
I'm trying to execute API calls from a React Native AWS Amplify app to an API Gateway endpoint using AWS_IAM authorization.

I do it by calling (all Amplify initialization params are set):

import { API, Auth } from "aws-amplify";
...

// "MyApiName" is the API configured in Amplify; Amplify signs the request
// with the Cognito Identity Pool credentials of the current session.
API.get("MyApiName", "/resource")
  .then(resp => { ... })
  .catch(e => console.log(JSON.stringify(e)));

I have console printout like:

{
  "message":"Request failed with status code 403",
  "name":"Error",
  "stack": "...",
  "headers":{
    "Accept":"application/json, text/plain, */*",
    "User-Agent":"aws-amplify/3.8.23 react-native",
    "x-amz-date":"20210908T172556Z",
    "X-Amz-Security-Token":"IQoJb3...",
    "Authorization":"AWS4-HMAC-SHA256 Credential=ASIA23GCUWEDETN632PS/20210908/us-east-1/execute-api/aws4_request, SignedHeaders=host;user-agent;x-amz-date;x-amz-security-token, Signature=2a06fb4d8eb672164bfd736790fb1658edef1240d12a38afb599a9e33020c3cd"
    ...
}

So, it looks like the request is Signed!

I use a Cognito User Pool and the appropriate Identity Pool. They are both set properly, because these settings work with successful authorized access to S3 storage using AWS Amplify S3.

The authenticated role for the Cognito Identity Pool has ExecuteApi permission to invoke the API resource method. Also, it has permission to invoke the Lambda that is linked to the API's resource method.

All looks fine, but I am still getting the 403 Forbidden error.

What's missing here?

atlascoder
  • Did you ever solve this? I am encountering the same issue. I am able to manually invoke the API Gateway route using generated keys for my own user in IAM. But I want users that belong to the Cognito User Pool/Identity Pool to be able to execute the API Gateway route. I am unable to get it to work with `Auth.currentCredentials()` and feeding into the raw `@aws-sdk/signature-v4` object. Nor am I able to get it to work using Amplify's own `Signer.sign()` object. However, `Signer.sign()` doesn't work with the known working access_key and secret_key. It is difficult to do things properly... – user1378730 Apr 27 '22 at 09:15
  • To those who find this comment: this doc saved me: https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html Several issues were at work: 1. Didn't have `Choose role from token` selected in the Federated Identity Pool for the linked Cognito Authorizer. 2. `iam:PassRole` wasn't set up. 3. Somehow forgot about `ExecuteApi` permissions. In the end, manually signing and also using `API.get()` both worked. – user1378730 Apr 28 '22 at 05:45

0 Answers