amazon-web-services, aws-lambda, aws-api-gateway

AWS API Gateway - lambda integration missing authorization header


My API includes various GET, POST and DELETE endpoints set up in AWS API Gateway. Each endpoint is integrated with Lambda and calls its own Lambda Python function.

I have set up authorization manually (not through AWS authorizers): I call the endpoints with a bearer token in the "Authorization" header, and the Lambda functions access event["headers"]["Authorization"] to obtain the token. This works fine for POST and DELETE endpoints. However, when calling GET endpoints, the "Authorization" header is missing from the event["headers"] object (only other headers added by AWS are present).

I have tried calling the GET endpoints through various methods. Also worth mentioning that this is not a case sensitivity issue - the token I provide is not found anywhere in the events object.

All my endpoints are configured like this in API Gateway:

  • Method Request:

api gateway screenshot

  • Integration Request:

api gateway screenshot

Does API Gateway or Lambda remove the "Authorization" automatically for GET calls?


Solution

  • As you've mentioned that you use CloudFront in front of your API gateway, I believe I know what the problem is.

    By default, CloudFront strips away params and headers from the request before forwarding it to origin. You need to modify your cache behaviour to forward the Authorization header to origin.

    Go to your CloudFront distribution, and edit the behaviour for that distribution. Then, scroll down to 'Cache key and origin requests'.

    You need to create a new cache policy that forwards the Authorization header, like so:

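Added example (not part of the original answer): the cache policy described above, written as the `CachePolicyConfig` structure that boto3's `cloudfront.create_cache_policy` accepts, together with a check that can be run against an existing policy's config. The policy name, the TTL values and the helper function names are assumptions made for illustration.

```python
"""Cache policy that forwards Authorization to the origin and keys the cache on it."""


def build_cache_policy(name="api-forward-authorization"):  # name is an assumption
    """Return a CachePolicyConfig dict for cloudfront.create_cache_policy."""
    return {
        "Name": name,
        "Comment": "Forward Authorization to API Gateway",
        # Constructed TTLs: keep authenticated responses short-lived.
        "MinTTL": 0, "DefaultTTL": 0, "MaxTTL": 1,
        "ParametersInCacheKeyAndForwardedToOrigin": {
            "EnableAcceptEncodingGzip": True,
            "EnableAcceptEncodingBrotli": True,
            # Whitelisted headers are forwarded AND become part of the cache
            # key, so a response cached for one token is not served to another.
            "HeadersConfig": {
                "HeaderBehavior": "whitelist",
                "Headers": {"Quantity": 1, "Items": ["Authorization"]},
            },
            "CookiesConfig": {"CookieBehavior": "none"},
            "QueryStringsConfig": {"QueryStringBehavior": "all"},
        },
    }


def forwards_authorization(policy_config):
    """True if the policy whitelists Authorization (header names are case-insensitive)."""
    headers = (policy_config.get("ParametersInCacheKeyAndForwardedToOrigin", {})
               .get("HeadersConfig", {}))
    if headers.get("HeaderBehavior") != "whitelist":
        return False
    items = headers.get("Headers", {}).get("Items", [])
    return any(h.lower() == "authorization" for h in items)


def create_policy(cloudfront_client):
    """Create the policy; pass boto3.client("cloudfront"). Returns the new policy Id."""
    resp = cloudfront_client.create_cache_policy(CachePolicyConfig=build_cache_policy())
    return resp["CachePolicy"]["Id"]


if __name__ == "__main__":
    # Constructed sample: a policy with no headers in the cache key.
    no_headers = {"ParametersInCacheKeyAndForwardedToOrigin": {
        "HeadersConfig": {"HeaderBehavior": "none"}}}
    print(forwards_authorization(no_headers))
    print(forwards_authorization(build_cache_policy()))
```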