0
votes

I have an API Gateway endpoint with IAM authentication, no Custom Domain Names, no API Key, API is deployed to Prod and no AWS WAF enabled (TBMK) and VPC proxy integration request method.

I am calling this endpoint from a Lambda (with attached execute-api:Invoke permission to call the API), however I am getting a 403 error with message Forbidden. Notice that if I remove the IAM authentication method, the call from Lambda works fine.

I've already seen this and this SO question, plus the AWS doc on the topic, but I've already tried those solutions (as explained before).

Sample code for calling API Gateway inside Lambda:

import java.net.HttpURLConnection;
import java.net.URL;

// Opens the connection and sends the POST without adding any request headers
final HttpURLConnection connection = (HttpURLConnection) new URL(postApiUrl).openConnection();
connection.setRequestMethod("POST");
final int responseCode = connection.getResponseCode();
//...

How I attach API Gateway ARN to Lambda role in CDK:

import { Effect, PolicyStatement } from 'aws-cdk-lib/aws-iam'; // CDK v2 path; CDK v1 uses @aws-cdk/aws-iam

// Grant the Lambda execution role permission to invoke the deployed POST method
this.addToRolePolicy(
  new PolicyStatement({
    actions: ['execute-api:Invoke'],
    effect: Effect.ALLOW,
    resources: [postMethod.methodArn],
  }),
);
2
Can you show the relevant part of your lambda code? - Marcin

Also, how did you integrate your API with the VPC link? - Marcin

Just to give you a little more context: with the Test feature in the API Gateway web console it works fine. It just doesn't with Lambda. TBH, I don't think that the auth issues are because of the VPC link and resources (Lambda needs to be auth-ed to call API Gateway; no permissions are needed for VPC resources). - justHelloWorld

Lambda structure is managed through CDK. As explained, the Lambda has the necessary invoke role attached to it. - justHelloWorld

Do you have a resource policy set up for the API Gateway? Is your Lambda function in a VPC? - Paradigm

2 Answers

2
votes

You have set up IAM authentication for your API GW method, but your Lambda function code does not sign the request made to API GW. Note: Simply adding the execute-api:Invoke permission to the Lambda function execution role does not sign the request.

You need to use the AWS SigV4 signing process to add the authentication information, which is then verified on the API GW end. This doc lists the steps involved, which basically are:

  1. Create a canonical request.
  2. Use the canonical request and additional metadata to create a string for signing.
  3. Derive a signing key from your AWS secret access key. Then use the signing key, and the string from the previous step, to create a signature.
  4. Add the resulting signature to the HTTP request in a header or as a query string parameter.

Since you're using Java, this blog post also provides some sample code which you can refer to.
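The four steps above, plus a model of the check done on the API GW end, as an added Python example (not the answerer's code and not an AWS SDK; the hostname, path, access key id and secret key used in the test are constructed placeholders):

```python
import hashlib
import hmac
from urllib.parse import quote
ALGO = "AWS4-HMAC-SHA256"

def _string_to_sign(method, path, query, headers, body, amz_date, scope):
    # Steps 1-2: build the canonical request, then hash it into the string to sign.
    names = sorted(headers, key=str.lower)
    signed = ";".join(n.lower() for n in names)
    canon_headers = "".join(f"{n.lower()}:{headers[n].strip()}\n" for n in names)
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                           for k, v in sorted(query.items()))
    creq = "\n".join([method, quote(path, safe="/-_.~"), canon_query, canon_headers,
                      signed, hashlib.sha256(body).hexdigest()])
    return "\n".join([ALGO, amz_date, scope, hashlib.sha256(creq.encode()).hexdigest()]), signed

def _signature(secret_key, date, region, service, sts):
    # Step 3: derive the signing key (date -> region -> service -> "aws4_request"),
    # then HMAC-SHA256 the string to sign with it.
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, sts.encode(), hashlib.sha256).hexdigest()

def sign(method, host, path, query, body, access_key, secret_key, region, service, amz_date):
    # Client side: the headers an IAM-authenticated API GW request must carry.
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    headers = {"host": host, "x-amz-date": amz_date}
    sts, signed = _string_to_sign(method, path, query, headers, body, amz_date, scope)
    sig = _signature(secret_key, date, region, service, sts)
    # Step 4: the Authorization header. A request without it gets 403 Forbidden
    # no matter which execute-api:Invoke permissions the caller's role holds.
    headers["authorization"] = (f"{ALGO} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers

def verify(method, path, query, body, headers, secret_for):
    # Service side (a model of the API GW check): recompute the signature over the
    # SignedHeaders received, using the secret that belongs to the access key id.
    auth = headers.get("authorization", "")
    if not auth.startswith(ALGO + " "):
        return False
    fields = dict(p.strip().split("=", 1) for p in auth[len(ALGO) + 1:].split(","))
    access_key, date, region, service, _ = fields["Credential"].split("/")
    signed = {n: headers.get(n, "") for n in fields["SignedHeaders"].split(";")}
    sts, _ = _string_to_sign(method, path, query, signed, body, headers.get("x-amz-date", ""),
                             f"{date}/{region}/{service}/aws4_request")
    expected = _signature(secret_for(access_key) or "", date, region, service, sts)
    return hmac.compare_digest(expected, fields["Signature"])
```

An unsigned request (only Host and X-Amz-Date, as in the question's Java code) fails `verify`, as does any change to the body, path or query after signing.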

-2
votes

APIG has an authorizer cache; check this out.

https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-403-error-lambda-authorizer/

If you could have a read and perhaps elaborate a little, I'll include the proper solution.