I want to have two endpoints on a service: a publicly accessible one, and one that is exposed "for administrative" use, secured with an API key and other mechanisms.
The diagram shows the configuration I have created (using serverless, incidentally), like this:
events:
  # The path "/" is needed to allow requests to "root"
  - http: {path: /, method: any, private: false}
  # Add private /admin path, that requires the api key
  - http: {path: /admin/{proxy+}, method: any, private: true}
  - http: {path: /{proxy+}, method: any, private: false}
The configuration seems to work to CREATE the API Gateway. And requests to <domain>/ and to <domain>/<various>/paths seem to work fine when <various> is not "admin" -- NO API key required, and the Lambda behind this API Gateway spins up.
But any requests to <domain>/admin/various/paths give me a 403/Forbidden instantly, indicating that API Gateway is blocking the request instantly, I think. Logs on the Lambda show no activity.
Here's a curl response:
HTTP/2 403
date: Wed, 24 Feb 2021 13:19:52 GMT
content-type: application/json
content-length: 23
x-amzn-requestid: aea11b1f-589d-42d2-9df2-44b53f1d543d
x-amzn-errortype: ForbiddenException
x-amz-apigw-id: XXXXXXX
I am sending the correct API key in the x-api-key header. Is there any way to diagnose exactly why this is failing for the .../admin endpoints only? Is there something about this approach that simply won't work?
P.S. I looked on meta.stackexchange and it seems ambiguous whether this sort of question is appropriate on Stack Overflow, but there are lots of existing questions like it, and this seems to me to be part of software development these days.
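An added diagnostic example, not code from the question. An instant 403 with `x-amzn-errortype: ForbiddenException` and no Lambda logs is what API Gateway returns when the key check fails: the check runs before the integration, so the function is never invoked. For a method with ApiKeyRequired set (which is all `private: true` does in Serverless; the keys and plan are declared separately under `provider.apiGateway.apiKeys` and `provider.apiGateway.usagePlan`), the key is accepted only if it exists, is enabled, and belongs to a usage plan that lists the exact REST API id and stage being called. The script below reproduces that lookup. `diagnose()` is a pure function over the item lists that boto3's `apigateway` client returns from `get_api_keys(includeValues=True)`, `get_usage_plans()` and `get_usage_plan_keys()`; those response shapes are an assumption stated in the code, the `SAMPLE_*` data is constructed, and `diagnose_live()` (which assumes boto3 and AWS credentials) is the same check against a real account. The REST API id and stage are the ones in the failing URL, e.g. `https://<apiId>.execute-api.<region>.amazonaws.com/<stage>/admin/...`.

```python
"""Offline check for "why does API Gateway return 403 Forbidden for my x-api-key?".

Added example, not code from the question. For a method with ApiKeyRequired set,
API Gateway accepts a key only if (1) the key exists and is enabled and (2) a
usage plan that contains the key also lists the (restApiId, stage) being
called. diagnose() reproduces that lookup over the item lists returned by
boto3's apigateway client (get_api_keys(includeValues=True), get_usage_plans(),
get_usage_plan_keys()); those response shapes are an assumption made here, and
SAMPLE_* below is constructed data, so the check runs with no AWS access.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class KeyDiagnosis:
    key_found: bool = False
    key_enabled: bool = False
    plans_with_key: List[str] = field(default_factory=list)   # usage plans containing the key
    plans_for_stage: List[str] = field(default_factory=list)  # subset that also covers the stage

    @property
    def authorised(self) -> bool:
        return self.key_found and self.key_enabled and bool(self.plans_for_stage)

    def explain(self) -> str:
        if not self.key_found:
            return "no API key with that value exists (wrong value, region or account)"
        if not self.key_enabled:
            return "the key exists but is disabled"
        if not self.plans_with_key:
            return "the key is not attached to any usage plan"
        if not self.plans_for_stage:
            return ("the key is in usage plan(s) %s, but none of them covers this API/stage"
                    % ", ".join(self.plans_with_key))
        return "key is authorised via usage plan(s) %s" % ", ".join(self.plans_for_stage)


def diagnose(key_value: str, rest_api_id: str, stage: str,
             api_keys: List[dict], usage_plans: List[dict],
             plan_keys: Dict[str, List[dict]]) -> KeyDiagnosis:
    """The decision API Gateway makes, over already-fetched items.

    plan_keys maps usagePlanId -> items from get_usage_plan_keys(usagePlanId=...).
    """
    result = KeyDiagnosis()
    key = next((k for k in api_keys if k.get("value") == key_value), None)
    if key is None:
        return result
    result.key_found = True
    result.key_enabled = bool(key.get("enabled", False))
    for plan in usage_plans:
        if not any(pk.get("id") == key["id"] for pk in plan_keys.get(plan["id"], [])):
            continue
        result.plans_with_key.append(plan["name"])
        if any(s.get("apiId") == rest_api_id and s.get("stage") == stage
               for s in plan.get("apiStages", [])):
            result.plans_for_stage.append(plan["name"])
    return result


def diagnose_live(key_value: str, rest_api_id: str, stage: str, region: str) -> KeyDiagnosis:
    """Same check against a real account. boto3 is imported lazily so the offline
    part of this file has no AWS dependency. The list calls are not paginated
    here; an account with many keys or plans needs the get_api_keys and
    get_usage_plans paginators."""
    import boto3  # assumption: boto3 installed and AWS credentials configured
    agw = boto3.client("apigateway", region_name=region)
    api_keys = agw.get_api_keys(includeValues=True)["items"]
    plans = agw.get_usage_plans()["items"]
    plan_keys = {p["id"]: agw.get_usage_plan_keys(usagePlanId=p["id"])["items"] for p in plans}
    return diagnose(key_value, rest_api_id, stage, api_keys, plans, plan_keys)


# Constructed sample data in boto3's response shapes (not from any real account).
SAMPLE_API_KEYS = [
    {"id": "key1", "name": "admin-key", "value": "AdminKeyValue000", "enabled": True},
    {"id": "key2", "name": "retired-key", "value": "RetiredKeyValue0", "enabled": False},
]
SAMPLE_USAGE_PLANS = [
    {"id": "plan1", "name": "dev-plan", "apiStages": [{"apiId": "a1b2c3d4e5", "stage": "dev"}]},
    {"id": "plan2", "name": "orphan-plan", "apiStages": []},  # plan never linked to a stage
]
SAMPLE_PLAN_KEYS = {
    "plan1": [{"id": "key1", "type": "API_KEY"}],
    "plan2": [{"id": "key2", "type": "API_KEY"}],
}


def sample_diagnosis(key_value: str, stage: str) -> KeyDiagnosis:
    """Run the check against the constructed sample account, REST API a1b2c3d4e5."""
    return diagnose(key_value, "a1b2c3d4e5", stage,
                    SAMPLE_API_KEYS, SAMPLE_USAGE_PLANS, SAMPLE_PLAN_KEYS)


if __name__ == "__main__":
    for key, stage in [("AdminKeyValue000", "dev"), ("AdminKeyValue000", "prod"),
                       ("RetiredKeyValue0", "dev"), ("NoSuchKey", "dev")]:
        d = sample_diagnosis(key, stage)
        print(f"{key:18} {stage:5} authorised={d.authorised}: {d.explain()}")
```

The second sample case is the one that matches the symptom in the question most often: a valid, enabled key whose usage plan covers a different stage (or no stage at all) is rejected with the same 403 as a bogus key, and API Gateway's response body does not say which. The admin path being a separate `/admin/{proxy+}` resource is not the problem in itself; API Gateway picks the most specific matching resource, so `/admin/...` goes to the key-protected method while everything else falls through to `/{proxy+}`.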