Why root returns 403 error in API Gateway

Question

I have a very simple lambda function that facilitates short URL redirection. Like so...

var env = process.env.NODE_ENV

exports.handler = async function (event) {
  var mappings = {
    "": "https://example.com",
    "/": "https://example.com",
    "/article1": "https://example.com/articles/article-title",
    "/podcasts": "https://example.com/podcasts"
  }
  return {
    body: null,
    headers: {
      "Location": mappings[event.path] || "https://example.com/four-oh-four"
    },
    isBase64Encoded: false,
    statusCode: 301
  }
}

The URL redirects just fine for all routes except the homepage (with or without a slash). Instead of the homepage, I get a "Missing Authentication Token" error from API Gateway (or Cloudfront rather).

Curling doesn't appear to reveal anything... (Updated the curl code, my bad I left the redirect).

$ curl -v https://short.url/
*   Trying xxx.xx.xxx.xx...
* TCP_NODELAY set
* Connected to short.url (xxx.xx.xxx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /path/to/ca-certificates.crt
  CApath: /path/to/certs
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / xxxxxxxxxxxx-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.ib.run
*  start date: Apr  5 00:00:00 2019 GMT
*  expire date: May  5 12:00:00 2020 GMT
*  subjectAltName: host "short.url" matched cert's "short.url"
*  issuer: xxx; O=xxx; OU=xxx; CN=xxx
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle xxxxxxxx)
> GET / HTTP/2
> Host: short.url
> User-Agent: curl/7.58.0
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 403 
< content-type: application/json
< content-length: 42
< date: Sat, 20 Jul 2019 03:51:44 GMT
< x-amzn-requestid: xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
< x-amzn-errortype: MissingAuthenticationTokenException
< x-amz-apigw-id: xxxxxxxxxxxxxx_
< x-cache: Error from cloudfront
< via: 1.1 xxxxxxxxxxxxxxxxxxxxxx.cloudfront.net (CloudFront)
< x-amz-cf-pop: xxxxx-xx
< x-amz-cf-id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx===
< 
* Connection #0 to host short.url left intact
{"message":"Missing Authentication Token"}

Do you have IAM authorization enabled on any of the GET methods for your various resources in API gateway? When I've encountered the 'missing authentication token' error it was because I was trying to call the API without an AWS signature. — Chris D'Englere, Jul 17 '19 at 01:38
I doubt that. I think it's coming from Cloudfront (API Gateway has a Cloudfront in front of it, and Cloudfront tends to return 403s for everything). Any route other than the root directs just fine. — Costa Michailidis, Jul 17 '19 at 17:04
Possible duplicate of [Missing Authentication Token while accessing API Gateway?](https://stackoverflow.com/questions/39655048/missing-authentication-token-while-accessing-api-gateway) — Martin Zeitler, Jul 25 '19 at 11:52

score 3 · Accepted Answer · answered Jul 22 '19 at 15:15

3

The response "Missing Authentication Token" is misleading. It suggests that you need to provide an Token. The real error is, that your routes in Api gateway are not setup properly. So it is basically an Route not found from api-gateway.

You need to provide a Route for "/" with a method or the any method and redirect it to the Lambda function. You probably setup an subroute but no route for "/"

At the moment the curl is hitting the url "/" with the method GET and Api-Gateway does not know how to route this call so it answers with: "Missing Authentication Token".

You can reproduce this behavior with every non existent route. Try: /sdfsdfsdf for example. You will get the same error.

Setup the route and you shoud be fine.

I hope I could help you!

Dominik

answered Jul 22 '19 at 15:15

DominikHelps

971
4
10

If I go to short.url/sdfsdfsdf, I receive my 404 page, as intended. Updating question... – Costa Michailidis Jul 25 '19 at 14:00
It worked! I had a proxy resource, but I just added your any method to the route, and that did the trick. Thank you : ) – Costa Michailidis Jul 25 '19 at 14:08
@Costa I still get Missing Authentication Token, how do you setup the root? – Weijing Jay Lin Mar 03 '20 at 01:11
@WeijingJayLin wooof. This error can be so tough to track down. Have you posted your question anywhere with details and such? – Costa Michailidis Mar 04 '20 at 16:38
1

@Costa, yes, I do have question over here, nobody pick up yet. I would be appreciated if you can post your answer. https://stackoverflow.com/questions/60498809/how-can-i-use-proxy-to-handle-the-root-resource-on-api-gateway-to-return-body – Weijing Jay Lin Mar 04 '20 at 21:09

Why root returns 403 error in API Gateway

1 Answers1