
I'm using AWS CDK to create an API Gateway. I want to attach a custom domain to my API so I can use api.findtechjobs.io. In the console, I can see I have a custom domain attached; however, I always get a 403 response when using my custom domain.

Below is the AWS CDK stack I am using to create my API Gateway, attached to a single Lambda function.

AWS CDK deploys fine; however, when I attempt to make a POST request to https://api.findtechjobs.io/search, AWS returns a 403 Forbidden response. I don't have a VPC, WAF, or an API key for this endpoint.

I am very uncertain why my custom domain is returning a 403 response. I have been reading a lot of documentation and have used answers from other questions, and I still can't figure out what I am doing wrong.

How can I properly associate api.findtechjobs.io with my API Gateway using AWS CDK?



import * as path from 'path';
import * as cdk from '@aws-cdk/core';
import * as acm from '@aws-cdk/aws-certificatemanager';
import * as apigateway from '@aws-cdk/aws-apigateway';
import * as lambda from '@aws-cdk/aws-lambda';
import * as route53 from '@aws-cdk/aws-route53';
import * as route53targets from '@aws-cdk/aws-route53-targets';

export class HostingStack extends cdk.Stack {

    constructor(scope: cdk.Construct, id: string, props: cdk.StackProps) {
        super(scope, id, props);

        // Look up the existing hosted zone for the apex domain
        // (fromLookup needs env.account and env.region set on the stack)
        const zonefindtechjobsio = route53.HostedZone.fromLookup(this, 'findtechjobs.io', {
            domainName: 'findtechjobs.io'
        });

        // Certificate issued in the stack's own region, DNS-validated through the zone above
        const certificate = new acm.Certificate(this, 'APICertificate', {
            domainName: 'findtechjobs.io',
            subjectAlternativeNames: ['api.findtechjobs.io'],
            validation: acm.CertificateValidation.fromDns(zonefindtechjobsio),
        });

        const api = this.buildAPI(certificate);

        // Alias record api.findtechjobs.io -> the API's custom domain
        new route53.ARecord(this, "AliasRecord api.findtechjobs.io", {
            zone: zonefindtechjobsio,
            recordName: 'api',
            target: route53.RecordTarget.fromAlias(new route53targets.ApiGateway(api)),
        });
    }

    private buildAPI(certificate: acm.Certificate) {
        // API with a custom domain. Note that the domain registered here is the apex
        // (findtechjobs.io), while the alias record above is created for the "api" subdomain.
        const api = new apigateway.RestApi(this, "techjobapi", {
            domainName: {
                domainName: 'findtechjobs.io',
                certificate: certificate
            },
            defaultCorsPreflightOptions: {
                allowOrigins: apigateway.Cors.ALL_ORIGINS, // TODO limit this when you go to prod
            },
            deploy: true,
            deployOptions: {
                stageName: 'dev',
            },
            endpointTypes: [apigateway.EndpointType.REGIONAL]
        });

        const searchResource = api.root.addResource("search", {
            defaultMethodOptions: {
                operationName: "Search",
            },
        });

        // POST /search backed by a Go Lambda shipped as a prebuilt zip
        searchResource.addMethod(
            "POST",
            new apigateway.LambdaIntegration(new lambda.Function(this, "SearchLambda", {
                runtime: lambda.Runtime.GO_1_X,
                handler: "main",
                code: lambda.Code.fromAsset(path.resolve("..", "search", "main.zip")),
                environment: {
                    DB_NAME: "...",
                    DB_CONNECTION: "...",
                },
            })),
            {
                operationName: "search",
            }
        );

        return api;
    }
}


Alex Fallenstedt
  • Forbidden usually means that the issue is with your API Gateway setup, not only the domain. Did you verify that it works with the AWS default API domain? – Marcin Aug 28 '21 at 22:40
  • The default (API Gateway domain name) also returns the same Forbidden response. However, my dev stage (https://1xp9g8qbvj.execute-api.us-west-2.amazonaws.com/dev/search) works fine. I feel like you are right. There is something odd with my API Gateway setup. There is a problem between my 'dev' environment and the domain. – Alex Fallenstedt Aug 28 '21 at 23:23
  • @Marcin and anyone else that stumbles across this: if you are using an edge-optimized API Gateway, your certificate must be in us-east-1. I discovered this issue here: https://aws.amazon.com/premiumsupport/knowledge-center/custom-domain-name-amazon-api-gateway/ – Alex Fallenstedt Aug 29 '21 at 04:34
  • I didn't even know you could associate an SSL cert not in us-east-1 with the API Gateway. So you were actually able to associate a cert from a different region, and API Gateway or CDK did not complain? – Marcin Aug 29 '21 at 04:38
  • CDK never complained. The AWS Console never complained. I am in the process of moving this whole project to us-east-1. I will post an update here, followed by an answer, when it is complete. – Alex Fallenstedt Aug 29 '21 at 05:04
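A pre-deploy check for the two misconfigurations this thread surfaces (an alias record pointing at a hostname the API has no custom domain for, and a certificate outside us-east-1 on an edge-optimized domain), as an added TypeScript example that is neither the asker's code nor a CDK API; the ApiDomainConfig shape and the sample values are constructed here from the question and comments.

```typescript
// Added example: a CDK-free sanity check over the fields that decide whether a custom
// domain will answer. The ApiDomainConfig shape is invented for this check.
type EndpointType = "EDGE" | "REGIONAL";

interface ApiDomainConfig {
  customDomainName: string;   // RestApi.domainName.domainName
  endpointType: EndpointType; // RestApi.domainName.endpointType
  certificateRegion: string;  // region the ACM certificate was issued in
  certificateNames: string[]; // CN plus SANs on the certificate
  recordHostname: string;     // FQDN of the Route 53 alias record aimed at the API
}

// True when one of the certificate's names matches host. "*.example.com" covers exactly
// one extra label: it matches api.example.com but not example.com or a.b.example.com.
export function certificateCovers(names: string[], host: string): boolean {
  return names.some((name) => {
    if (!name.startsWith("*.")) return name === host;
    const suffix = name.slice(1);                       // ".example.com"
    if (!host.endsWith(suffix)) return false;
    const label = host.slice(0, host.length - suffix.length);
    return label.length > 0 && !label.includes(".");
  });
}

// Returns the list of problems found; an empty list means the domain should serve requests.
export function checkApiDomain(cfg: ApiDomainConfig): string[] {
  const problems: string[] = [];
  if (cfg.recordHostname !== cfg.customDomainName) {
    // API Gateway selects the API by the Host header; a host with no custom-domain
    // mapping gets 403 Forbidden even though DNS resolves to the right endpoint.
    problems.push(`record ${cfg.recordHostname} targets an API whose custom domain is ${cfg.customDomainName}`);
  }
  if (cfg.endpointType === "EDGE" && cfg.certificateRegion !== "us-east-1") {
    problems.push(`edge-optimized domain needs a us-east-1 certificate, found ${cfg.certificateRegion}`);
  }
  if (!certificateCovers(cfg.certificateNames, cfg.customDomainName)) {
    problems.push(`certificate does not cover ${cfg.customDomainName}`);
  }
  return problems;
}

// Constructed inputs: the question's layout as the asker describes it (edge-optimized,
// certificate in us-west-2, apex registered as the custom domain) and a corrected version.
export const AS_ASKED: ApiDomainConfig = {
  customDomainName: "findtechjobs.io", endpointType: "EDGE", certificateRegion: "us-west-2",
  certificateNames: ["findtechjobs.io", "api.findtechjobs.io"], recordHostname: "api.findtechjobs.io",
};
export const CORRECTED: ApiDomainConfig = {
  ...AS_ASKED, customDomainName: "api.findtechjobs.io", certificateRegion: "us-east-1",
};
```

Running checkApiDomain(AS_ASKED) reports the hostname mismatch and the certificate region, while CORRECTED reports nothing.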

1 Answer

Same problem. After some struggle, I found out that the problem may lie in the DNS, because my domain was transferred from another registrar and the name servers were not changed. After I changed them to AWS DNS it worked. But I can't be 100% sure.
I also found out that the default API Gateway domain (d-lb4byzxxx.execute-api.ap-east-1.amazonaws.com) is always in the 403 Forbidden state.