How can it happen that, with a Lambda/API Gateway combination, if no explicit CloudFront configuration has been done, CloudFront is mentioned in an error response header?

header: x-amzn-ErrorType: ForbiddenException
header: x-amz-apigw-id: P3mmbT_DREF8bg=
header: X-Cache: Error from cloudfront

Actual problem: with a disabled API key, the API keeps responding "forbidden".

UPDATE. It seems the problem is not related to the Edge API/CloudFront, as the problem with the disabled key also persists after changing the API type to regional.

UPDATE. I can now disable API key checking as suggested by @Harish i.e. it's not about disabling the API key itself but telling the API whether it's required or not.

What is still open, though, is why, if created by Zappa, there is no option to change this setting in the UI, because there are no single methods.

The client sends no key, the API has it disabled. So my expectation is that the API accepts the call normally. – Ta Mu Jul 18, 2020 at 16:25

Use Zappa's api_key_required setting to enable/disable API key requirement for individual routes in your API. – Harish KM Jul 19, 2020 at 14:51

When you deploy an edge-optimized API, API Gateway sets up an Amazon CloudFront distribution and a DNS record to map the API domain name to the CloudFront distribution domain name. Requests for the API are then routed to API Gateway through the mapped CloudFront distribution.

Source: API Gateway documentation — Edge-optimized custom domain names.

To allow calls to a method of a resource in your API without an API key, set its API Key Required setting to false:

Thank you @Harish KM! I've changed the API type to regional, but still the API remains closed. At least half of my question is now answered. :-) – Ta Mu Jul 18, 2020 at 14:32

@PeterMuryshkin I've updated the answer to show how to make the API accept a call without an API key. – Harish KM Jul 19, 2020 at 6:53

Thank you, Harish! Your hint has helped me in the right direction, though I couldn't find the setting edit option in the UI; possibly with the ANY selector it's a different mode. – Ta Mu Jul 19, 2020 at 9:36

Besides setting API Key Required = false, I was missing something in API Gateway > Custom domain names:

The API Mapping had no stage selected. When I selected dev, the endpoint worked.
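
The two settings named in the answers above (API Key Required per method, and the stage of a custom-domain API mapping) can be checked without the console. The following is an added example, not code from the original posts: it assumes the input dicts have the shape of the `items` lists returned by boto3's `apigateway.get_resources(restApiId=..., embed=["methods"])` and `apigateway.get_base_path_mappings(domainName=...)`; the function names and all sample values are constructed for illustration.

```python
# Added example: offline audit of the two API Gateway settings discussed above.
# Inputs mimic boto3 apigateway responses; every sample value is constructed.

def methods_requiring_key(resources):
    """Return sorted (path, http_method) pairs whose apiKeyRequired is true.

    `resources`: the "items" list from get_resources(..., embed=["methods"]).
    Resources without any method (no "resourceMethods" key) are skipped.
    """
    found = []
    for res in resources:
        for verb, method in res.get("resourceMethods", {}).items():
            if method.get("apiKeyRequired", False):
                found.append((res["path"], verb))
    return sorted(found)


def mappings_without_stage(mappings):
    """Return base paths of custom-domain API mappings with no stage selected.

    `mappings`: the "items" list from get_base_path_mappings(domainName=...).
    """
    return [m.get("basePath", "(none)") for m in mappings if not m.get("stage")]


# Constructed sample: a proxy-style API with ANY methods on "/" and "/{proxy+}".
SAMPLE_RESOURCES = [
    {"id": "res-root", "path": "/",
     "resourceMethods": {"ANY": {"httpMethod": "ANY", "apiKeyRequired": True}}},
    {"id": "res-proxy", "path": "/{proxy+}",
     "resourceMethods": {"ANY": {"httpMethod": "ANY", "apiKeyRequired": False}}},
    {"id": "res-empty", "path": "/health"},  # resource with no methods
]
# Constructed sample: one mapping missing its stage, one mapped to "dev".
SAMPLE_MAPPINGS = [
    {"basePath": "(none)", "restApiId": "example-api-id"},
    {"basePath": "v1", "restApiId": "example-api-id", "stage": "dev"},
]

if __name__ == "__main__":
    for path, verb in methods_requiring_key(SAMPLE_RESOURCES):
        print(f"API key required: {verb} {path}")
    for base in mappings_without_stage(SAMPLE_MAPPINGS):
        print(f"Custom-domain mapping without stage: basePath={base}")
```

Run against real responses, the same report also shows which methods accept calls with no key at all, which is worth reviewing before leaving API Key Required set to false.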
