Grokify
  • 15,092
  • 6
  • 60
  • 81
cdub
  • 24,555
  • 57
  • 174
  • 303
  • 2
    this [post](http://www.awslessons.com/2017/aws-api-gateway-adding-apikey-requests/) explained it for me! – phouse512 Feb 26 '17 at 04:48

12 Answers12

140

The x-api-key parameter is passed as a HTTP header parameter (i.e. it is not added to the JSON body). How you pass HTTP headers depend on the HTTP client you use.

For example, if you use curl and assuming that you POST the JSON payload, a request would look something like (where you replace [api-id] with the actual id and [region] with the AWS region of your API):

$ curl -X POST -H "x-api-key: theKey" -H "Content-Type: application/json" -d '{"key":"val"}' https://[api-id].execute-api.[region].amazonaws.com
matsev
  • 32,104
  • 16
  • 121
  • 156
  • Yes I use NSMutableURLRequest *request in ios sdk which then you can add the key too and it worked – cdub Aug 22 '16 at 01:57
  • 2
    Is there a way to use our own custom header name instead of "x-api-key" header name? – Manik Arora May 26 '21 at 06:34
  • 4
    Still relevant in 2021 - you would think the AWS docs would be a bit more specific on how (for example in Postman) you can provide your API key to test this functionality – bownie Sep 07 '21 at 10:39
122

I had to add an API Usage plan, and then link the plan to the API stage.

Seems like this is the only way to link the key to the API, not sure if this is a recent change on AWS.

TimoSolo
  • 7,068
  • 5
  • 34
  • 50
  • 27
    I just ran into the same issue. Took me half an hour to figure out what's going on. This lousy error message: `{"message":"Forbidden"}` wasn't helpful at all. Thanks AWS!! – kev Nov 09 '17 at 01:11
  • 15
    Classic AWS. Just miss out a vital part of the documentation and don't tell you what the problem is in the error message or how to fix it. Thanks, this solved it for me. – Rich Smith Feb 15 '18 at 10:53
  • This helped me. – Shamal Karunarathne Jun 22 '18 at 15:58
  • 8
    don't forget to deploy again! – AlleyOOP Dec 08 '19 at 19:45
  • 5
    The way I found the solution was to activate logging. That needs a Role for apigateway with the permission AmazonAPIGatewayPushToCloudWatchLogs. In the logging, the message is actually very clear: "API Key ***** not authorized because method 'POST /predict' requires API Key and API Key is not associated with a Usage Plan for API Stage x______y/stg: No Usage Plan found for key and API Stage" – peter_v Jan 22 '20 at 16:30
  • Is there a way to use our own custom header name instead of "x-api-key" header name? – Manik Arora May 26 '21 at 06:35
  • so circumvoluted – Kaymaz May 12 '22 at 19:58
48

If you set 'API Key Required' option to true, please check below.

  1. you have to pass 'x-api-key' HTTP Header Parameter to API Gateway.

  2. The API Key had to be created.

  3. In addition, you need to check a Usage Plan for the API Key on API Gateway Console.

Pang
  • 9,564
  • 146
  • 81
  • 122
Daniel Jihoon Oh
  • 1,809
  • 1
  • 10
  • 4
41

If you set 'API' key required to true, you need to pass the api key as header.

API Key is passed as header field 'x-api-key'. Even after adding this field in header, this issue may occur. In that case, please validate below points

  1. Do you have a Usage Plan? if not need to create one.
  2. Link you API with Usage Plan. For that add a stage, it will link your API
  3. Do you have API Key? if not you need to create an API Key and enable it.
  4. Add the Usage Plan which is linked with your API to this API Key. For that, add Usage Plan.
bisw
  • 827
  • 9
  • 13
25

I hope you are not missing to link the API key with the API API-Gateway Configuration

Partha
  • 814
  • 6
  • 13
16

I was able to get a successful response from Lambda using below configuration in Postman native app -

Under authorization tab (For some reason this didn't work when i passed the same parameters under header)

Key : x-api-key

Value : your-api-key-value

Add to : Header

Abhishek Poojary
  • 749
  • 9
  • 10
6

I don't have enough reputation to set this as a comment, But I was finally able to find the document specifying that 'x-api-key' belongs in the header for API Gateway calls that come from outside clients (like postman, swagger, etc.) in the AWS Documentation.

The relevant part:

To use header-sourced API keys:

  1. Create an API with desired API methods. And deploy the API to a stage.
  2. Create a new usage plan or choose an existing one. Add the deployed API stage to the usage plan. Attach an API key to the usage plan or choose an existing API key in the plan. Note the chosen API key value.
  3. Set up API methods to require an API key.
  4. Redeploy the API to the same stage. If you deploy the API to a new stage, make sure to update the usage plan to attach the new API stage.

The client can now call the API methods while supplying the x-api-key header with the chosen API key as the header value.

Choose an API key source

MarMar
  • 180
  • 2
  • 8
5

For Private API Gateways accessed through public DNS, we need to pass additional header of 'x-apigw-api-id' with the api id along with 'x-api-key' if configured.

curl -v https://{vpce-id}.execute-api.{region}.vpce.amazonaws.com/test -H 'x-apigw-api-id:{api-id}'

Its documented below,

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-api-test-invoke-url.html#w20aac13c16c28c11

msounthar
  • 343
  • 4
  • 8
  • My issue was that I had included this x-apigw-api-id header for a public API Gateway by mistake. Removing it worked for me. – Skromak Feb 18 '21 at 14:01
3

Here a good resource explaining different reasons why we could be getting a Forbidden. The two most important are the request URL and the x-api-key header:

https://{api_id}.execute-api.{region}.amazonaws.com/{stage_name}/{resource_name}

Missing stage name will give you 403 for ex. Maybe for security reasons the response is not revealing an issue with the stage name, and thus you get a generic Forbidden.

Mike Bendorf
  • 460
  • 6
  • 7
2

I faced the same problem today. I had already mapped the API key to the usage plan (which was linked to the api gateway stage). I was also passing the api key in header correctly.

When none of these solutions work, do remember to check if your API is linked to WAF policy with only a certain ip-addresses permitted. Apparently, my IP address had changed today. So, WAF was blocking me. That can be an additional reason to get {"message": "Forbidden"} error.

Ajeet Mishra
  • 342
  • 2
  • 8
1

I had the same issue today, but my problem was that I forgot to associate a usage plan with a stage.

Usage Plan -> Details -> Add Stage

Pythoner
  • 460
  • 6
  • 23
0

A source of error can be the global setting for "Api Key Source".

In the console, when inside the API, navigate to "Settings" > Scroll down to "API Key Source" > Select "HEADER".

enter image description here

Finch_Powers
  • 2,938
  • 1
  • 24
  • 34