[amazon-web-services] Missing Authentication Token while accessing API Gateway?

I am trying to call a Lambda Function through AWS API Gateway. When I mention Authentication type NONE it works fine but API become public and anyone with url can access my API. To make API call secure, I am using Authentication type AWS_IAM and also attached AmazonAPIGatewayInvokeFullAccess policy to my user but getting this error:

{ message: "Missing Authentication Token"}

I don't know what I am missing here.

This question is related to amazon-web-services aws-api-gateway

The answer is

For the record, if you wouldn't be using credentials, this error also shows when you are setting the request validator in your POST/PUT method to "validate body, query string parameters and HEADERS", or the other option "validate query string parameters and HEADERS"....in that case it will look for the credentials on the header and reject the request. To sum it up, if you don't intend to send credentials and want to keep it open you should not set that option in request validator(set it to either NONE or to validate body)

If you enable AWS_IAM authentication you must sign your request with AWS credentials using AWS Signature Version 4.

Note: signing into the AWS console does not automatically sign your browser's requests to your API.

Found this in the docs:

If the AWS_IAM authorization were used, you would sign the request using the Signature Version 4 protocols.

Signing request with Signature Version 4

You can also generate an SDK for your API.

How to generate an SDK for an API in API Gateway

Once you've generated the SDK for the platform of your choice, step 6 mentions that if you're using AWS credentials, the request to the API will be signed:

  1. To initialize the API Gateway-generated SDK with AWS credentials, use code similar to the following. If you use AWS credentials, all requests to the API will be signed. This means you must set the appropriate CORS Accept headers for each request:

    var apigClient = apigClientFactory.newClient({
      accessKey: 'ACCESS_KEY',
      secretKey: 'SECRET_KEY',

Well for anyone still having the problem and I really feel very dumb after realizing this, but I passed in the url of /items the default one while adding API. But I kept calling the endpoint with /api. Special thanks to Carlos Alberto Schneider, as I realized my problem after reading your post.

Make sure you are clicking on the specific Resource first in the Stages tree, as that will populate a URL with the full path to the resource (rather than just the root path): enter image description here

For other causes, see http://www.awslessons.com/2017/aws-api-gateway-missing-authentication-token/

I try all the above, if you did all steps in the above answers, and you not solve the problem, then:

  1. on the left menu, hit the "Resources"
  2. in the right to "Resources", hit the api method that you want to test, like "POST/GET etc)
  3. hit the "ACTION" list (it's above to the API method in step 2
  4. select "DEPLOY API" (please do it, even you already deploy yours api)
  5. in "deployment stage" select "prod" or what ever you write in yours previous deploy (it will override yours previous deploy
  6. hit deploy

I thing that because of, when I create the "METHOD REQUEST" (see step 2 how to go to this menu) , in "Authorization" I select "AWS_IAM" after testing api, in aws test option, I try it in "postman" then I understand the in "METHOD REQUEST" , in "Authorization", I should select "none"

I change it to none, but I thing the AWS, need to deploy it again, as I explain

If you set up an IAM role for your server that has the AmazonAPIGatewayInvokeFullAccess permission, you still need to pass headers on each request. You can do this in python with the aws-requests-auth library like so:

import requests
from aws_requests_auth.boto_utils import BotoAWSRequestsAuth
auth = BotoAWSRequestsAuth(
response = requests.get("https://API_ID.execute-api.us-east-1.amazonaws.com/STAGE/RESOURCE", auth=auth)

Make sure you create Resource and then create method inside it. That was the issue for me. Thanks

enter image description here

This error mostly come when you call wrong api end point. Check your api end point that you are calling and verify this on api gateway.

I just had the same issue and it seems it also shows this message if the resource cannot be found.

In my case I had updated the API, but forgotten to redeploy. The issue was resolved after deploying the updated API to my stage.

Looks like (as of April 2019) AWS API Gateway throws this exception for a variety of reasons - mostly when you are hitting an endpoint that API Gateway is not able to reach, either because it is not deployed, or also in cases where that particular HTTP method is not supported.

I wish the gateway sends more appropriate error codes like HTTP 405 Method not supported or HTTP 404 not found, instead of a generic HTTP 403 Forbidden.

To contribute:

I had a similar error because my return response did not contain the 'body' like this:

return { 'statusCode': 200, 'body': "must contain the body tag if you replace it won't work" }

First of all, check whether the API you created in the lamda function is registered with your AWS project or not. For that, go to the API gateway in your AWS console. If it is not registered, register it. This is the main cause of this issue.

You can even see in your aws.export.js file, that there are paths corresponding to your API ['/items'].

Your API must be present there, otherwise it will not append the security token to requests. Just register it in your project cloud-logic in your console for this.

If it's there, then use the above mentioned solution

sometimes this message shown when you are calling a wrong api

check your api endpoint

I had the same problem which I solved the following way:

GET Method test

Authorization tab -> 
•   select type(AWS signature)
•   Add AccessKey and SecretKey

I've lost some time for a silly reason:

When you create a stage, the link displayed does not contain the resource part of the URL:

API URL: https://1111.execute-api.us-east-1.amazonaws.com/dev

API + RESOURCE URL https://1111.execute-api.us-east-1.amazonaws.com/dev/get-list

The /get-list was missing

And of course, you need to check that the method configuration looks like this:

enter image description here

In my case it was quite a stupid thing. I've get used that new entities are created using POST and it was failing with "Missing Authentication Token". I've missed that for some reason it was defined as PUT which is working fine.

If you are using an API with endpoint of type PRIVATE, be sure of:

  1. You are invoking the API from within your AWS account (example: from an EC2 instance created in your account)

  2. Put necessary credential (access and secret keys) in the EC2 instance in route ~/.aws/credentials (this route is for linux instances) If IAM user use MFA aws_session_token value will be required too.

  3. Use vpce (vpc endpoint) based URL. Example: curl https://vpce-0c0471b7test-jkznizi5.execute-api.us-east-1.vpce.amazonaws.com/dev/api/v1/status

  4. Your EC2 instance have a security group than allow outbound traffic to another security group owned by the vpce like: EC2 instance sg

  5. Your vpce security group allow inbound traffic from another security group (previous sg from ec2 instance) owned by the EC2 instance like: vpce sg

See: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html