Receive Message: Denied Response from AWS API Gateway

[SOLVED] New to AWS (and StackOverflow). I am trying to create a Lambda service on AWS and access it externally through an API gateway without the need for authentication or restriction.

To simplify the task, I now installed the gateway as a layout.

In the GET API method, authorization is set to None, and the API key is not required.

When I try to do this, I get {"message":"Forbidden"} (the same message if I connect it to the actual lambda service).

Any tips on how to make it available? Thanks

+27
source share
15 answers

If you set the Required API Key parameter to True, check below.

  • You need to pass the x-api-key HTTP header to API Gateway.
  • You need to create an API key.
  • In addition, you need to check the API Key Usage Plan in the API Gateway console.
+41
source

On the API Gateway toolbar, select Resources, click Actions, and select Deploy API. Before your first deployment, the only answer you get is {"message":"Forbidden"} .

+33
source

If you use a custom domain name and forget to select the assignment stage, you will receive a Forbidden message.

Just go to Custom Domain Names and click Edit in your domain, and then select the stage under Base Path Mappings.

+14
source

I had a similar problem and I had the following:

  • User Domain (Edge Optimized)
  • Several stages (dev, staging, prod)

I also did not set any authority or restrictions to make things simple.

I managed to fix the problem by adding base path mappings for each of my stages (dev, staging, prod).

+6
source

If the Authorization method and API KEY Required for the method are set to true, then when sending the request, make sure that you have the following headers:

  • Content-Type (usually application/x-www-form-urlencoded if a GET call)
  • Host
  • X-Amz-Date
  • Authorization
  • x-api-key

I use POSTMAN to test the API, which is fairly robust, and then directs it straight ahead.

Note: Do not add the x-api-key header if you set API KEY Required to FALSE. And if you set Authorization to FALSE, do not add the Authorization header.

+3
source

If 'API Key Required' is set to true, you must pass the API key as a header.

The API key is passed as the header field "x-api-key". Even after adding this field to the header, this problem may occur. In this case, please confirm the points below.

  • Do you have a usage plan? If not, you need to create one.
  • Associate your API with the Usage Plan. To do this, add a stage, it will bind your API.
  • Do you have an API Key? If not, you need to create an API key and enable it.
  • Add the usage plan associated with your API to this API key. To do this, add a usage plan.
+3
source

I got this error from an nginx Fargate service trying to access a private API in API Gateway. I needed to add a policy under Resource Policies in my API, like this:

 {
   "Version": "2012-10-17",
   "Statement": [
     {
       "Effect": "Allow",
       "Principal": "*",
       "Action": "execute-api:Invoke",
       "Resource": "arn:aws:execute-api:us-east-1:<AccountID>:<RestApiID>/*",
       "Condition": {
         "StringEquals": {
           "aws:sourceVpce": "<VPC Endpoint ID for execute-api>"
         }
       }
     }
   ]
 }
+1
source
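
The resource policy in the answer above allows Principal "*", so the aws:sourceVpce condition is the only thing keeping the API from being invocable by anyone. The following check is an added example, not code from the answer or from AWS: it flags Allow statements that grant execute-api:Invoke to any principal without a source restriction. The function names and the constructed OPEN variant are assumptions made for illustration.

```python
import json

# Condition keys that tie a request to a network origin (IAM keys are case-insensitive).
SOURCE_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:sourceip"}
# Only positive operators count; negated or ...IfExists forms are treated as
# "no restriction" so the check errs on the side of reporting.
RESTRICTING_OPS = {"stringequals", "stringlike", "ipaddress"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal):
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def _source_restricted(condition):
    for op, keys in (condition or {}).items():
        base = op.lower().split(":")[-1]  # drop ForAnyValue:/ForAllValues:
        if base in RESTRICTING_OPS and any(k.lower() in SOURCE_KEYS for k in keys):
            return True
    return False

def open_invoke_statements(policy_json):
    """Indexes of Allow statements letting any principal invoke with no source limit.
    A separate Deny statement elsewhere in the policy is not taken into account."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        invokes = any(a in ("*", "execute-api:*", "execute-api:invoke") for a in actions)
        if (stmt.get("Effect") == "Allow" and invokes
                and _wildcard_principal(stmt.get("Principal"))
                and not _source_restricted(stmt.get("Condition"))):
            findings.append(i)
    return findings

# The policy from the answer above, placeholders kept as posted.
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
    "Resource": "arn:aws:execute-api:us-east-1:<AccountID>:<RestApiID>/*",
    "Condition": {"StringEquals": {"aws:sourceVpce": "<VPC Endpoint ID for execute-api>"}}}]})
# Constructed variant: same statement with the Condition block dropped.
OPEN = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
    "Resource": "arn:aws:execute-api:us-east-1:<AccountID>:<RestApiID>/*"}]})

if __name__ == "__main__":
    print(open_invoke_statements(SCOPED), open_invoke_statements(OPEN))
```
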

This may not be obvious, but another reason for the "Forbidden" error when using the AWS API Gateway may be an incorrect URL that does not match any of the API methods deployed. This can happen if you actually hit the wrong URL (for example, instead of calling https://9999xx9x99.execute-api.us-east-1.amazonaws.com/dev/users (note the dev stage before users), you called https://9999xx9x99.execute-api.us-east-1.amazonaws.com/users (without a stage)). You expect to get 404, but you will get 403.

By the way, if, after you perform the deployment on https://9999xx9x99.execute-api.us-east-1.amazonaws.com/dev/users, you call https://9999xx9x99.execute-api.us-east-1.amazonaws.com/user (note the singular noun form here), you will also receive ... 403, but with the message "Missing Authentication Token"!

+1
source

Local firewall/antivirus or NGIPS (Cisco Bluecoat). The latter was my case, where I would not even get the logs to CloudWatch from my API. It allowed my website hosted on the top-level domain, but blocked the api subdomain with a 403, and there was no body on the dev-tools tab in the browser.

+1
source

There are a few things to do when we receive the {message: forbidden} in the API gateway:

Is CORS enabled?

  1. Check if CORS is enabled in the API (first, enable the origin '*' so that we can safely test)
  2. Deploy the API to make sure all settings are as expected.

Is the API key enabled?

  1. Check if the API key is enabled in the API gateway
  2. Check if the API key is configured.
  3. Check if your API key is assigned for the correct usage plan, and add an API stage, without an API stage you will always receive {message: forbidden}

If you're still having problems, let me know so that I or one of our cloud gurus @levarne can help.

+1
source

We encountered this problem in our production when we used Kong as an API gateway. Our requests went through when they were initiated from Postman, but failed with 403 when they were initiated through code. A Kong plugin was enabled which allowed only requests initiated from a browser or mobile application, based on the value of the User-Agent header. Our requests initiated through the HTTP client were not completed. After we disabled the bot plugin, the error did not occur. Now it allows requests when the user agent is Apache-HttpClient/4.5.2 (Java/1.8.0_91).

0
source

I may be late, but one of the reasons the API gateway can display "forbidden" messages is when you pass a request body for a GET operation. To solve the problem, either make your resource a POST, or do not pass data in the request body.

0
source

You need to deploy your API to a stage and use the URL of the stage. Go to the Resources section, click Actions and select Deploy API.

Now if you get an error

{"Message": "Forbidden"}.

Please check the following steps

1) If you enabled the API key, copy it and pass your key in Postman

2) If you are still getting the same error, you will need to create a usage plan

3) Set a limit and assign the plan to your API

0
source

I received {"message":"Forbidden"} in the API with the EndpointConfiguration set to PRIVATE, and a VpcEndpoint was created for it on the private Vpc subnets (this is an interservice API)

I got {"message":"Forbidden"} because I was under the impression that I should use one of the VpcEndpoint URLs. The URL to use is still the one associated with the stage (in the ApiGateway console). It is:

https://${RestApiId}.execute-api.${Region}.amazonaws.com/${StageName}

0
source
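
Two answers above come down to the shape of the invoke URL: the stage must be the first path segment, and the resource after it must match something deployed. The following pre-flight check is an added example, not code from any of the answers: it parses a URL in the format quoted above and reports which of the two 403 cases described on this page it would hit. The function name, verdict strings and resource templates are assumptions, and a "{name}" template segment is assumed to match exactly one path segment.

```python
import re
from urllib.parse import urlsplit

# Default invoke hostname: <RestApiId>.execute-api.<Region>.amazonaws.com
HOST_RE = re.compile(
    r"^(?P<api_id>[a-z0-9]+)\.execute-api\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$")

def _matches(template, segments):
    """Match '/users/{id}' style templates; '{name}' accepts one path segment."""
    parts = [p for p in template.split("/") if p]
    if len(parts) != len(segments):
        return False
    return all(p == s or (p.startswith("{") and p.endswith("}"))
               for p, s in zip(parts, segments))

def diagnose_invoke_url(url, deployed_stages, resource_templates):
    """Return (verdict, detail) for a URL checked against a local description of the API."""
    parts = urlsplit(url)
    host = HOST_RE.match(parts.hostname or "")
    if host is None:
        # Custom domains route by base path mapping, which this check cannot see.
        return ("custom-host", "not a default execute-api hostname; check base path mappings")
    segments = [s for s in parts.path.split("/") if s]
    if not segments or segments[0] not in deployed_stages:
        return ("no-stage", 'first path segment is not a deployed stage: 403 "Forbidden"')
    if not any(_matches(t, segments[1:]) for t in resource_templates):
        return ("no-resource", 'unknown resource: 403 "Missing Authentication Token"')
    return ("ok", "stage %s of API %s in %s" % (segments[0], host["api_id"], host["region"]))

# Constructed description of the API; the URLs are the ones quoted in the answers.
STAGES = {"dev"}
RESOURCES = ["/users", "/users/{id}"]
BASE = "https://9999xx9x99.execute-api.us-east-1.amazonaws.com"

if __name__ == "__main__":
    for path in ("/dev/users", "/users", "/dev/user"):
        print(path, diagnose_invoke_url(BASE + path, STAGES, RESOURCES))
```
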

I could find a solution to this problem. I had the same problem right now on macOS. I tried to clear my DNS, and then it worked!

Try this in the terminal:

Mac OS X Yosemite and later

 sudo killall -HUP mDNSResponder 

Mac OS X Yosemite from version 10.10 to version 10.10.3

 sudo discoveryutil mdnsflushcache 

Mac OS X Mavericks, Mountain Lion and Lion

 sudo killall -HUP mDNSResponder 

Mac OS X Snow Leopard

 sudo dscacheutil -flushcache 
0
source

Source: https://habr.com/ru/post/1012926/

