EventBridge to API Gateway ARN includes a trailing slash - aws-api-gateway

I set up an EventBridge target to API Gateway. For some reason the path receiving the request includes a trailing slash /.
The URL I want EventBridge to invoke (via API Gateway) is https://xyz123.execute-api.region.amazonaws.com/default/user/v1/ping
That URL works fine in a browser. However when executed via EventBridge I see this in my execution logs:
HTTP Method: GET, Resource Path: /user/v1/ping/
I also see that incorrect path if I go to https://xyz123.execute-api.region.amazonaws.com/default/user/v1/ping/ in a browser, which seems expected.
Here's my Terraform:
resource "aws_cloudwatch_event_target" "service" {
arn = "${aws_api_gateway_stage.default.execution_arn}/GET/user/v1/ping"
rule = aws_cloudwatch_event_rule.service.name
event_bus_name = "my bus"
}
The actual API Gateway is setup using a Lambda proxy integration:
/user/{proxy+} - ANY
I don't understand why EventBridge has a trailing slash. I'm pretty sure I can work around it by handling the slash in my Lambda code... I just don't think EventBridge should include it in the first place.

Related

serverless framework: configuring a pre-existing lambda authenticator for HTTP API Gateway routes in serverless.yml

I would like to add a preexisting lambda authenticator to the routes of a preexisting http api gateway using the serverless framework. I have followed the docs, whereby I have specified the authorizer details under provider.httpApi (lines 15 to 18), and I have referenced the authorizer on the route(s) below (line 27 & 28). Though I get the error message:
Cannot setup authorizers for externally configured HTTP API
What am I doing wrong here? It must be for a HTTP API gateway and not a REST API gateway as thats what the current infra is configured as. Thanks
It looks like you're using an externally configured HTTP API (I'm guessing from the id being set). In such a situation, you cannot configure authorizers in this manner, you can only do so when you're provisioning HTTP API as a part of your serverless service. What you can do there, is to setup a shared authorizer in a more manual way as described in docs here: https://www.serverless.com/framework/docs/providers/aws/events/http-api#shared-authorizer
I came across this post when researching how to use API gateway authorizers and serverless framework. I was terraforming the API gateway therefore needed to terraform the authorizer as well. When created, I stashed the authorizer ID in a parameter store entry. This is a 6 character alphanumeric value such as tw9qgj. I then referenced the parameter as follows:
custom:
authorizerId: ${ssm:api_gateway_authoriser}
Then added the following block to each API e.g.
- httpApi:
path: /protected
method: get
authorizer:
id: ${self:custom.authorizerId}

AWS - API Gateway - HTTPS Request returning 404 Not Found

I am working on creating a new request in AWS API Gateway. I am having issues with a 404 not found on the URL request.
The request (had to create fake one for the question):
GET https://hello.stackoverflow.com/services/misc/myroute/v1/swagger.json
I created a route in API Gateway ANY /services/misc/myroute/{proxy+}
I attached the route to a Load Balancer Listener integration
I set up the listener rule in the Load Balancer:
IF Path is /services/misc* Then Forward to Target
IF Requests otherwise not routed Then Forward to Default
Created logs for this system in the AWS API Gateway: Monitor -> Logging -> Set Log Destination
Set variables for the log format using the $context variables, Context Variables
Ex Log:
{ "requestId":"QWRHQKWFHWAFZ=",
"routeKey":"ANY /services/misc/myroute/{proxy+}",
"path":"/services/misc/myroute/v1/swagger.json",
"domain":"hello.stackoverflow.com",
"domain_prefix":"hello",
"httpMethod":"GET", "status":"404","protocol":"HTTP/1.1", "endpoint":-" }
One final check I have done to make sure its completing its "route" was see the requests in the monitoring and seeing the 4xx come from this ALB listener.
I can send the request via localhost and get a response with the json body
GET https://localhost:8080/v1/swagger.json --> Status 200 OK with body filled
In my quest to solve the issue, it has lead me to many older (2019) stack overflow questions that seem to be outdated with the AWS Console, same with the AWS documentation. See links below...
AWS API Gateway Method request path parameter not working
AWS API Gateway 404 page not found error when invoking endpoint url
AWS API Gateway Method request path parameter not working
With this being my first project in the AWS cloud space, I am not sure where else to turn. My guess would be the authentication headers from the API Gateway are being lost, but not sure where I can see this loss happening.
From my understanding of how the AWS Request Flow goes, I created this diagram:

Metaflow: "Missing authentication token" when accessing the metadata/metaflow service URL in the browser

I’m currently experimenting on Metaflow. I followed the documentation and was able to deploy an aws setup with the given cloud formation template.
My question is why is that I’m always getting a:
message: "Missing Authentication Token"
when I access METAFLOW_SERVICE_URL in the browser, even if I made sure that the APIBasicAuth was set to false during the creation of cloudformation?
Shouldn’t this setting make the metadata/metaflow service accessible without the authentication/api key?
How can I resolve this? Or is this expected? That is, I cannot really view the metadata/metaflow service url via browser?
Thanks in advance
This was resolved under this github issue.
You still need to set the x-api-key header if you are trying to access the service url via the browser. To get the api-key you can go to the aws console
Api Gateway -> Api Keys -> show api key
Alternatively you can use the metaflow client in the sagemaker notebook which should be automatically setup for you via the template.
Also worth mentioning that there are two sets of endpoints: The one provided by the api gateway (which you seem to be hitting) and the one provided by the service itself. The api gateway forwards the requests the the service endpoints but needs the x-api-key to be set in the header. You can probably try hitting the service endpoints directly since you disabled auth.

Api Gateway (Regional) + Cloudfront return HTTP/2 403

If it is a test stage (in Api Gateway) I would like to be able to add the stage name explicitly to the url or remove from the api call. Both should hit the stage environment.
Setup a regional rest API Gateway
Configured GET method /test/v1/health (test is stage name)
Deployed API
I can access it using the URL https://.execute-api..amazonaws.com/test
I can make calls to https://api-id.execute-api.region.amazonaws.com/test/v1/health and it is all good
Setup a regional custom domain api.example.com
Added a Base Path Mappings /v1 to test environment. Basically I would like to call https://api.example.com/v1/health since I want to have multiple stages but I don't want to specify test environment in the url. This should be optional.
Created a Cloudfront distribution and setup the origin to be the regional custom domain such as d-api-id.execute-api.region.amazonaws.com (note the d since this is regional) and Origin Path blank.
Updated my external DNS CNAME to map api.example.com to the cloudfront address.
Try to call https://api.example.com/v1/health and I get an HTTP 403.
Not sure what is going wrong here. Any ideas how to fix this issue would be appreciated.

How to map / to index.html in AWS API Gateway

I'm using API Gateway as a proxy to fan out requests to different services based on the requested url. For example, /api/${proxy+} is mapped to an EKS cluster with my REST api behind it. But everything that's not under /api is mapped to an S3 bucket with my static files. That's the /${proxy+} part as seen below. It's all working, except that when I request / it returns "Missing Authentication Token." Weird, because /${proxy} doesn't require API tokens or authentication of any kind.
My setup is shown below:
I have tried a variation where I added a method on "/" and return index.html specifically from that S3 bucket