Missing Authentication Token while accessing API Gateway

Question

I am trying to call a Lambda Function through AWS API Gateway   When I mention Authentication type NONE it works fine but API become public and anyone with url can access my API  To make API call secure  I am using Authentication type AWS IAM and  also attached AmazonAPIGatewayInvokeFullAccess policy to my user but getting this error     message   Missing Authentication Token     I don t know what I am missing here

User · Answer

If you are using an API with endpoint of type PRIVATE, be sure of:

You are invoking the API from within your AWS account (example: from an EC2 instance created in your account)
Put necessary credential (access and secret keys) in the EC2 instance in route ~/.aws/credentials (this route is for linux instances) If IAM user use MFA aws_session_token value will be required too.
Use vpce (vpc endpoint) based URL. Example: curl https://vpce-0c0471b7test-jkznizi5.execute-api.us-east-1.vpce.amazonaws.com/dev/api/v1/status
Your EC2 instance have a security group than allow outbound traffic to another security group owned by the vpce like:
Your vpce security group allow inbound traffic from another security group (previous sg from ec2 instance) owned by the EC2 instance like:

See: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html

User · Answer

This error mostly come when you call wrong api end point  Check your api end point that you are calling and verify this on api gateway

User · Answer

I just had the same issue and it seems it also shows this message if the resource cannot be found   In my case I had updated the API  but forgotten to redeploy  The issue was resolved after deploying the updated API to my stage

User · Answer

First of all  check whether the API you created in the lamda function is registered with your AWS project or not  For that  go to the API gateway in your AWS console  If it is not registered  register it  This is the main cause of this issue    You can even see in your aws export js file  that there are paths corresponding to your API    items      Your API must be present there  otherwise it will not append the security token to requests  Just register it in your project cloud-logic in your console for this   If it s there  then use the above mentioned solution http   docs aws amazon com apigateway latest developerguide how-to-use-postman-to-call-api html

User · Answer

I think you are directly trying to access API link  this won t work because API is secured using IAM role and you must provide AWS authentication i e Access key and Secret key   Use the Postman Chrome extension to test your API  http   docs aws amazon com apigateway latest developerguide how-to-use-postman-to-call-api html

User · Answer

To contribute  I had a similar error because my return response did not contain the  body  like this  return    statusCode   200   body    quot must contain the body tag if you replace it won t work quot

User · Answer

Make sure you create Resource and then create method inside it  That was the issue for me  Thanks

User · Answer

sometimes this message shown when you are calling a wrong api  check your api endpoint

User · Answer

Looks like  as of April 2019  AWS API Gateway throws this exception for a variety of reasons - mostly when you are hitting an endpoint that API Gateway is not able to reach  either because it is not deployed  or also in cases where that particular HTTP method is not supported   I wish the gateway sends more appropriate error codes like HTTP 405 Method not supported or HTTP 404 not found  instead of a generic HTTP 403 Forbidden

User · Answer

If you enable AWS IAM authentication you must sign your request with AWS credentials using AWS Signature Version 4    Note  signing into the AWS console does not automatically sign your browser s requests to your API

User · Answer

In my case it was quite a stupid thing  I ve get used that new entities are created using POST and it was failing with  quot Missing Authentication Token quot   I ve missed that for some reason it was defined as PUT which is working fine

User · Answer

Make sure you are clicking on the specific Resource first in the Stages tree  as that will populate a URL with the full path to the resource  rather than just the root path     For other causes  see http   www awslessons com 2017 aws-api-gateway-missing-authentication-token

User · Answer

I ve lost some time for a silly reason   When you create a stage  the link displayed does not contain the resource part of the URL   API URL  https   1111 execute-api us-east-1 amazonaws com dev  API   RESOURCE URL https   1111 execute-api us-east-1 amazonaws com dev get-list  The  get-list was missing  And of course  you need to check that the method configuration looks like this

User · Answer

I had the same problem which I solved the following way  GET Method test https   54wtstq8d2 execute-api ap-southeast-2 amazonaws com dev echo hello  Authorization tab - gt         select type AWS signature        Add AccessKey and SecretKey

User · Answer

I try all the above  if you did all steps in the above answers  and you not solve the problem  then   on the left menu  hit the  quot Resources quot  in the right to  quot Resources quot   hit the api method that you want to test  like  quot POST GET etc  hit the  quot ACTION quot  list  it s above to the API method in step 2 select  quot DEPLOY API quot   please do it  even you already deploy yours api  in  quot deployment stage quot  select  quot prod quot  or what ever you write in yours previous deploy  it will override yours previous deploy hit deploy  I thing that because of  when I create the  quot METHOD REQUEST quot   see step 2 how to go to this menu    in  quot Authorization quot  I select  quot AWS IAM quot  after testing api  in aws test option  I try it in  quot postman quot  then I understand the in  quot METHOD REQUEST quot    in  quot Authorization quot   I should select  quot none quot  I change it to none  but I thing the AWS  need to deploy it again  as I explain

User · Answer

If you set up an IAM role for your server that has the AmazonAPIGatewayInvokeFullAccess permission  you still need to pass headers on each request   You can do this in python with the aws-requests-auth library like so  import requests from aws requests auth boto utils import BotoAWSRequestsAuth auth   BotoAWSRequestsAuth      aws host  quot API ID execute-api us-east-1 amazonaws com quot       aws region  quot us-east-1 quot       aws service  quot execute-api quot    response   requests get  quot https   API ID execute-api us-east-1 amazonaws com STAGE RESOURCE quot   auth auth

User · Answer

Well for anyone still having the problem and I really feel very dumb after realizing this  but I passed in the url of  items the default one while adding API  But I kept calling the endpoint with  api  Special thanks to Carlos Alberto Schneider  as I realized my problem after reading your post

User · Answer

For the record  if you wouldn t be using credentials  this error also shows when you are setting the request validator in your POST PUT method to  validate body  query string parameters and HEADERS   or the other option  validate query string parameters and HEADERS     in that case it will look for the credentials on the header and reject the request  To sum it up  if you don t intend to send credentials and want to keep it open you should not set that option in request validator set it to either NONE or to validate body

User · Answer

Found this in the docs    If the AWS IAM authorization were used  you would sign the request using the Signature Version 4 protocols    Signing request with Signature Version 4    You can also generate an SDK for your API    How to generate an SDK for an API in API Gateway  Once you ve generated the SDK for the platform of your choice  step 6 mentions that if you re using AWS credentials  the request to the API will be signed    To initialize the API Gateway-generated SDK with AWS credentials  use code similar to the following  If you use AWS credentials  all requests to the API will be signed  This means you must set the appropriate CORS Accept headers for each request   var apigClient   apigClientFactory newClient     accessKey   ACCESS KEY     secretKey   SECRET KEY

[amazon-web-services] Missing Authentication Token while accessing API Gateway?

Examples related to amazon-web-services

Examples related to aws-api-gateway