
I have an API Gateway as a custom origin on a CloudFront distribution hosted on a custom domain. The API works great when I call it from the amazonaws.com URL, but from my custom domain I get "Missing Authentication Token". I assume I have the CloudFront distribution configured wrong somehow?

```yaml
Dashboard:
  Type: 'AWS::CloudFront::Distribution'
  Properties:
    DistributionConfig:
      Aliases:
        - promptdash.com
      CacheBehaviors:
        - AllowedMethods:
            - DELETE
            - GET
            - HEAD
            - OPTIONS
            - PATCH
            - POST
            - PUT
          ForwardedValues:
            QueryString: false
            Headers: []
          PathPattern: api/*
          TargetOriginId: rest-api-origin
          ViewerProtocolPolicy: https-only
      DefaultCacheBehavior:
        Compress: true
        ForwardedValues:
          QueryString: false
          Headers: []
          Cookies:
            Forward: none
        TargetOriginId: static-site-origin
        ViewerProtocolPolicy: allow-all
      DefaultRootObject: index.html
      Enabled: true
      Origins:
        - DomainName: ddg-prompt.s3.amazonaws.com
          Id: static-site-origin
          S3OriginConfig:
            OriginAccessIdentity: !Sub origin-access-identity/cloudfront/${AccessIdentity}

        - DomainName: !Sub ${Api}.execute-api.${AWS::Region}.amazonaws.com
          Id: rest-api-origin
          CustomOriginConfig:
            OriginProtocolPolicy: https-only
          OriginPath: /prod
      PriceClass: PriceClass_100
      ViewerCertificate:
        AcmCertificateArn: arn:aws:acm:us-east-1:(my AccountId):certificate/(the certificate)
        SslSupportMethod: sni-only
```
Ava
  • It appears you are not forwarding any request headers through CloudFront. By default, most headers are dropped, since CloudFront doesn't have a way to know whether they might cause the origin to vary its response. Are there some headers you need API Gateway to see, such as `x-api-token` or `Authorization`? – Michael - sqlbot Jan 21 '18 at 01:41
  • Also, for testing, set your error caching minimum TTL to 0, or it will potentially take several minutes for your changes to actually be visible: https://stackoverflow.com/a/35541525/1695906 – Michael - sqlbot Jan 21 '18 at 01:42
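
The two suggestions in the comments above, written against the question's template as an added example (not code from the original post or its commenters). It assumes the API authenticates with the `Authorization` header; substitute whichever headers the API actually reads.

```yaml
# Added example: fragment of DistributionConfig, changed only where the
# comments suggest. Everything else in the template stays as posted.
CacheBehaviors:
  - AllowedMethods: [DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT]
    ForwardedValues:
      QueryString: false
      Headers:
        # Was []: no request headers were whitelisted for the API origin.
        # Assumption: the API authenticates with Authorization.
        - Authorization
        # Whitelist individual headers instead of '*': forwarding everything
        # also sends the viewer's Host header (the custom domain) to the
        # execute-api origin, which API Gateway does not accept.
    PathPattern: api/*
    TargetOriginId: rest-api-origin
    ViewerProtocolPolicy: https-only

# For testing only: stop CloudFront from caching the error response, so a
# configuration change is visible on the next request.
CustomErrorResponses:
  - ErrorCode: 403          # API Gateway sends "Missing Authentication Token" with HTTP 403
    ErrorCachingMinTTL: 0
```

Whitelisted headers become part of the cache key, so keep the list to the headers the API needs.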

0 Answers