堆栈内存溢出
  繁体   English   中英

CloudFront 403 禁止异常(AWS SAM 模板)

[英]CloudFront 403 Forbidden Exception (AWS SAM Template)

 原文  2020-04-26 19:32:33       amazon-web-services/ aws-lambda/ aws-api-gateway/ aws-serverless/ serverless-application-model

问题描述

我正在使用 AWS SAM Cli 和模板部署无服务器应用程序,但是 API 网关资源在尝试 curl / Z03D476861AFD3841110F2CB80CCFA8 时返回 403 ForbiddenException 错误。 尝试在网上查找,但无法找到任何解决我问题的答案,并且想知道这里是否有人以前经历过这种情况。

模板.yaml:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31


Globals:
  Function:
    Runtime: nodejs10.x
    MemorySize: 256

  Api:
    Cors:
      AllowMethods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'"
      AllowHeaders: "'Content-Type,X-Amz-Date,X-Amz-Security-Token,Authorization,X-Api-Key,X-Requested-With,Accept,Access-Control-Allow-Methods,Access-Control-Allow-Origin,Access-Control-Allow-Headers'"
      AllowOrigin: "'*'"

Parameters:
  ApiKey:
    Type: String
    Default: none

Conditions:
  CreateApiKey: !Not [!Equals [!Ref ApiKey, 'none']]

Resources:
  # DynamoDB table setup
  DyanmoDBStoryTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: Stories
      AttributeDefinitions:
        - AttributeName: short_id
          AttributeType: S
      KeySchema:
        - AttributeName: short_id
          KeyType: HASH
      ProvisionedThroughput:
        ReadCapacityUnits: 0
        WriteCapacityUnits: 0
      BillingMode: PAY_PER_REQUEST

  # Log group
  DynamoSaveStoryLogGroup:
    Type: AWS::Logs::LogGroup
    DependsOn: [DynamoSaveStoryLambda]
    Properties:
      RetentionInDays: 30
      LogGroupName: !Sub '/aws/lambda/${DynamoSaveStoryLambda}'
  DynamoGetStoryLogGroup:
    Type: AWS::Logs::LogGroup
    DependsOn: [DynamoGetStoryLambda]
    Properties:
      RetentionInDays: 30
      LogGroupName: !Sub '/aws/lambda/${DynamoGetStoryLambda}'
  DynamoUpdateStoryLogGroup:
    Type: AWS::Logs::LogGroup
    DependsOn: [DynamoUpdateStoryLambda]
    Properties:
      RetentionInDays: 30
      LogGroupName: !Sub '/aws/lambda/${DynamoUpdateStoryLambda}'

  # Lambda Fn
  DynamoSaveStoryLambda:
    Type: AWS::Serverless::Function
    Properties:
      Policies:
        - AmazonDynamoDBFullAccess
      Handler: src/lambdas/save-story.handler
      Timeout: 10
      Events:
        SaveStory:
          Type: Api
          Properties:
            RestApiId: !Ref ApiGateway
            Path: /story
            Method: post

  DynamoGetStoryLambda:
    Type: AWS::Serverless::Function
    Properties:
      Policies:
        - AmazonDynamoDBFullAccess
      Handler: src/lambdas/get-story.handler
      Timeout: 10
      Events:
        SaveStory:
          Type: Api
          Properties:
            RestApiId: !Ref ApiGateway
            Path: /story/{shortId}
            Method: get

  DynamoUpdateStoryLambda:
    Type: AWS::Serverless::Function
    Properties:
      Policies:
        - AmazonDynamoDBFullAccess
      Handler: src/lambdas/update-story.handler
      Timeout: 10
      Events:
        SaveStory:
          Type: Api
          Properties:
            RestApiId: !Ref ApiGateway
            Path: /story/{shortId}
            Method: post

  # Custom API gateway setup API Keys & usage plans
  ApiGateway:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Auth:
        ApiKeyRequired: true

  UsagePlan:
    Type: AWS::ApiGateway::UsagePlan
    DependsOn: [ApiGatewayProdStage]
    Condition: CreateApiKey
    Properties:
      ApiStages:
        - ApiId: !Ref ApiGateway
          Stage: Prod

  DynamoLambdasApiKey:
    Type: AWS::ApiGateway::ApiKey
    DependsOn: [UsagePlan]
    Condition: CreateApiKey
    Properties:
      Value: !Ref ApiKey
      Enabled: true
      StageKeys:
        - RestApiId: !Ref ApiGateway
          StageName: Prod

  UsagePlanKey:
    Type: AWS::ApiGateway::UsagePlanKey
    Condition: CreateApiKey
    Properties:
      KeyId: !Ref DynamoLambdasApiKey
      KeyType: API_KEY
      UsagePlanId: !Ref UsagePlan

Outputs:
  StoryApi:
    Description: Serverless api url generated by AWS Cloudformation upon stack deployment
    Value: !Sub 'https://${ApiGateway}.execute-api.${AWS::Region}.amazonaws.com/prod'
  ApiKey:
    Description: Api key to authorize access in API Gateway
    Value: !Ref ApiKey

SAM CLI Version: 0.47.0

错误:

Date →Sun, 26 Apr 2020 19:22:02 GMT
Content-Type →application/json
Content-Length →23
Connection →keep-alive
x-amzn-RequestId →01d6b9ec-dcf0-484c-be07-6b629437b305
x-amzn-ErrorType →ForbiddenException
x-amz-apigw-id →Lm_WOF9ZvHcF7nQ=

直接从 AWS Lambda 控制台对其进行测试可以正常工作并生成 cloudwatch 日志,但是当我使用部署期间生成的 API url 卷曲/邮递请求时,无法正常工作。 我尝试了以下方法:

  • 确保正确设置x-api-key header 并验证 AWS 控制台中的 API 网关是否设置了正确的 API 密钥
  • 在模板的全局变量中配置 API 中的 CORS。 确认它在 API 网关控制台中创建options端点
  • 仔细检查端点是否正确

该错误表明这是一个云端问题,因此我已确认 S3 存储桶具有公共访问权限。 AWS 控制台中没有其他云端资源。 我不知道是什么阻止了请求。

1 个解决方案

解决方案1
 1  2020-04-26 22:54:41

答案比我想象的要简单,但对于遇到此问题的其他人来说,查询参数区分大小写。 The output url from the serverless application model deployment returns https://${serverlessAppId}.execute-api.${region}.amazonaws.com/${StageName} .

在我的情况下, StageNameProd ,我以prod的身份提出请求

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 AWS Cloudfront 备用域名 403 被禁止 aws cloudfront api 端点响应 Forbidden(403) Cloudfront Worker Fetch 禁止 AWS 403 PUT / POST / DELETE:禁止403错误+ AWS SAM的CORS错误 加载 AWS CloudFront 文件时出现 403(禁止) 禁止AWS Deployment 403 403 禁止从 AWS 刷新页面时Cloudfront返回403禁止 CloudFront以403 Forbidden响应,而不是触发Lambda 使用 Cloudfront 签名 cookie 时出现 403 禁止错误?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM