Making calls to AWS api gateway endpoint with api key using rest client POSTMAN

Question

We are developing a mobile/web app for which we are using aws lambda and dynamo db as our backend.The standalone lambda functions are working perfectly. The calls are being routed via api gateway. We are using api keys to leverage the security features that it provides. For some testing purposes, we are trying to call the api end point through a third party rest client POSTMAN.

The requests are of POST type but no matter what we try, we get

403 ("message": "Missing authentication token.")

A snapshot is attached for reference. ( few portions are shaded for security reasons )

1. We are unable to fathom the root cause for the behaviour.
2. if the same can be achieved with some other tool then please suggest.

Answer 1

From working with AWS API Gateway I have fell into the same trap as it seems you have. There are two things that can cause the infamous 403 ("message": "Missing authentication token.") message to be displayed:

1. CloudFront's aggressive caching

I notice that you are using CloudFront to cache your API request/responses. CloudFront is a great tool — one of the best caching mechanisms if you ask me — but when caching things during development, it's really easy to get caught up with cached error messages. This may be the case here, so my advice is to remove the API from CloudFront until you have got it fully working.

2. Forgetting to re-deploy

One of the major features of API Gateway is the way AWS handles multiple versions of APIs. Once deployed, you can be safe in the knowledge that your API endpoints will not change — exactly what you want from an API endpoint.

This is due to the way that endpoints are deployed. Each change that is made in the AWS console has to be deployed to a specific deployment in order to be interacted with live.

For instance, if I deploy my API to the "live" deployment and everything works well, that's great. I can now continue to tweak settings in the AWS console to improve the API over time, and when I'm happy with what I've changed I can deploy again to another API deployment, meaning that current API users will not have to change their interaction methods until a deployment is made back onto the deployment they are working on.

The problem you may be experiencing is that even though you have made lots of changes in the AWS console, you may not have re-deployed to the deployment that you are testing in Postman.

Sidenote:

In the Resource editor panel, you can provide information about this method's response types, their headers and content types. Here it is possible to provide more meaningful error messages to your endpoints.