AWS api gateway not working same after Deploying API - aws-api-gateway

I have deployed a basic AWS API. Below are the screenshots.
Now when I run Test from above and pass the parameters shown in the Query String of Method Request, I get the following response.
Request: /searchpatents?name=fsf&test=sfsf
Response against above request
{
    "name": "fsf",
    "sample": "sfsf",
    "controller": "awsapi",
    "action": "index",
    "awsapi": {
        "name": "fsf",
        "sample": "sfsf"
    }
}
Which shows that I can use the name and sample parameters on my HTTP endpoint.
Now I have deployed this API by clicking the Deploy API button and sent HTTP requests via curl and Postman after exporting it from the AWS stage panel, but I am not receiving the name and test params.
My Integration Request is as below

Making a GET request with a body is non-standard, and API Gateway is ignoring the body in a GET request. Please try using POST/PUT for a request with a body.

Related

CloudFront to API Gateway request returns 403: "The request signature we calculated does not match the signature you provided."

I have an API Gateway fronted by CloudFront. The API Gateway has a regional endpoint with api key disabled. An Authorization header must be sent to the regional endpoint or the endpoint returns "Missing Authentication Token" as expected.
Using the same request on the CloudFront endpoint returns the following 403 Forbidden error:
{
"message": "The request signature we calculated does not match the signature you
provided. Check your AWS Secret Access Key and signing method. Consult the service
documentation for details.\n\nThe Canonical String for this request should have been\n'POST
// sensitive data here...
}
The Auth token is created from an AWS signature. The signature originates from an IAM role that allows invocation on the endpoint: "Action": "execute-api:Invoke"
Any ideas on why CloudFront isn't able to use these credentials to hit the API Gateway endpoint?
In summary,
"Postman w/ Authorization header -> API Gateway endpoint" works.
"Postman w/ Authorization header -> CloudFront -> API Gateway endpoint" returns the above 403.
UPDATE: Adding information on how I obtain the signature.
IAM Role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-west-2:{ACCOUNT}:{ENDPOINT}",
            "Effect": "Allow"
        }
    ]
}
AccessKey, SecretKey, Session Token are obtained in CloudShell:
$ aws sts assume-role --role-arn arn:aws:iam::{ACCOUNT}:{ROLE} --role-session-name {SESSION_NAME}
These 3 keys are then used in Postman's Authorization tab. I select "AWS Signature" type and provide the AccessKey, SecretKey, and SessionToken.
From here, I can hit the API Gateway endpoint and receive 200 response. With the same request and headers, hitting the CloudFront endpoint results in the 403.
UPDATE #2: Adding information on CloudFront configuration.
The distribution behavior for the API GW origin is using the CachingOptimized policy. It's also allowing all HTTP methods.
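
The 403 above refers to the canonical string of the request. As an added example (not part of the original post), the following shows how AWS Signature Version 4 binds the signature to the signed Host header, so a signature computed for one hostname fails when the verifier rebuilds the canonical request with a different one. The secret, hostnames, path, body and date are constructed placeholders.

```python
import hashlib
import hmac

# All values below are constructed placeholders, not taken from the post.
SECRET = "EXAMPLE-SECRET-KEY-constructed"
REGION, SERVICE = "us-west-2", "execute-api"
AMZ_DATE = "20240101T000000Z"
API_HOST = "abc123.execute-api.us-west-2.amazonaws.com"
CDN_HOST = "d111111abcdef8.cloudfront.net"
PATH, BODY = "/prod/items", b'{"q": "demo"}'


def canonical_request(method, path, query, headers, body):
    """SigV4 canonical request: header names lowercased, sorted, values trimmed."""
    norm = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    canon_headers = "".join(f"{k}:{v}\n" for k, v in norm)
    signed_headers = ";".join(k for k, _ in norm)
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method, path, query, canon_headers, signed_headers, body_hash])


def signature(secret, amz_date, region, service, creq):
    """Derive the signing key and sign the string-to-sign."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    creq_hash = hashlib.sha256(creq.encode()).hexdigest()
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, creq_hash])
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def sign_for(host):
    """Client side: sign a POST addressed to `host`."""
    headers = {"Host": host, "X-Amz-Date": AMZ_DATE}
    creq = canonical_request("POST", PATH, "", headers, BODY)
    return signature(SECRET, AMZ_DATE, REGION, SERVICE, creq)


def service_accepts(host_seen, presented_sig):
    """Service side: rebuild the signature from the Host it actually received."""
    return hmac.compare_digest(sign_for(host_seen), presented_sig)


if __name__ == "__main__":
    print("signed for API host, seen as API host:", service_accepts(API_HOST, sign_for(API_HOST)))
    print("signed for CDN host, seen as API host:", service_accepts(API_HOST, sign_for(CDN_HOST)))
```

When comparing a direct call with a proxied one, diff the canonical string returned in the 403 body against the one the client signed; the differing line identifies which signed element changed in transit.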

AppSync request from API Gateway: Valid authorization header not provided

I have an AWS architecture like this:
An API Gateway with many endpoints. One of them is "/graphql"
The "/graphql" API Gateway endpoint points to a "/graphql" AppSync endpoint
My API Gateway uses COGNITO_USER_POOL to authenticate users. When a user makes a request to the "/graphql" endpoint of API Gateway, he must add the id_token to the "Authorization" header of the request. It works well.
My integration method on API Gateway gets the "Authorization" header and puts it on AppSync request using this HTTP Headers mapping:
Authorization = method.request.header.Authorization
It seems to work correctly also. Nevertheless, I got this AppSync error when requesting the API Gateway endpoint:
{
    "errors": [
        {
            "errorType": "UnauthorizedException",
            "message": "Valid authorization header not provided."
        }
    ]
}
It doesn't seem to be a token problem, because it works correctly when I request the AppSync endpoint directly (with the same Authorization header).
I observed that API Gateway adds some headers to the AppSync request, to generate a Signature. So my question is: Is there any way to make a request to AppSync from API Gateway without passing the Signature, only the id_token that the user got from the Cognito User Pool? I'd like to ignore IAM and use only the token (as I do when the request is made directly to AppSync from Postman).
Many thanks!

amazon api gateway returns 403

I am calling a serverless API (API Gateway + Lambda) from a Lambda in another AWS account with axios; it returns a 403 HTTP status with payload { message: "Forbidden" }. The GET HTTP call returns data when used in Chrome.
Looking at the comments, which say that the headers included "x-amzn-errortype: ForbiddenException": that happened for me when I had not deployed the API yet. After deploying the API, that error went away.

Kubernetes REST API - Unauthorized

I have following Kubernetes REST API request
GET https://theserver/api/v1/pods?includeUninitialized=true
and included following HTTP Headers in the request:
Authorization: Basic ***************
Accept: application/json, */*
User-Agent: kubectl.exe/v1.13.0 (windows/amd64) kubernetes/ddf47ac
Result is the following error
{
    "kind": "Status",
    "apiVersion": "v1",
    "metadata": {},
    "status": "Failure",
    "message": "Unauthorized",
    "reason": "Unauthorized",
    "code": 401
}
I already tried the following:
The analogous kubectl request "kubectl describe pods --all-namespaces" works fine (but I need REST)
Used the "--v=12" parameter, as in newkind101's comment to Kubernetes REST API, to see the underlying REST API calls - they look the same as mine
Read the Kubernetes documentation - but I failed to find detailed information on which HTTP headers and/or HTTP body values to send to authenticate properly (the few things I could retrieve came from curl sample calls in those docs)
I read Access Kubernetes API using REST APIs but want to understand my issue before I use a framework like GoDaddy
kubectl seems to do a bit more than I can see with the "--v=12" parameter. This bit is likely connected to things in the ".kube/config" file. Still, I don't know what exactly to put in my HTTP request, and where.
As far as I remember, the Basic authentication method is disabled by default and needs to be enabled by adding the --basic-auth-file flag to the API server configuration; therefore all requests to the REST API are identified as the anonymous user and may result in a 401 Unauthorized error.

Get auth token for accessing Orion FI-LAB instance

I'm trying to make a request to the Orion broker using REST Client, for example an NGSI10 queryContext with a payload like this one:
{
    "entities": [
        {
            "type": "*",
            "isPattern": "false",
            "id": "Sevilla:01727449"
        }
    ]
}
and I always receive the same result:
Auth-token not found in request header
The Orion context broker that I'm using is the FI-WARE Lab context broker, and I want to know how to make an authorized request to this CB using REST Client, if it is possible.
Thanks
The Orion instance at FI-LAB uses OAuth authentication. Thus, you need to include a valid X-Auth-Token HTTP header in your requests to Orion.
Your application should implement OAuth and negotiate with the security framework a valid token for that. However, for debug or quick testing you can use the following shell script in order to get a fresh X-Auth-Token:
https://github.com/fgalan/oauth2-example-orion-client/blob/master/token_script.sh
The script will ask you for your FI-LAB user and password.
Please have a look at https://wiki.fi-ware.org/Publish/Subscribe_Broker_-_Orion_Context_Broker_-_User_and_Programmers_Guide#FI-LAB_context_management_platform to get more detail on the Orion FI-LAB deployment.
EDIT: the recently published Orion Quick Start guide also includes an example on how to use the token_script.sh script that can be useful.