5

I have seen posts about this but no questions or answers that match my problem closely enough to provide a valid answer.

I cannot send requests to the API through my browser.

The problem, as far as I understand, is that when you send a request to the API Gateway, the browser will first send a preflight OPTIONS request. This preflight request will not add any custom headers, i.e. the x-apigw-api-id header. This then causes a 403 to be returned without even hitting the OPTIONS request.

My understanding is that the client has no control over the preflight request; it is handled by the browser.

The GET request works through Postman and so does the OPTIONS request, but only if I add the x-apigw-api-id header for each request.

Headers returned through Postman with x-apigw-api-id added to the request:

{"Access-Control-Allow-Origin":"*","Access-Control-Allow-Methods":"GET,OPTIONS","Access-Control-Allow-Headers":"Content-Type,X-Api-Key,","Content-Type":"application/json"}

If I remove the header I get a 403 Forbidden.

Is there a workaround for this problem? Perhaps not needing the x-apigw-api-id when sending an OPTIONS request?

Some of the questions I looked up prior to posting:

Kevin

2 Answers

1

This issue can be solved by associating a VPC endpoint to your private API. This will generate a Route53 alias to your private API. From the documentation,

When you associate a VPC endpoint with your private API, API Gateway generates a new Route53 ALIAS DNS record which you can use to invoke your private APIs just as you do your edge-optimized or regional APIs without overriding a Host header or passing an x-apigw-api-id header.

https://docs.aws.amazon.com/apigateway/latest/developerguide/associate-private-api-with-vpc-endpoint.html

Munavir Chavody
  • That record is only resolvable from within the VPC, which is likely not where your browser is running. At least in my case that record isn't resolvable from my laptop, even though I can connect to the vpc endpoint, so this doesn't solve it – Ulrar Jul 08 '20 at 10:12
  • @Ulrar There are two DNS names: the normal API GW DNS name, which is resolvable via the AmazonDNS server, i.e., within the VPC or a hybrid network which forwards the resolution to the AmazonDNS server. The other one is a public DNS name which resolves to the private IP of your APIGW endpoint. – Munavir Chavody Jul 08 '20 at 15:28
  • Right, I had a case opened with AWS and they found me this : -.execute-api.us-east-1.amazonaws.com. That URL resolves from anywhere to the private IP, and can be used from a browser without setting the x-apigw-id header – Ulrar Jul 11 '20 at 05:43
1

Based on the solution described by Ulrar: a private API Gateway exposes an option for making requests without using any additional header. The URL is formed as follows:

https://< api-id >-< vpce-id >.execute-api.< region >.amazonaws.com

This solution is useful for CORS issues in direct browser integrations.

Mario Petrovic
  • Thanks, this worked for me :) This assumes you have Private DNS enabled. More info here: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-api-test-invoke-url.html#w13aac17b9c32c26c13 and also here: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html#associate-private-api-with-vpc-endpoint – Connor May 04 '21 at 14:14
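
The preflight behaviour described in the question and the header-free hostname from the answers, as an added example that is not part of the original posts: a simplified model of the browser's preflight decision (not the full Fetch algorithm) plus a builder for the URL form given above. The function names, the input checks and the sample IDs are assumptions made for illustration.

```javascript
// Added example: simplified model of when a browser sends a CORS preflight.
// Function names and character checks are assumptions, not AWS or browser APIs.
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Returns the OPTIONS request the browser would send first, or null if none is needed.
function preflightFor(origin, method, headers = {}) {
  const verb = method.toUpperCase();
  const unsafe = Object.entries(headers)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (!SAFE_HEADERS.has(n)) return true;
      // Content-Type is only safelisted for the three form/plain-text types.
      const essence = String(value).split(";")[0].trim().toLowerCase();
      return n === "content-type" && !SAFE_CONTENT_TYPES.has(essence);
    })
    .map(([name]) => name.toLowerCase())
    .sort();
  if (SAFE_METHODS.has(verb) && unsafe.length === 0) return null;
  // The preflight only names the custom headers; it never carries them,
  // so a header such as x-apigw-api-id cannot be used to route it.
  const preflightHeaders = { "Origin": origin, "Access-Control-Request-Method": verb };
  if (unsafe.length > 0) {
    preflightHeaders["Access-Control-Request-Headers"] = unsafe.join(",");
  }
  return { method: "OPTIONS", headers: preflightHeaders };
}

// Builds https://<api-id>-<vpce-id>.execute-api.<region>.amazonaws.com
// The patterns are assumed formats; they stop input from altering the host.
function privateApiOrigin(apiId, vpceId, region) {
  if (!/^[a-z0-9]+$/.test(apiId)) throw new Error("unexpected api id");
  if (!/^vpce-[a-z0-9]+$/.test(vpceId)) throw new Error("unexpected vpce id");
  if (!/^[a-z]{2}(-[a-z]+)+-\d+$/.test(region)) throw new Error("unexpected region");
  return `https://${apiId}-${vpceId}.execute-api.${region}.amazonaws.com`;
}
```

With the `<api-id>-<vpce-id>` hostname the API is selected by the host name itself, so the preflight, which cannot carry `x-apigw-api-id`, still reaches the API's OPTIONS method.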