0
votes

I'm encountering a 403 status code with an UnrecognizedClientException in the x-amzn-errortype header of the response to my API Gateway GET request using the generated JavaScript SDK. The resource being called uses IAM auth, which differentiates the user's role based on their user group.

Here is my API client initialization function:

// region and apigClient are globals defined elsewhere in the page script.
function initializeAPIClient(accessKey, secretKey, sessionToken){
    // Temporary credentials (access key, secret key, session token); the
    // generated SDK signs each request with them (SigV4) and sends the
    // session token in the x-amz-security-token header.
    var config = {
        region : region,
        accessKey : accessKey,
        secretKey : secretKey,
        sessionToken : sessionToken
    };
    apigClient = apigClientFactory.newClient(config);
}

Here is my GET request function:

function testCall(){
    // The generated SDK expects objects here (path/query/header params,
    // request body, and extra headers/query params), not strings.
    var params = {};
    var body = {};
    var additionalParams = {};

    apigClient.testCallGet(params, body, additionalParams)
    .then(function(result){
        alert("Permissions are available to this user.");
    })
    .catch(function(result){
        // 403 with x-amzn-errortype: UnrecognizedClientException lands here
        alert("Permissions are NOT available to this user.");
    });
}

Here are my request headers:

:authority:[API_ENDPOINT]
:method:GET
:path:/[STAGE]/[RESOURCE]
:scheme:https
accept:application/json
accept-encoding:gzip, deflate, sdch, br
accept-language:en-US,en;q=0.8
authorization:AWS4-HMAC-SHA256 Credential=[ACCESS_KEY_ID]/20170406/[REGION]/execute-api/aws4_request, SignedHeaders=accept;host;x-amz-date, Signature=[SIGNATURE]
origin:http://localhost:8000
referer:http://localhost:8000/php/[PAGE].php/?username=[USERNAME]&sessionToken=[SESSION_TOKEN]
user-agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
x-amz-date:20170406T180808Z
x-amz-security-token:[SESSION_TOKEN]

I'm not sure what could be causing this. The solutions recommended when I search UnrecognizedClientException seem to suggest doing what I'm already doing.

1
How are you generating your access key & secret key? Does the region match the region of your API Gateway API? - Mark Mucha
Hey Mark, I think you replied to my AWS forum question as well, but I'm going to post an answer here for consistency. Basically it was the use of my ID token as the session token that ended up being the error in my logic, which was not clarified by the code above. - John Riley

1 Answer

0
votes

I've solved my own issue, so here's the answer for anybody who runs into a similar logic error. Do NOT use the ID token as your session token, which is what I was doing. The ID token is used to generate the session token, along with the access key and secret key. Do not confuse the two.