Serverless Framework AWS 403 Forbidden Error with Domain Only

I am working on a serverless setup for a project and ran into a strange error. This was working fine before I had to delete my old certificates and make a new one.

In short, I am following the tutorial series at serverless-stack.com for reference, and when running the apig-test command I get the following error.

{ status: 403,
  statusText: 'Forbidden',
  data: { message: 'Forbidden' } }

This screams policy error to me. So I went to check my policy to make sure it allows execution for the AuthRole, and indeed it does. I verified this in the IAM section under Roles and looked at my service's Auth_Role that I created when I set up Cognito.

I don't want to give information overload here, but if anyone has any ideas for where to look next I would be much appreciative and I'll give any details you want to see here.

One thing I want to note is that if I run the apig-test command with the direct URL to the Lambda function instead of my domain it works perfectly fine.

This proves that nothing is wrong with my code but more a policy setting regarding how I set up the domain.

I ran sls create_domain accordingly and I see the entries in Route53 & API Gateway, and they finished their 40 minutes many hours ago. I ensured it's using the correct certificate since I wiped out the other one.

My custom domains have worked in the past thanks to a plugin I found and this tutorial here (https://serverless.com/blog/serverless-api-gateway-domain/); it's only recently that it stopped working, when I realized I needed to add some more domains to my SSL cert.

So I assume the policy error is somewhere around this but not sure where to look?

Lundquist answered 19/11, 2017 at 13:7 Comment(5)
1. Do you have an authorizer in your API Gateway setup? 2. Is the route you're trying to access visible in the API Gateway resources? – Parlay
For #2, in custom domains in API Gateway I do see the names and they finished their provisioning a while back. The CNAME records are also set accordingly in Route53 to the target domain name specified. – Lundquist
I'm not sure what an authorizer is in the API Gateway setup? How do I check that part? – Lundquist
Oh and yes, under the APIs I see all my routes. They definitely work, because with the super long domain name they give you by default it works if I use that domain name with the command; it just doesn't work with my custom domains anymore for some reason. – Lundquist
In my case, I just had to deploy again and it worked. – Gloriagloriana

Ok, I found the answer. In the API Gateway under custom domains there is a section called Base Path Mappings. This MUST be set to one of your functions with the default path of / (or just enter nothing for the path) and then the destination to your lambda service. This seemed to make it work for me.

Lundquist answered 19/11, 2017 at 19:56 Comment(0)
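The check described in the answer above, as an added example that is not part of the original post: a simplified model of how a custom domain's base path mappings decide whether a request reaches an API or gets the 403 Forbidden from the question. The sample objects are constructed in the shape returned by `aws apigateway get-base-path-mappings`; the API ID and stage are placeholders, and `resolveMapping` and `forbiddenPaths` are hypothetical helper names.

```javascript
// Constructed samples shaped like `aws apigateway get-base-path-mappings` output.
// restApiId and stage are placeholders, not values from the original post.
const mappingsEmpty = { items: [] }; // domain recreated, no mapping yet
const mappingsV1Only = {
  items: [{ basePath: "v1", restApiId: "abc123placeholder", stage: "prod" }],
};
const mappingsRoot = {
  // API Gateway reports an empty base path as "(none)"
  items: [{ basePath: "(none)", restApiId: "abc123placeholder", stage: "prod" }],
};

// Simplified, single-level model (an assumption of this example): a named
// base path matches the first path segment and is stripped before
// forwarding; otherwise the root mapping is used; otherwise 403.
function resolveMapping(mappings, requestPath) {
  const items = (mappings && mappings.items) || [];
  const segments = requestPath.split("?")[0].split("/").filter(Boolean);
  const isRoot = (m) => !m.basePath || m.basePath === "(none)";

  const named = items.find((m) => !isRoot(m) && m.basePath === segments[0]);
  if (named) {
    return {
      status: "routed",
      restApiId: named.restApiId,
      stage: named.stage,
      forwardedPath: "/" + segments.slice(1).join("/"),
    };
  }
  const root = items.find(isRoot);
  if (root) {
    return {
      status: "routed",
      restApiId: root.restApiId,
      stage: root.stage,
      forwardedPath: "/" + segments.join("/"),
    };
  }
  // Same response body as in the question: { message: 'Forbidden' }
  return { status: "forbidden", statusCode: 403, body: { message: "Forbidden" } };
}

// List which of the given paths would be rejected on the custom domain.
function forbiddenPaths(mappings, paths) {
  return paths.filter((p) => resolveMapping(mappings, p).status === "forbidden");
}

console.log(forbiddenPaths(mappingsEmpty, ["/notes", "/v1/notes"]));
console.log(resolveMapping(mappingsRoot, "/notes"));
```

The default `execute-api` URL bypasses these mappings entirely, which matches the question's observation that the direct URL kept working while the custom domain returned 403.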
