Missing Authentication Token Error with CloudFront & API Gateway

Problem description

I have set up a CloudFront distribution with an API Gateway as one of the origins, and this API Gateway is configured with an AWS IAM authorizer.

When the CloudFront URL is invoked with Authorization headers, it returns a 403 error.

{
    "message": "Missing Authentication Token"
} 

However, when the API Gateway URL is invoked instead of the CloudFront URL with the same Authorization headers, it worked.

I've also tried invoking the endpoint without any authorizer via the CloudFront URL and it worked. Any idea on how to solve this issue?

Recommended answer

When provisioning a CloudFront distribution, remember that CloudFront removes most headers from the request by default.

This is done to optimize the cache hit ratio while preventing your origin server from making decisions based on those headers that would not be appropriate for different requests based on other variations (or absence) of those headers, which CloudFront would then serve from cache, inappropriately.

You'll need to whitelist the Authorization header for forwarding to the origin.

Note also that when provisioning API Gateway behind a CloudFront distribution that you control, you'll probably want to deploy your API endpoint as regional and not edge-optimized.
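
The header whitelisting described in the answer can be checked mechanically. The following is an added example, not part of the original answer: it inspects a dict shaped like the `DistributionConfig` returned by CloudFront's GetDistributionConfig and reports which cache behaviors pointing at the API Gateway origin forward `Authorization` through the legacy `ForwardedValues` setting. The sample config, the origin IDs, the path patterns and the function names are constructed for illustration.

```python
# Constructed sample shaped like the "DistributionConfig" dict returned by
# CloudFront's GetDistributionConfig; origin IDs and path patterns are made up.
SAMPLE_CONFIG = {
    "DefaultCacheBehavior": {
        "TargetOriginId": "site-bucket",
        "ForwardedValues": {"Headers": {"Quantity": 0}},
    },
    "CacheBehaviors": {
        "Quantity": 2,
        "Items": [
            {   # Misconfigured: no headers whitelisted, Authorization is dropped
                "PathPattern": "/api/*",
                "TargetOriginId": "api-gw",
                "ForwardedValues": {"Headers": {"Quantity": 0}},
            },
            {   # Corrected: Authorization whitelisted for forwarding
                "PathPattern": "/v2/*",
                "TargetOriginId": "api-gw",
                "ForwardedValues": {
                    "Headers": {"Quantity": 1, "Items": ["Authorization"]}
                },
            },
        ],
    },
}


def forwards_authorization(behavior):
    """True/False for legacy ForwardedValues; None if the behavior has none."""
    forwarded = behavior.get("ForwardedValues")
    if forwarded is None:
        return None  # header forwarding is configured elsewhere (policies); check there
    items = forwarded.get("Headers", {}).get("Items") or []
    names = {h.lower() for h in items}  # header names are case-insensitive
    return "*" in names or "authorization" in names  # "*" forwards all headers


def audit_origin(config, origin_id):
    """Map each behavior targeting origin_id to its forwarding status."""
    behaviors = [("default", config["DefaultCacheBehavior"])]
    for b in (config.get("CacheBehaviors") or {}).get("Items") or []:
        behaviors.append((b["PathPattern"], b))
    return {name: forwards_authorization(b)
            for name, b in behaviors if b["TargetOriginId"] == origin_id}


if __name__ == "__main__":
    for path, ok in audit_origin(SAMPLE_CONFIG, "api-gw").items():
        print(f"{path}: Authorization forwarded = {ok}")
```

A behavior reported as `False` is one where requests reach API Gateway without the `Authorization` header, which matches the 403 "Missing Authentication Token" response in the question.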
