CORS Request to API Gateway not working in browser
Alright, I'm ready to look very silly. I'd bet money this is a simple problem, I'm just not seeing what I am doing wrong.
I recently deployed a SAM application that sets up an API Gateway. Relevant configuration as followed
# SAM Template Headers + Some Parameters; nothing relating to this.
Resources:
# The Api Gateway necessary for the authorizers.
ApiGateway:
Type: AWS::Serverless::Api
Properties:
StageName: !Ref Stage
Cors: "'*'"
Auth:
DefaultAuthorizer: MyCognitoAuthorizer
Authorizers:
MyCognitoAuthorizer:
UserPoolArn: !ImportValue UserPoolArn
# some other functions, but one function should do it.
# Verified that all functions are referencing the custom ApiGateway resource.
PutTodosFunction:
Type: AWS::Serverless::Function
Properties:
Handler: src/handlers/add.putItemHandler
Description: Adds a todo.
Policies:
- DynamoDBCrudPolicy:
TableName: !Ref TodosTable
Environment:
Variables:
TODOS_TABLE: !Ref TodosTable
NODE_ENV: !If [isProd, 'production', 'development']
REGION: !Ref AWS::Region
Events:
PutTodo:
Type: Api
Properties:
RestApiId: !Ref ApiGateway
Path: /
Method: PUT
And here's where I feel like I'm going crazy. As you can see, my API Gateway uses AWS Cognito for authorization, so I was testing the flow using the Insomnia desktop application.
All requests work fine, so long as I remember to supply the necessary token. I figured I was golden until I started trying to make the same requests through the browser.
Now I get errors like the following when trying to make the request:
Access to fetch at 'https://xpquux202j.execute-api.us-west-2.amazonaws.com/alpha/' from origin 'https://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
The code calling this has gone through some iterations, but the most recent is:
const headers = new Headers();
headers.append('Authorization', 'Bearer <JWT Token Goes Here>');
fetch(API_URL, {
headers,
method: 'options', // have tried put/get as well. Neither goes through.
mode: 'cors' // tried cors and no-cors
})
.then(console.log)
.catch(console.log);
Originally with the error I thought something on the API Gateway side was misconfigured, but making an OPTIONS request to the endpoint (in Insomnia) gives:
And testing it in 
TYIA for any help; I'm sure it's something small that I'm missing I'm sort of tired of trying to figure this out.
Alright so the original question is resolved... sort of.
Tl;Dr you can use the AddDefaultAuthorizerToCorsPreflight option in the Auth key of the AWS::Serverless::Api call, e.g.
ApiGateway:
Type: AWS::Serverless::Api
Properties:
StageName: !Ref Stage
Cors: "'*'"
Auth:
DefaultAuthorizer: MyCognitoAuthorizer
AddDefaultAuthorizerToCorsPreflight: false
Authorizers:
MyCognitoAuthorizer:
UserPoolArn: !ImportValue UserPoolArn
however, this creates another CORS related issue. When you create the API Gateway with this setup the OPTIONS request does not have the Access-Control-Allow-Headers header in its response. I'm still waiting to hear back from the AWS Sam team about it on the Github issue here: https://github.com/aws/serverless-application-model/issues/2136#issuecomment-915708356
So far the work around is to simply enable CORS from the console, which will then have the necessary Authorization headers. Obviously not great, but also not particularly game breaking either.
Update
After some digging, I've found that making these changes gets the API Gateway to deploy with no errors. The CORS section needs to look like this in the ApiGateway resource.
ApiGateway:
Type: AWS::Serverless::Api
Properties:
StageName: !Ref Stage
Cors:
AllowHeaders: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
AllowMethods: "'*'"
AllowOrigin: "'*'"
# same Auth: definition as above.
- What is the best way of getting files from AWS S3, inserting them into zip and uploading that zip to the bucket?
- Is there any API available for AWS Pricing Calculator
- Append data to an S3 object
- How to handle UnprocessedItems using AWS JavaScript SDK (dynamoDB)?
- How to configure AWS Application Load Balancer to point to multiple ports on the same server
- How to query AWS DynamoDb using GSI Index and FilterExpression
- How to make MSCK REPAIR TABLE execute automatically in AWS Athena
- How to add 'Super' privileges to the Aurora database?
- AWS Elasticache -- How to flush node from console?
- Delete Files when using CloudFront
- zsh: parse error near `\n' when Adding AWS keys as environment variables
- How do I execute a BatchWriteCommand from Lambda to DynamoDB using the @aws-sdk/lib-dynamodb package?
- AWS Deployment Failed due to "HEALTH_CONSTRAINTS"
- Connection between SSO Permission Set and IAM Role
- Creating IAM user via terraform and upload the secret key and access key in S3 bucket
- Is it possible to share Parameter Store keys in another AWS Account for same region?
- pySpark Hadoop AWS s3 requester-pays.enabled config doesn't work
- Sagemaker SDK on lambda function
- How can I deserialize the incoming AWS Lambda request into a lombok @Value or @Data class?
- Tagging s3 in AWS
- Use AWS services without an AWS account
- how to pass environment variables to an aws batch job definition
- Calculate MD5 from AWS S3 ETag
- AWS S3 and AWS storage gateway
- I want to use boto3 in async function, python
- How to tag Images output by AWS Image Builder Pipeline to include the Image in a Lifecycle Policy
- DynamoDB - Key element does not match the schema
- How to upgrade AWS CLI to the latest version?
- Using Github Relase .zip file for Lambda Function
- Install zip module on php 8.2 amazon linux elastic beanstalk