Search code examples
amazon-web-servicesaws-lambdahttp-status-code-403api-keychalice

AWS: Always Getting `"message": "Forbidden"` from API Gateway for Endpoints that Require an API Key

We have deployed a Chalice app to AWS, and we are receiving the following response when calling endpoints that require an API Key:

{
    "message": "Forbidden"
}

Endpoints that don't require an API Key can be called without any issues.

What's strange is that we used to be able to call the endpoints that require an API Key without any issues, so we're also considering a Chalice or AWS update to have caused the issue.

We're using Postman are passing the API Key as a Header in the request:

x-api-key: Our API Key's Value.

We're also not getting any logs in CloudWatch, presumably because the endpoints aren't actually getting called due to the issue. AWS is blocking the request before it even reaches our endpoint.

Our API Key has been configured as follows:

API Key:

  • ID: Our key's ID.
  • Name: Our key's name.
  • API key: Our key's value.
  • Enabled: Enabled

Associated Usage Plan:

  • ID: Our plan's ID.
  • Name: Our plan's name.
  • Throttle: No throttling.
  • Quota: No quota.

The API Key and Usage Plans look properly configured, so we assume the issue is not with the API Key itself.

From the "Troubleshoot API Gateway 403 Forbidden errors" documentation:

If the API Key was invalid (or, we assume, incorrect), we would be getting the below message instead:

"Invalid API Key identifier specified"

However, we are getting the generic "Forbidden" error instead:

"Forbidden"

The documentation only lists three possible causes for this error:

  1. The request is blocked by web application firewall (WAF) filtering when AWS WAF is activated in the API.

  2. When invoking a private API from within an Amazon Virtual Private Cloud (Amazon VPC) using public DNS names, the "Host" or "x-apigw-api-id" header is missing in the request.

  3. The caller uses the default execute-api endpoint to invoke a REST API after disabling the default endpoint.

We believe that none of the above reasons apply to us due to the following:

  1. We don't have a WAF (nor Web ACL) configured in our API Gateway.

  2. We're not invoking a private API from within an Amazon VPC.

  3. We did not disable the default endpoint and are instead using the default Invoke URL.

Did we miss something, or could this be a Chalice or AWS issue?

Solution

  • We found the source of the issue.

    Apparently, the Usage Plan that our API Key was tied to was configured for another API.

    All we had to do was add our API to the Usage Plan's Associated API Stages.