Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to debug "Missing Authentication Token" in AWS API Gateway?

I have an API Gateway resource that is proxied to an AWS Lambda function. This worked fine for passing through trailing path parameters (/periodicals/{tail+}), but as I wanted those parameters to be optional, I also added an ANY method to the higher resource (/periodicals):

This works fine when testing that method from within the AWS Console. Directly performing a request on that resource from my browser, however, results in the following response:

{"message":"Missing Authentication Token"}

With this header:

x-amzn-errortype: MissingAuthenticationTokenException

It also had an x-cache header with the value Error from cloudfront, so I guess it might have something to do with CloudFront. I haven't set up CloudFront explicitly though, and don't really know how to check?

I think I read every thread on this error message, but none of them seem to apply to me:

  • No authorization is required for my method:
  • I'm quite sure the URL is correct. When I visit /periodicals/whatever (i.e. the {tail+} resource) in my browser it works fine, but not so for /periodicals.
  • CORS is enabled, as both resources are pointing to the same Lambda function which handles CORS and works for the subpath.
  • The HTTP verb should not matter, as it's listening for ANY.
  • The result is the same whether I add a trailing slash or not.
  • The API is deployed.
  • I think the API resource has sufficient permissions on my Lambda function, as I can successfully execute it from the AWS Console:

One interesting observation, thanks to @Lakindu, is that no methods are listed below the resource in the Stages view:

Anything else I can do to find out what's going wrong?

like image 778
Vincent Avatar asked Sep 06 '17 10:09

Vincent


1 Answers

I found out what was going on:

My API was deployed using TerraForm. In TerraForm, one of the resources you specify is an API Gateway Deployment. I figured it would redeploy the API if any of the resources it depended on (which included the /periodicals resource) would change.

Alas, I now think that I would have to update its state_description in order to force a new deployment. The advantage of this is that you can update the configuration without affecting API users, but it does mean that you explicitly need to perform an action when you want to deploy the updated configuration.

Hope this helps anyone.

tl;dr As opposed to what I thought, the API had not actually been deployed after the method was added. (You can do so manually in the AWS API Gateway console by selecting "Deploy API" in the "Actions" drop-down.

like image 103
Vincent Avatar answered Sep 29 '22 20:09

Vincent