Fixed : Preflight Response Error : Access-control-allow-origin is not allowed by Access-Control-Allow-Headers for Express Lambda with AWS API Gateway

Question

I have prepared an Lambda function using Express(node.js) and enabled the Authorization with IAM as well.

The API is working in the Postman as per below link : https://www.youtube.com/watch?v=KXyATZctkmQ&t=35s

As I'm fairly new with CORS policy and API concepts. I'm trying to access the sample using Ajax call.

So far I have prepared the Authorization Header as per documentation and few reference.

Git Repo Link : https://github.com/mudass1r/aws-iam-authorization.git

Reference Link for Signature Generation : https://gist.github.com/davidkelley/c1274cffdc0d9d782d7e

I have Enabled the CORS from AWS API Gateway for my API as well.

PS : The API is Deployed using Serverless Framework.

Step 1 : The error I'm facing initial when I dont include any headers:

Step 2 : Later when I add headers:

$.ajax(Signer(credentials, {
  url: <AWS API URL>,
  type: 'GET',
  dataType: 'json',
  async: true,
  crossDomain: true,
  contentType: 'application/json',
  headers: {
    "Access-Control-Allow-Origin" : "*"
  },
  success: function(data) {
    console.log(data);
  }
}));

After which I get the following error:

In my previous experience with this error we only need to enable the CORS for the API which resolves this issue. But the same is not in this cases. Following is the structure of the API resource.

I have been stuck in this problem for few day and came across some CORS policy reference links as well. https://fetch.spec.whatwg.org/#http-cors-protocol

Solution : Refer : Access-control-allow-origin is not allowed by Access-Control-Allow-Headers in preflight response

Thanks for your help in advance.

Answer 1

There are a few things to look at here.

1. Make sure that all resposnes from within your Lambda function are returning cors headers. I see that is the case in your example.
2. Make sure that the function itself is not returning an error. You can see this in the Serverless Framework dashboard if you are using that or CloudWatch. If so, you need to find a fix or catch the error and make sure the response also includes the required CORS headers
3. Otherwise, if your Authorization is returning a 403, for example, you will need to configure the responses for API Gateways 4XX responses in the resources section of your serverless.yml, since API Gateway by default does not apply cors to authorizer responses. Something like:

resources:
  Resources:
    GatewayResponseDefault4XX:
      Type: 'AWS::ApiGateway::GatewayResponse'
      Properties:
        ResponseParameters:
          gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
        ResponseType: DEFAULT_4XX
        RestApiId:
          Ref: 'ApiGatewayRestApi'