
My API includes various GET, POST and DELETE endpoints set up in AWS API Gateway. Each endpoint is integrated with Lambda and calls its own Lambda python function.

I have set up authorization manually (not through AWS authorizers): I call the endpoints with a bearer token in the "Authorization" header, and the Lambda functions access event["headers"]["Authorization"] to obtain the token. This works fine for POST and DELETE endpoints. However, when calling GET endpoints, the "Authorization" header is missing from the event["headers"] object (only other headers added by AWS are present).

I have tried calling the GET endpoints through various methods. Also worth mentioning that this is not a case sensitivity issue - the token I provide is not found anywhere in the events object.

All my endpoints are configured like this in API Gateway:

  • Method Request: (API Gateway screenshot)
  • Integration Request: (API Gateway screenshot)

Does API Gateway or Lambda remove the "Authorization" automatically for GET calls?

  • Are you using CloudFront in front of the API gateway? Commented Jan 31, 2023 at 6:40
  • Yes, I'm using CloudFront. I definitely should have mentioned that. My "behavior" is not set up with any "Response headers policy" at the moment. Commented Jan 31, 2023 at 16:10
  • CloudFront strips away headers for GET requests unless you specify to forward them. It's under "Cache key and origin requests" under the Behavior option. You should create a custom cache policy to include the Authorization header. Commented Feb 1, 2023 at 3:10

1 Answer

As you've mentioned that you use CloudFront in front of your API gateway, I believe I know what the problem is.

By default, CloudFront strips away params and headers from the request before forwarding it to origin. You need to modify your cache behaviour to forward the Authorization header to origin.

Go to your CloudFront distribution, and edit the behaviour for that distribution. Then, scroll down to 'Cache key and origin requests'.


You need to create a new cache policy that forwards the Authorization header, like so:



2 Comments

Thank you! That worked, although I am still confused about why this was necessary for GET requests and not POST, PUT and DELETE requests.
Because only GET and HEAD requests are cached
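As an added example (not code from the question or the answer above): the cache policy the answer describes, expressed as a boto3 CachePolicyConfig, plus an audit check that an existing policy really carries Authorization in its cache key (which also keeps one caller's cached GET response from being served to a caller with a different token), and a Lambda-side lookup that returns 401 instead of raising KeyError when the header never reaches the function. The policy name, the TTLs and the handler body are assumptions.

```python
def authorization_cache_policy_config(name="api-forward-authorization"):
    """CachePolicyConfig for boto3's cloudfront.create_cache_policy().
    Whitelisting Authorization puts it in the cache key, so CloudFront forwards
    it to the API Gateway origin on GET/HEAD and never serves one caller's cached
    response to a caller presenting a different token. TTLs are an assumption."""
    return {
        "Name": name,
        "Comment": "Forward Authorization header to API Gateway origin",
        "MinTTL": 0, "DefaultTTL": 0, "MaxTTL": 1,
        "ParametersInCacheKeyAndForwardedToOrigin": {
            "EnableAcceptEncodingGzip": True,
            "EnableAcceptEncodingBrotli": True,
            "HeadersConfig": {
                "HeaderBehavior": "whitelist",
                "Headers": {"Quantity": 1, "Items": ["Authorization"]},
            },
            "CookiesConfig": {"CookieBehavior": "none"},
            "QueryStringsConfig": {"QueryStringBehavior": "all"},
        },
    }

def forwards_authorization(config):
    """Audit an existing CachePolicyConfig: is Authorization in the cache key?"""
    hc = config["ParametersInCacheKeyAndForwardedToOrigin"]["HeadersConfig"]
    if hc.get("HeaderBehavior") != "whitelist":
        return False
    return any(h.lower() == "authorization"
               for h in hc.get("Headers", {}).get("Items", []))

def create_cache_policy(config):
    """Create the policy in the account (needs AWS credentials and boto3)."""
    import boto3  # imported here so the audit and Lambda helpers run offline
    return boto3.client("cloudfront").create_cache_policy(CachePolicyConfig=config)

def bearer_token(event):
    """Lambda side: case-insensitive lookup (REST payloads keep the client's
    header case, HTTP API payloads lowercase it); None when the header is absent."""
    for name, value in (event.get("headers") or {}).items():
        if name.lower() == "authorization" and value.lower().startswith("bearer "):
            return value[7:].strip() or None
    return None

def lambda_handler(event, context=None):
    """Answer 401 instead of crashing with KeyError when CloudFront dropped the header."""
    token = bearer_token(event)
    if token is None:
        return {"statusCode": 401, "body": "missing bearer token"}
    return {"statusCode": 200, "body": "ok"}  # validate the token before doing work
```

Attach the created policy's Id to the distribution behavior in front of the API (the "Cache key and origin requests" section the answer points to); a policy that fails `forwards_authorization` is one that will reproduce the missing-header symptom on GET.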
