Learn how to troubleshoot and resolve 403 status code errors when using Amazon API Gateway with a Cognito authorizer for authentication. The solution involves modifying the client GET request Authorization header.
Question
A developer is troubleshooting an application. The application includes several AWS Lambda functions that invoke an Amazon API Gateway API. The API Gateway’s method request is set up to use an Amazon Cognito authorizer for authentication.
All the Lambda functions pass the user ID as part of the Authorization header to the API Gateway API. The API Gateway API returns a 403 status code for all GET requests.
How should the developer resolve this issue?
A. Modify the client GET request to include a valid API key in the Authorization header.
B. Modify the client GET request to include a valid token in the Authorization header.
C. Update the resource policy for the API Gateway API to allow the execute-api:Invoke action.
D. Modify the client to send an OPTIONS preflight request before the GET request.
Answer
B. Modify the client GET request to include a valid token in the Authorization header.
Explanation
If an Amazon API Gateway API returns 403 status codes for every GET request while the method is protected by an Amazon Cognito authorizer, the most likely cause is that the Authorization header does not carry a token the authorizer can validate. In this scenario the Lambda clients send a bare user ID, which is an identifier, not a credential; the authorizer cannot verify it and rejects every request.
The correct solution is therefore B: modify the client GET request to include a valid token in the Authorization header.
When an API Gateway method uses a Cognito user pool authorizer, the client must send a JWT issued by that user pool in the Authorization header: an ID token, or an access token when the method is configured with OAuth scopes. API Gateway verifies the token's signature against the user pool's published signing keys and checks that it was issued by the expected user pool for the expected app client, that it is the right token type, and that it has not expired. Only then is the request passed to the integration; the token's claims (such as sub and cognito:username) become the trusted source of the caller's identity, which is why the user ID should not be trusted from a plain header in the first place.
If the token is missing, malformed, expired, or issued by a different pool or client, access is denied before the backend is invoked. The developer needs to make each Lambda client obtain a token from Cognito by authenticating the user (for example with the InitiateAuth API) and then place that token in the Authorization header of every request to the protected methods. Note that in practice API Gateway usually reports a missing or unparseable token as 401 Unauthorized; a 403 from a Cognito authorizer more often means the token was parsed but rejected, for example because it lacks an OAuth scope the method requires. The remedy is the same either way: send a valid token that matches what the authorizer is configured to accept.
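As an added illustration (not code from the page or from AWS), the following Python reproduces the claim checks a Cognito user pool authorizer applies to whatever arrives in the Authorization header, and shows why a bare user ID such as "user-1234" is rejected while a well-formed user pool token is accepted. The issuer URL, app client ID, key ID and sample tokens are constructed for the example; signature verification against the pool's JWKS endpoint is performed by API Gateway and is noted in a comment rather than reproduced.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Hypothetical user pool and app client; a real deployment substitutes its own.
USER_POOL_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
APP_CLIENT_ID = "1example23456789abcdefghij"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT (header.payload.signature) for the examples.

    The signature segment is a placeholder. Real Cognito tokens are RS256-signed
    with a key published at <issuer>/.well-known/jwks.json.
    """
    header = {"alg": "RS256", "kid": "example-key-id"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def check_cognito_token(token: str, now: Optional[float] = None,
                        required_scope: Optional[str] = None) -> Tuple[bool, str]:
    """Apply the claim checks a Cognito user pool authorizer applies.

    Returns (accepted, reason). Signature verification against the pool's JWKS
    is what API Gateway does first; it is not reproduced in this example.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a JWT: expected header.payload.signature"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64url or bad JSON (json/binascii errors subclass ValueError)
        return False, "not a JWT: header or payload is not base64url-encoded JSON"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "not a JWT: header and payload must be JSON objects"
    if header.get("alg") != "RS256" or "kid" not in header:
        return False, "unexpected header: user pool tokens are RS256 with a kid"
    if claims.get("iss") != USER_POOL_ISSUER:
        return False, "iss does not match the configured user pool"
    token_use = claims.get("token_use")
    if token_use == "id":
        if claims.get("aud") != APP_CLIENT_ID:
            return False, "aud does not match the app client"
        if required_scope:
            return False, "method requires an OAuth scope; send an access token"
    elif token_use == "access":
        if claims.get("client_id") != APP_CLIENT_ID:
            return False, "client_id does not match the app client"
        if required_scope and required_scope not in str(claims.get("scope", "")).split():
            return False, f"access token lacks required scope {required_scope}"
    else:
        return False, "token_use must be 'id' or 'access'"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "token expired or exp claim missing"
    return True, f"accepted {token_use} token for sub={claims.get('sub')}"


def authorize_request(headers: dict, **kwargs) -> Tuple[bool, str]:
    """Take the token from the Authorization header (the authorizer's default
    token source) and validate it. A bare user ID fails at the first check."""
    token = headers.get("Authorization", "")
    if not token:
        return False, "no Authorization header"
    return check_cognito_token(token, **kwargs)


if __name__ == "__main__":
    fixed_now = 1_700_000_000  # constructed clock so the sample tokens are stable
    good = make_sample_token({"iss": USER_POOL_ISSUER, "client_id": APP_CLIENT_ID,
                              "token_use": "access", "scope": "orders/read",
                              "sub": "8a1b2c3d", "exp": fixed_now + 3600})
    print(authorize_request({"Authorization": "user-1234"}))          # rejected
    print(authorize_request({"Authorization": good}, now=fixed_now))  # accepted
```

To obtain a real token for the client side, the Lambda functions would authenticate the user against the pool, for example with `aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id <app-client-id> --auth-parameters USERNAME=...,PASSWORD=...` (assuming that auth flow is enabled on the app client), and send the returned IdToken or AccessToken as the Authorization header value.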
The other options are incorrect because:
A) API keys are not an authentication mechanism. They identify a client application for usage plans and throttling, are sent in the x-api-key header rather than Authorization, and are ignored by a Cognito authorizer, so adding one does not make the request acceptable.
C) A resource policy controls which principals, source IPs, VPCs or accounts may call the API at all; it does not turn a user ID into a credential the Cognito authorizer can verify. Nothing in the scenario suggests the policy is denying the calls, so changing it would not resolve the 403.
D) An OPTIONS preflight request is part of CORS and only matters for browser clients checking whether a cross-origin request is permitted. The callers here are Lambda functions, and a preflight would not supply the missing token in any case.
So in summary, the developer should modify their client application to obtain a valid JWT access token from Cognito and include it in the Authorization header of the GET requests to the API Gateway API. This will allow the Cognito authorizer to properly authenticate and authorize the requests.
Amazon AWS Certified Developer – Associate DVA-C02 certification exam assessment practice question and answer (Q&A) dump including multiple choice questions (MCQ) and objective type questions, with detail explanation and reference available free, helpful to pass the Amazon AWS Certified Developer – Associate DVA-C02 exam and earn Amazon AWS Certified Developer – Associate DVA-C02 certification.