Menu
I'm using Amplify, and have my API Gateway proxying to Lambda. I've enabled CORS on my /{proxy+} and deployed the API. In my Lambda function, I'm setting the appropriate header in my trivial function:
import json
def handler(event, context):
print("received event:")
print(event)
return {
"statusCode": 200,
"headers": {
"Access-Control-Allow-Credentials": True,
"Access-Control-Allow-Headers": "Content-Type",
"Access-Control-Allow-Methods": "OPTIONS,POST,GET",
"Access-Control-Allow-Origin": "*",
},
"body": json.dumps(event),
}
This Lambda function sits behind an API Gateway resource which is authenticated via Cognito.
When I invoke my API using Amplify:
let myInit = {
headers: {
Authorization: `Bearer ${(await Auth.currentSession())
.getIdToken()
.getJwtToken()}`
}
};
API.get("adminapi", "/admin", myInit) ...
I get the dreaded CORS header 'Access-Control-Allow-Origin' missing from my GET request:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://xxxxxxxxxx.execute-api.us-east-1.amazonaws.com/dev/admin. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
I see it returned in the OPTIONS request:
I even tested in Postman to verify the headers are coming back:
What am I doing wrong here? It doesn't look like the call is getting past API Gateway. I wonder if it has to do with authentication. When I test from Postman using my IAM credentials it works fine, but from my web app using the bearer token it fails as above.
287
If the server is under your control, add the origin of the requesting site to the set of domains permitted access by adding it to the Access-Control-Allow-Origin header's value. You can also configure a site to allow any site to access it by using the * wildcard. You should only use this for public APIs.
Cross-Origin Resource Sharing (CORS) errors occur when a server doesn't return the HTTP headers required by the CORS standard. To resolve a CORS error from an API Gateway REST API or HTTP API, you must reconfigure the API to meet the CORS standard.
To enable CORS for the Lambda proxy integration, you must add Access-Control-Allow-Origin: domain-name to the output headers . domain-name can be * for any domain name. The output body is marshalled to the frontend as the method response payload.
I've just struggled with something similar. The question here asks why the browser is returning a CORS errors when hitting API Gateway with Amplify despite CORS headers being configured correctly in the endpoint.
Aside from incorrect CORS header config, Amplify / API Gateway gives a CORS error if certain aspects of the request are incorrect. The ones I've comes across are:
The latter was causing me issues. It seems that Amplify.API.post and Amplify.API.put both send a Content-Type of application/x-www-form-urlencoded by default. My API was expecting application/json and the result was a CORS error.
108
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
