
I'm trying to serve an API Gateway from a CloudFront distribution, but I'm still getting a 403 response even though the deployment has no errors.

Calling the endpoint via its invoke URL from the web console works fine; the expected data is returned.

The distribution also serves a static site from an S3 bucket, and that works perfectly.

The distribution is configured to log to an S3 bucket, but the logs are no help (see below).

Probably I'm missing some configuration, but I really can't tell what or where.

CloudFormation template

```yaml
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        HttpVersion: http2
        Origins:
          - Id: Bucket
            # ...
          - Id: ApiGateway
            DomainName: !Sub '${ApiGateway.RestApiId}.execute-api.${AWS::Region}.amazonaws.com'
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
              HTTPPort: 80
              HTTPSPort: 443
        DefaultRootObject: index.html
        DefaultCacheBehavior:
          Compress: true
          ViewerProtocolPolicy: allow-all
          TargetOriginId: Bucket
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6   # default CachingOptimized
        CacheBehaviors:
          - PathPattern: /api/*
            TargetOriginId: ApiGateway
            AllowedMethods: [ GET, HEAD, OPTIONS ]
            ViewerProtocolPolicy: redirect-to-https
            CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad # CachingDisabled
          - TargetOriginId: Bucket
            # ...
        Logging:
            # ...

  ApiGateway:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: !Sub my-api-gateway-${StageName}

  ApiGatewayExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ApiGatewayExecutionRole-${StageName}
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - apigateway.amazonaws.com
            Action:
              - sts:AssumeRole

  ApiGatewayExecutionPolicy:
    Type: AWS::IAM::Policy
    DependsOn:
      - GetLatestArtistsExecutionRole
    Properties:
      PolicyName: !Sub ApiGatewayExecutionPolicy-${StageName}
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - lambda:InvokeFunction
            Resource: # a lambda ARN
          - Effect: Allow
            Action:
              - lambda:InvokeFunction
            Resource: # a lambda ARN
      Roles:
        - !Ref ApiGatewayExecutionRole
```

Logs

```
date time x-edge-location sc-bytes cs-ip cs-method cs(Host) cs-uri-stem cs-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol ssl-cipher x-edge-response-result-type cs-protocol-version fle-status fle-encrypted-fields c-port time-to-first-byte x-edge-detailed-result-type sc-content-type sc-content-len sc-range-start sc-range-end
2023-06-12 08:43:25 PMO50-C1 484 93.56.216.51 GET 0123456789abcd.cloudfront.net /favicon.ico 403 https://0123456789abcd.cloudfront.net/api/my/endpoint Mozilla/5.0%20(X11;%20Linux%20x86_64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/114.0.0.0%20Safari/537.36 - - Error VAvnzOY5Vg5Ra1jg5KeyQ7N986CUXU_ns76vHY_qdBNgMPeEE2p6yg== 0123456789abcd.cloudfront.net https 423 0.204 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/2.0 - - 58248 0.204 Error application/xml - - -
2023-06-12 08:43:27 PMO50-C1 417 93.56.216.51 GET 0123456789abcd.cloudfront.net /api/my/endpoint 403 - Mozilla/5.0%20(X11;%20Linux%20x86_64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/114.0.0.0%20Safari/537.36 - - Error XwIBTQDx6c3Oaqq7xkNGrqa6WIpfELU0qbXnXGAKCrKvr9ZmMZmlsg== 0123456789abcd.cloudfront.net https 206 0.150 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/2.0 - - 58248 0.150 Error application/json 23 - -
2023-06-12 08:43:27 PMO50-C1 483 93.56.216.51 GET 0123456789abcd.cloudfront.net /favicon.ico 403 https://0123456789abcd.cloudfront.net/api/my/endpoint Mozilla/5.0%20(X11;%20Linux%20x86_64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/114.0.0.0%20Safari/537.36 - - Error TGCaveojUlFJvx3cprpMpVTdtXPyPm9U2Xgxi4BFfSLhsdDGid9ykA== 0123456789abcd.cloudfront.net https 34 0.163 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/2.0 - - 58248 0.163 Error application/xml - - -
2023-06-12 08:43:33 PMO50-C1 416 93.56.216.51 GET 0123456789abcd.cloudfront.net /api/my/endpoint 403 - Mozilla/5.0%20(X11;%20Linux%20x86_64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/114.0.0.0%20Safari/537.36 - - Error nnPavByn3z8KA8f9iM4ams5PW0K6ZJmjX_h_sK1D6wWvnRbRlw72ZA== 0123456789abcd.cloudfront.net https 40 0.117 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/2.0 - - 58248 0.117 Error application/json 23 - -
2023-06-12 08:43:33 PMO50-C1 484 93.56.216.51 GET 0123456789abcd.cloudfront.net /favicon.ico 403 https://0123456789abcd.cloudfront.net/api/my/endpoint Mozilla/5.0%20(X11;%20Linux%20x86_64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/114.0.0.0%20Safari/537.36 - - Error 44ITHM9SfJGqEzHycOAkEuiMCFfVApgdV6UL9xXTZ0PLwjklhWokTA== 0123456789abcd.cloudfront.net https 34 0.175 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/2.0 - - 58248 0.175 Error application/xml - - -
2023-06-12 08:45:34 FCO50-P2 418 93.56.216.51 GET 0123456789abcd.cloudfront.net /api/my/endpoint 403 - Mozilla/5.0%20(X11;%20Linux%20x86_64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/114.0.0.0%20Safari/537.36 - - Error 4crypFQbvDZ2uvu7VzSW_v7AM2b8MzweSHhQYDzk2njxICwW0Q8obw== 0123456789abcd.cloudfront.net https 455 0.075 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/2.0 - - 44736 0.075 Error application/json 23 - -
2023-06-12 08:45:34 FCO50-P2 483 93.56.216.51 GET 0123456789abcd.cloudfront.net /favicon.ico 403 https://0123456789abcd.cloudfront.net/api/my/endpoint Mozilla/5.0%20(X11;%20Linux%20x86_64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/114.0.0.0%20Safari/537.36 - - Error TOnok3F9P8-Gi9CM_7GtHtOTmVhkyQPcrJrbwJlui4HUCXRZo-IA4A== 0123456789abcd.cloudfront.net https 148 0.134 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/2.0 - - 44736 0.133 Error application/xml - - -
2023-06-12 08:45:42 PMO50-C1 483 93.56.216.51 GET 0123456789abcd.cloudfront.net /favicon.ico 403 https://0123456789abcd.cloudfront.net/api/my/endpoint Mozilla/5.0%20(X11;%20Linux%20x86_64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/114.0.0.0%20Safari/537.36 - - Error v--hpkzq7TxOTxgZgku6C8ZTllGu_8OuUdGDfoS-OCMnyp5aYpoT1g== 0123456789abcd.cloudfront.net https 34 0.180 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/2.0 - - 58248 0.180 Error application/xml - - -
```
fudo
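As an added diagnostic example (not code from the question or the answer), a small Python triage script for the access-log format pasted above: it separates 403s by the origin that produced them using the response content-type, since S3 returns AccessDenied as application/xml while API Gateway returns a JSON body, and the 23-byte application/json 403s on /api/my/endpoint above match API Gateway's own {"message":"Forbidden"} rather than an edge-side block. The embedded log lines are constructed, with placeholder hosts, IPs and request ids.

```python
from collections import Counter
from urllib.parse import unquote
# Constructed sample in the whitespace-separated shape pasted above (hosts, IPs and request
# ids are placeholders); real files are tab-separated with '#Version:'/'#Fields:' lines.
SAMPLE_LOG = """\
date time x-edge-location sc-bytes cs-ip cs-method cs(Host) cs-uri-stem cs-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol ssl-cipher x-edge-response-result-type cs-protocol-version fle-status fle-encrypted-fields c-port time-to-first-byte x-edge-detailed-result-type sc-content-type sc-content-len sc-range-start sc-range-end
2023-06-12 08:43:27 PMO50-C1 417 203.0.113.10 GET d111.cloudfront.net /api/my/endpoint 403 - UA - - Error REQ1 d111.cloudfront.net https 206 0.150 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/2.0 - - 58248 0.150 Error application/json 23 - -
2023-06-12 08:43:27 PMO50-C1 483 203.0.113.10 GET d111.cloudfront.net /favicon.ico 403 https://d111.cloudfront.net/api/my/endpoint UA - - Error REQ2 d111.cloudfront.net https 34 0.163 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/2.0 - - 58248 0.163 Error application/xml - - -
2023-06-12 08:45:40 FCO50-P2 1200 203.0.113.10 GET d111.cloudfront.net /index.html 200 - UA - - Hit REQ3 d111.cloudfront.net https 40 0.010 - TLSv1.3 TLS_AES_128_GCM_SHA256 Hit HTTP/2.0 - - 44736 0.010 Hit text/html 950 - -
"""

def parse_cloudfront_log(text):
    """Yield one dict per request, keyed by the field names in the header line."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#Version"):
            continue
        parts = raw.split()  # tabs or spaces: no field contains either
        if raw.startswith("#Fields:"):
            fields = parts[1:]
            continue
        if fields is None:  # bare header line, as pasted in the question
            fields = parts
            continue
        if len(parts) != len(fields):  # skip malformed lines rather than misalign
            continue
        rec = dict(zip(fields, parts))
        rec["cs-uri-stem"] = unquote(rec.get("cs-uri-stem", ""))
        yield rec

def classify_403(rec):
    """Attribute a 403 to its origin by content-type: S3's AccessDenied is application/xml,
    API Gateway's Forbidden is application/json, edge-generated CloudFront errors text/html."""
    # the header pasted in the question names the status column cs-status (docs: sc-status)
    if rec.get("sc-status", rec.get("cs-status")) != "403":
        return None
    ctype = rec.get("sc-content-type", "")
    if ctype.startswith("application/json"):
        return "api-gateway"
    if ctype.startswith("application/xml"):
        return "s3"
    return "edge-or-other"

def summarize_403s(text):
    counts = Counter()
    for rec in parse_cloudfront_log(text):
        origin = classify_403(rec)
        if origin:
            counts[(rec["cs-uri-stem"], origin)] += 1
    return counts
```

Run `summarize_403s` over a downloaded log object to see which paths fail at which origin before touching the distribution config.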

1 Answer


It looks like you are missing the CORS headers enabled in API Gateway.

Try to enable them:

```yaml
ApiGateway:
  Type: AWS::ApiGateway::RestApi
  Properties:
    Name: !Sub my-api-gateway-${StageName}
    EndpointConfiguration:
      Types:
        - REGIONAL
    Cors:
      AllowOrigins:
        - '*' # Replace '*' with the appropriate origin(s) if known
      AllowMethods:
        - GET
        - HEAD
        - OPTIONS
      AllowHeaders:
        - Content-Type
        - X-Amz-Date
        - Authorization
      MaxAge: 300
```

  • there is no `Cors` attribute in the [docs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html), are you sure about your code? any resource link? – fudo Jun 12 '23 at 13:16
  • It was missing information, my bad.. It should be in API Gateway V2, the core resource [API GateWay V2](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigatewayv2-api-cors.html). You can check this [thread](https://stackoverflow.com/questions/40292888/enable-cors-for-api-gateway-in-cloudformation-template) – Saifeddine Rajhi Jun 12 '23 at 14:44
  • This [tutorial](https://medium.com/@joanisaac.biel/setting-up-cors-and-lambda-proxy-integration-in-aws-api-gateway-using-cloudformation-371312eebcb0) may help also – Saifeddine Rajhi Jun 12 '23 at 14:50