About Us
Project Cost Estimation
Blog
Token AiDOOS Wiki

Welcome to Knowledge Base!

KB at your finger tips

Book a Meeting to Avail the Services of AWS overtime

This is one stop global knowledge base where you can learn about all the products, solutions and support features.

Categories
All
CRM
Salesforce
ERP
SAP
Storage and Backups
Purestorage Netapp Nutanix
Cloud
AWS
Computing
IBM
Database
MongoDB MySQL PostgreSQL
DevOps
Docker Kubernetes Jenkins GitLab
Mobile
React Native Android
Web
React Angular PHP
Programming
Python
Products
CNC Software (Mastercam) 3D perception 7shifts ABB EV Charging Infrastructure Accelo Aconex (by Oracle) Act-On Actenum Scheduler Actico Compliance Suite ActiveCampaign Adapt Addepar Adobe Captivate Adyen AG Leader Agrivi AgriWebb Agworld Ahrefs Aidoc AIMS360 Akamai Kona Site Defender Algolia Alis by TalentGuard ALLDATA Repair Allscripts Alpaca Trading Altair HyperWorks Altium Designer AMOS Amplitude Anaplan Anessa Biofuel Optimization AppDynamics Applied Epic Applied Materials E3 Aptean ERP Aptean Food & Beverage ERP Aptima Aquatic Informatics’ WaterTrax Arable Arena Solutions PLM Articulate 360 Asana ASML Twinscan Aspen Plus Biochemical Process Modeling Aurora Solar AspenTech APC Athenahealth Atomwise Audiam Audiomovers AspenTech for Refining Autodesk AutoCAD Autosoft AspenTech Pharma Suite Asset Panda Aveva Marine AssetMark Aveva Pipeline Management AVEVA Process Engineering Suite AVEVA Refining Solutions AVEVA Unified Operations Center Avid Media Composer AVL eSuite AWS Ground Station AWS IoT Greengrass Azure IoT Central Azure Space Backbase BatchMaster ERP Benchling Bentley OpenFlows Bentley OpenRoads Bentley OpenUtilities Bentley Systems AssetWise Bentley Systems – OpenRail beonic BevSpot Bigbelly Smart Waste & Recycling System BigCommerce Automotive Bitly Bitmovin Blackbaud BlackBerry AtHoc Blackboard Learn BlackLynx Blend Blue Yonder WMS Bluebeam Revu Bohemia Interactive Simulations (BISim) Bosch Esitronic Diagnostic Bosch IoT Suite Braintree Bright Biomethane Brightpearl Bringg Browzwear Builder Prime Buildertrend BuildTools BWX Technologies' Nuclear Security Cabinet Vision Cadence OrCAD Cadence Virtuoso CAE Canvas LMS Cargowise One Carrier i-Vu CaterZen CattleMax CDK Global Celtx Cerner Pharmacy ChargePoint Cloud Services Charles River Development Check Point CloudGuard Checkout.com Cin7 Circularise Cisco Umbrella Classcraft ClearDATA ClearMetal ClickFunnels ClickUp Climate FieldView Clir Renewables Cloud Lending (Q2 Software) Cobb Accessport ComplianceQuest ComplyAdvantage Conducttr Conservis Continental Connected Vehicle Copper Coupa by LLamasoft CQG Integrated Client Creatio Creatio marketing CropNutrition CrowdStrike Falcon CyberSource Damarel Darktrace Dassault Systèmes CATIA Dassault Systèmes ENOVIA Dataminr DaVinci Resolve DealerSocket DealHub Decisive Farming Deliverect Deltek Costpoint Demandbase Denso EV Thermal Systems DeSL (Digital Enterprise Software) DigitalOcean DJI Ground Station Pro Docebo DrillPlan by Schlumberger DroneDeploy e-Builder Ecochain EcoVadis Edmentum Edsby EFI Live Tuning EFI Optitex EFI PrintSmith Vision Ellie Mae Encompass Ellucian Banner Elucidat Emerson Ovation Emerson Plantweb eMoney Advisor Enact Systems Enfusion Envestnet | Tamarac Epicor ERP Epicor Parts Network Esko ArtiosCAD Esko WebCenter ETQ Reliance QMS Everbridge eVinci™ Micro Reactor by Westinghouse Exostar SCM Fanuc Automation Fanuc Robotics FarmERP FarmLogs FieldAware Finacle Finastra Fusion FinQuery Flatiron Health FoodLogiQ Fortinet FortiGate FourKites Freshworks GDC Technology GE Digital APM GE Digital Plant Applications GE Digital Predix GE Healthcare FlexFactory GE Vernova Genscape Pipeline Solutions Geofeedia GeoSoftware Geotab GEP SMART Gerber Technology GetAccept Gorgias Greenbyte Energy Cloud Greenlight Guru GreenPrinter GreenSlate Guidewire Software Handshake HawkEye 360 Health Catalyst Herdwatch Hexagon Intergraph CAD Hexagon Manufacturing Intelligence Hexagon MSC Software Hexagon PPM Hexagon Safety & Infrastructure Hexcel HexPly Honeywell Enraf Tank Gauging Honeywell Forge Honeywell Forge for Chemicals Honeywell UOP Ecofining Houzz Pro HP Indigo Digital Press HP Tuners VCM Suite HubSpot CRM IBM i2 IBM Watson Health IFS Applications Illuminate Education Imprivata Indra Air Automation InEight Infor CloudSuite Food & Beverage Infor EAM Infor LN Infor WMS Inmarsat Fleet Data Instapage Insurity Intellect QMS Intergraph SmartMarine 3D Intex ERP Intuitive Surgical da Vinci IONOS Ironclad iSpring Suite John Deere Operations Center Johnson Controls Metasys Juro JustFood ERP Kahoot Kahua Kareo KBC Petro-SIM by Yokogawa Keap Kiinaxis RapidResponse Kinaxis RapidResponse Kisters WISKI KLA YieldStar Klaviyo Knewton Alta Kratos OpenSpace KUKA Robotics KUKA Smart Production Kustomer Landr LeadAngel LeanData Lectra Fashion PLM Leidos Integrated ISR Solutions Linode Lithium Balance BMS Lockheed Martin DiamondShield LogicGate Logility LogiNext Mile LuciadLightspeed (Hexagon) Luma Health Mahle Thermal Management Majesco Mallcomm MAM Software Autopart Manhattan TMS Manhattan WMS Mark43 MASS (Cohort plc) MasterControl Manufacturing Excellence MasterControl Quality Excellence Material Exchange McKesson Pharmacy Management MedeAnalytics Medidata Solutions Medtronic CareLink Medtronic Hugo RAS Mentor Graphics (Siemens) MetricStream Microsoft D365 SCM Microsoft Project MilliporeSigma BioContinuum MindTickle Mirakl Mitchell1 ProDemand MODS (Military Operational Decision Support) Moodle Moody’s Analytics Morningstar Direct MRI Facilities Management MuleSoft MyPath Nautilus Labs Navitaire nCino Nearpod Netafim NetApp Netwrix Auditor NextGen Healthcare NICE Actimize NICE Public Safety Nimble Nutshell Nuvation Energy BMS Nuvolo Office Furniture by Haworth Omnisend OneTrust OneWeb Satellite Services Onfleet Optibus Optimizely ONYX InSight Oracle E-Business Suite Oracle FLEXCUBE Oracle TMS Orion Advisor Tech OSISoft PI System Outgrow OVHcloud PagerDuty Palo Alto Networks Cortex XSOAR Palo Alto Networks Prisma Cloud PandaDoc Panorama Education Parrot Analytics Petrel by Schlumberger Philips HealthSuite PipelineManager by Atmos International Pipeliner CRM PitchBook Pix4Dfields Planet Labs Plex Systems PowerSchool PredictHQ Printavo Procore Project44 Proposify Prospera PTC Windchill Quantifi QuarkXPress Quipli Quorum Distribution Software R1 RCM Rackspace Rapyd ReCharge Reynolds and Reynolds Rightsline Riskalyze Roostify Runway ML S&P Capital IQ Sabre AirCentre Safefood 360 Saipher ATC SAP Defense & Security Sapiens CoreSuite Oracle Cloud SCM Oracle NetSuite Plex Manufacturing Cloud QbDVision Ramco Aviation MRO Suite RedTeam SAP EWM SAP Supply Chain Management SAS Analytics Schoology ScreenCloud Sensia Oilfield Monitoring and Control SentinelOne Serpstat Shift Technology Shift72 ShipBob ShipServ Shopify Plus Shopify Plus for Automotive Shotgun (by Autodesk) Siemens Simcenter Signal Sciences SimCentric Technologies SimCorp Dimension SimScale Simutech Multimedia Skedulo SkillMill by Interplay Learning Skyfii SkyWatch EarthCache Slingshot Orbital Smartsheet for Compliance Snapsheet Solutionreach Soyang Europe Green Materials Sparta Systems TrackWise Sphera Sustainability Management Spire Space Services Splunk Enterprise Security Splunk Industrial IoT Square for Retail StormGeo Stratasys 3D Printers Stripe STRIVR StudioBinder SUSE Swissport Symantec Endpoint Security (Broadcom) Synopsys TCAD Syntasa TalentLMS TankVision by Endress+Hauser Teladoc Health Tenable.io Terminus TexGen Thales CipherTrust Thales Manpack EW Suite Thales TopSky-ATC Thinkorswim Thryv Toast POS TotalEnergies Bio Lubricants TraceGains TraceLink Trimble Construction Trove TurnKey Lender Udemy for Business Unbounce Updox Validic Valmet DNA Automation System Varsity Tutors Veeva CRM Veeva MedTech Veeva Quality Veeva Vault Vendasta Veson Nautical IMOS Platform Viewpoint (by Trimble) Vimeo OTT Virbela Vizient VTS VWO Waste Management Open API by AMCS Waystar Wealthfront Wherefour WindRiver Helix Virtualization Platform WoodCAD|CAM Workday Student Worldpay Wrike Xactly Xerox Paper Recycling XOLV Xtime YCharts Yopto Zendesk Marketplace Zoho Zoho Inventory Zonos Zscaler Web-to-Print by Printful Zuppler ABB Robotics Solutions Alibaba Cloud ANSYS Composite PrepPost Apollo Autodesk BIM 360 Aventri BigCommerce Bizzabo Bloomberg Terminal BookBrush Brella Canva Pro Chartmetric Contentful edX EnergyHub EventPro Granular Helix Core iVvy Venue Management Joomag ManageArtworks MathWorks MATLAB Mobalytics Moocall On24 Pluralsight PressPad Prismm (All Seated) Reedsy RegFox SAP S/4HANA Amwell ANSYS Engineering Simulation Software Autodesk CFD AutoGrid Flex BetterUp Dassault Systèmes SIMULIA Evisort FlippingBook LabWare LIMS SAP TMS Amazon Augmented AI Aquarium V7 Dataloop Encord Encord Galileo Labelbox Voxel51 iMerit Ango Hub Multimodal AI Platform Canva Scalenut Hypotenuse AI Writer Copy.ai RELAYTO Amplience M1-project Imagine.io Aida Social Craftly.AI Typetone Describely Adobe GenStudio for Performance Marketing Astral Contents DashoContent Eden AI hair-style.ai PlanPost AI ZiNK AI Kore.AI Microsoft Copilot Genesys Cloud CX Synthflow Botpress Twixor Guru Qualified LivePerson Leena AI Autonomous Agent Voiceflow Replicant Conversica Rezolve.ai Dixa Assembled Zowie Level AI Moveworks Espressive, Inc. Haptik Rulai Cognigy.AI MeBeBot Intelligent Assistant Supervity Vozy HCL BigFix AEX ViaSay Kenyt Puzzel yellow.ai EVA.ai Verint Messaging Cresta Netomi Omind AiSDR Engagely.ai Floatbot Tiledesk FPT.AI Relevance AI Kindly Yuma AI CoSupport AI Joule AtomChat.io Enjo IntelePeer PolyAI Salesforge Vodex.ai Born Digital Hoory AI Nurix Overchat AI Spotlight.ai UneeQ Accenture Conversational AI Benedic chatbot IA Comm100 Chatbot eGain Virtual Assistant for Agents Fulkrum GPTBots.ai KNO Plus Moveo.AI Neople Qlary AI TailorTask Verint Intelligent Virtual Assistant Agent4 AIgent Atomicwork Clay Research Copilot.Live Cust Debales AI Conversion Agent FlashAI Remplo SeamlessGPT SearchUnify Virtual Assistant (SUVA) SideKick AI Taalk AI Talkdesk Turbo AI Agent Village AI Vinsi AI Wethos AI Wizr AI Studio You.com Deepgram Whisper Hour One Gladia Google Cloud Speech-to-Text Google Cloud Speech-to-Text Microsoft Custom Recognition Intelligent Service (CRIS) Mihup.ai BigHand Speech Recognition Amazon Transcribe Microsoft Speaker Recognition API Krisp ai voice detector Microsoft Bing Speech API Kaldi Resemble AI ArtPro Rev Sayint Speech Recognition API Synth Threads Voicify Azure Custom Speech Service Museum Space ResourceMate Speech to text Symbl.ai The Digital Ark Voicein Yugo (Speech-to-Text) Acapela VaaS GlobalLink Neon AI OneVoiceData Snips Spantel Hospital Direct Speechmorphing Telisma Voxpow Winscribe Speech Recognition ZipScribe AI Squared eMuseum Online Collections Software HeardThat Listener – Reliable Automatic Speech Recognition (ASR) MediaServicesIQ Neuro.net HeardThat

AWS

Troubleshoot API Gateway"429 Too Many Requests" or "Limit Exceeded" errors

How can I troubleshoot "429 Too Many Requests" or "Limit Exceeded" errors for my API Gateway API?

Last updated: 2022-09-26

I received "429 Too Many Requests" or "Limit Exceeded" errors when sending requests to my Amazon API Gateway API. How do I troubleshoot these errors?

Short description

API Gateway has account-level quotas, per Region. The throttle quota is 10,000 requests per second (RPS) with an additional burst capacity provided by the token bucket algorithm. The maximum bucket capacity is 5,000 requests per account and Region. API Gateway throttling-related settings are applied in the following order:

  • Per-client or per-method throttling limits that you set for an API stage in a usage plan.
  • Per-method throttling limits that you set for an API stage.
  • Account-level throttling per Region.
  • AWS Regional throttling.

Exceeding the throttling limit or quota returns a "429 Too Many Requests" or "Limit Exceeded" error response.

For more information, see How throttling limit settings are applied in API Gateway.

Resolution

Before you begin, make sure that you have followed the instructions to turn on Amazon CloudWatch Logs for troubleshooting API Gateway. Make sure that you choose ERROR to generate execution logs only for requests to your API that result in an error. Then, view logged API requests and responses using the CloudWatch console.

"429 Too Many Requests" error

Check the rate or burst limit for per-client or per-method throttling limits that you set for the API stage for your usage plan. When the rate or burst limits are exceeded, CloudWatch execution logs an exceeded throttle limit error similar to the following: 

(f277a0b4-2bcd-41b3-8e43-4de770663ffb) API Key 
**********************************
F0yrv6 exceeded throttle limit for API
 Stage rohkz08x02/dev: Key throttle limit exceeded for Usage Plan ID 
nnpegc, RestApi rohkz08x02, Stage dev, Resource f646q2, HttpMethod GET. 
Limit: 5.00 Burst: 10

To resolve this error, use retries and an exponential backoff algorithm with jitter, and then resubmit your API request.

For more information, see exponential backoff and jitter.

"Limit Exceeded" error

This error might indicate that the quota limit is exceeded for your API Gateway usage plan. When the quota limit is exceeded, then CloudWatch execution logs an exceeded quota limit error similar to the following: 

(7b819c41-e0a0-433a-883e-bc461fd70fd6) API Key 
**********************************
F0yrv6 exceeded quota limit for API 
Stage rohkz08x02/dev: Key quota exhausted for Usage Plan ID nnpegc. Q
Limit: 500 Period: DAY

To resolve this error, follow the instructions to extend the remaining quota.

How do I troubleshoot Lambda function throttling with "Rate exceeded" and 429 "TooManyRequestsException" errors?

How do I find API Gateway REST API errors in my CloudWatch logs?

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support

Stay Ahead in Today’s Competitive Market!
Unlock your company’s full potential with a Virtual Delivery Center (VDC). Gain specialized expertise, drive seamless operations, and scale effortlessly for long-term success.

Book a Meeting to Avail the Services of AWSovertime

Set up API Gateway access logging

How can I set up access logging for API Gateway?

Last updated: 2022-08-15

I'm trying to set up access logging for Amazon API Gateway. How can I do this?

Short description

To debug issues related to request execution or client access to your API, you can activate Amazon CloudWatch Logs to log API calls.

Resolution

Before you begin, make sure that you have:

  • Deployed your API to a stage.
  • Granted API Gateway permission to read and write logs to CloudWatch for your account.

Next, to activate access logging follow steps 1-5 and 7-8 (skip step 6) in the instructions for setting up CloudWatch API logging using the API Gateway console.

Note: It's a best practice not to log the full API requests and responses for production APIs. Full API requests and responses can result in logging sensitive data.

You now have CloudWatch logs activated for debugging. To find errors, see How do I find API Gateway REST API errors in my CloudWatch logs?

For more information, see Monitoring REST API execution with Amazon CloudWatch metrics.

How do I troubleshoot "Invalid permissions on Lambda function" errors from API Gateway REST APIs?

How do I find 5xx errors from API Gateway in my CloudWatch logs?

How do I turn on CloudWatch Logs for troubleshooting my API Gateway REST API or WebSocket API?

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support
Read article

Resolve certificate expired or "invalid certificate" errors for API Gateway API custom domains

How can I resolve certificate expired or "invalid certificate" errors when invoking an API Gateway API using a custom domain name?

Last updated: 2022-09-23

I set up a custom domain name for my API Gateway API. I received an error that the AWS Certificate Manager (ACM) certificate is expired or "invalid certificate". How can I resolve this error?

Short description

The certificate has expired error occurs when the certificate used for creating the custom domain name is expired.

The "invalid certificate error" occurs because of a mismatched common name (CN) or subject name in the certificate.

Resolution

Expired ACM certificates

If your certificate is expired, you might receive an error similar to the following:

"SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]"
To check the certificate expiry, run the OpenSSL command s_client similar to the following: 

openssl s_client -servername <custom domain name> -connect <custom domain name>:443 2>/dev/null | openssl x509 -noout -dates

To renew the certificate, see Managed renewal for ACM certificates.

To avoid expired certificates, see How to monitor expirations of imported certificates in ACM.

Mismatched ACM certificates

If your certificate has a mismached CN or subject name, you might receive an error similar to the following:

"ERR_CERT_COMMON_NAME_INVALID"

Confirm the following settings:

  • The certificate used to create the custom domain name exists in ACM.
  • The certificate subject name or CN includes the custom domain name. For example, if the custom domain name is custom.example.com, then the subject name or CN must include custom.example.com or *example.com.
  • Make sure that there is a DNS record pointing to the API Gateway custom domain name. The DNS record can be either a CNAME or A type.

Note: Custom domain names can't point directly to the execute-api endpoint because the certificate doesn't have the custom domain listed as the Subject Alternative Name (SAN).

Example configuration:

custom.example.com -> CNAME record -> d-yg54udirl4.execute-api.us-east-1.amazonaws.com

You can check your configuration by running the dig command on your custom domain similar to the following: 

$ dig custom.example.com

How can I resolve DNS resolution or certificate mismatch errors for my API Gateway custom domain name?

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support
Read article

Troubleshoot SigV4 signature mismatch errors with IAM authentication for API Gateway

How can I troubleshoot signature mismatch errors when making SigV4 signed requests with IAM authentication to API Gateway?

Last updated: 2022-09-22

The Signature Version 4 (SigV4) signed request to Amazon API Gateway failed with a 403 response and an error similar to the following:

"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method."

How can I troubleshoot this?

Short description

API Gateway API endpoints using AWS Identity and Access Management (IAM) authentication might return 403 errors if:

  • The API request isn't signed and the API request uses IAM authentication.
  • The IAM credentials used to sign the request are incorrect or don't have permissions to invoke the API.
  • The signature of the signed API request doesn't match the signature for the API Gateway API endpoint.
  • The API request header is incorrect.

Resolution

IAM authentication

Make sure that the API request using IAM authentication is signed with SigV4. If the API request isn't signed, then you might receive the following error: “Missing Authentication Token”

IAM credentials

Verify that the authentication credentials for the access key and secret key are correct. If the access key is incorrect, then you might receive the following error: "The security token included in the request is invalid."

Make sure that the IAM entity used to sign the request has execute-api:Invoke permissions. If the IAM entity doesn't have execute-api:Invoke permissions, then you might receive the following error: "User: arn:aws:iam::xxxxxxxxxxxx:user/username is not authorized to perform: execute-api:Invoke on resource"

Signature mismatch

If the secret access key is incorrect, then you might receive the following error: "The request signature we calculated does not match the signature you provided."

The secret access key must match the access key ID in the Credential parameter. For instructions, follow the Send a request to test the authentication settings section in How do I activate IAM authentication for API Gateway REST APIs?

Make sure that you followed the instructions for the SigV4 signing process. If any values in the signature calculation are incorrect, then you might receive the following error: "The request signature we calculated does not match the signature you provided."

When API Gateway receives a signed request, it recalculates the signature. If there are differences in the values, then API Gateway gets a different signature. Compare the canonical request and string to your signed request with the value in the error message. Modify the signing process if there are any differences.

Example canonical request: 

GET                                                      -------- HTTP method
/                                                        -------- Path. For API stage endpoint, it should be /{stage-name}/{resource-path}
                                                         -------- Query string key-value pair. Leave it blank if the request doesn't have any query string
content-type:application/json                            -------- header key-value pair. One header per line
host:0123456789.execute-api.us-east-1.amazonaws.com      -------- host and x-amz-data are required headers for all signed request                       
x-amz-date:20220806T024003Z                              

content-type;host;x-amz-date                             -------- A list of signed headers
d167e99c53f15b0c105101d468ae35a3dc9187839ca081095e340f3649a04501        -------- hash of the payload

Example canonical error response: 

<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The canonical string for this request should have been 'GET / Action=ListGroupsForUser&MaxItems=100&UserName=Test&Version=2010-05-08&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential
=AKIAIOSFODNN7EXAMPLE%2F20120223%2Fus-east-1%2Fiam%2Faws4_request&X-Amz-Date=20120223T063000Z&X-Amz-SignedHeaders=host
host:iam.amazonaws.com

host
<hashed-value>'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20120223T063000Z
20120223/us-east-1/iam/aws4_request
<hashed-value>'
</Message>
  </Error>
  <RequestId>4ced6e96-5de8-11e1-aa78-a56908bdf8eb</RequestId>
</ErrorResponse>

Note: For API gateway headers, only the host and x-amz-date headers are required.

API request header

Make sure that the SigV4 authorization header includes the correct credential key similar to the following: 

Authorization: AWS4-HMAC-SHA256 
Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request, 
SignedHeaders=host;range;x-amz-date,
Signature=example-generated-signature

If the credential key is missing or incorrect, you might receive the following error: “Authorization header requires 'Credential' parameter. Authorization header requires 'Signature' parameter."

Make sure that the SigV4 authorization request also includes the request date using either HTTP Date or the x-amz-date header.

For more information, see Troubleshooting key signing errors and Troubleshooting AWS Signature Version 4 errors.

Examples of the complete Signature Version 4 signing process (Python)

How do I troubleshoot HTTP 403 errors from API Gateway?

Signing AWS requests with Signature Version 4

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support
Read article

Resolve "HTTP 403 Forbidden" errors when invoking API Gateway with an IAM cross-account

How can I resolve "HTTP 403 Forbidden" errors when invoking my API with cross-account IAM authentication for API Gateway?

Last updated: 2022-09-16

I called my Amazon API Gateway API with a cross-account AWS Identity and Access Management (IAM) entity (user or role). I get an "HTTP 403 Forbidden" error. How do I troubleshoot this?

Resolution

REST APIs

For accessing API Gateway REST APIs, turn on IAM authentication for an API method in the API Gateway console. Then, use IAM policies and resource policies to designate permissions for your API's users.

Make sure that the cross-account IAM entity has permissions to invoke the API and is allowed access in the resource policy.

In this example, the REST API for account A 111111111 has IAM authentication enabled. User1 tries to invoke from account B 999999999. User1 in account B has the following IAM policy attached: 

}
  ]
    }
      "Resource": "arn:aws:execute-api:us-east-1:111111111:AB12CDEF34/*/*/*"
      ],
        "execute-api:ManageConnections"
        "execute-api:Invoke",
      "Action": [
      "Effect": "Allow",
    {
  "Statement": [
  "Version": "2012-10-17",
{

To allow the IAM user for account B in account A to invoke cross-account access, use a resource policy similar to the following: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::999999999:user/User1"
      },
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:111111111:AB12CDEF34/stage/*/*"
    }
  ]
}

For more information, see How do I activate IAM authentication for API Gateway REST APIs?

HTTP APIs

For accessing API Gateway HTTP APIs, you can use the sts:AssumeRole API action to assume a role for the HTTP API account. The assumed role provides temporary security credentials that can be used to invoke the HTTP API in another account.

Make sure that the temporary security credentials used to invoke the HTTP API are correct and not expired.

For more information, see How can I provide cross-account IAM authorization for API Gateway HTTP APIs?

API Gateway resource policy examples

Activate IAM authentication for API Gateway Rest APIs

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support
Read article

Resolve DNS or certificate mismatch errors for API Gateway custom domains

How can I resolve DNS resolution or SSL certificate mismatch errors for my API Gateway custom domain name?

Last updated: 2022-10-21

I configured a custom domain name for my Amazon API Gateway API. I am unable to connect to the domain name and receive DNS resolution or SSL certificate mismatch errors. How can I resolve this?

Short description

There are two types of custom domain names that you can create for API Gateway APIs: Regional or (for REST APIs only) edge-optimized.

Resolution

Before creating a custom domain name for your API, you must do one of the following:

Request an SSL/TLS certificate from AWS Certificate Manager (ACM).
-or-
Import an SSL/TLS certificate into ACM.

For more information, see Getting certificates ready in AWS Certificate Manager.

After you have your SSL/TLS certificate, you can follow the instructions to set up a custom domain name for my API Gateway API.

To connect to a custom domain name for API Gateway APIs, you must configure Amazon Route 53 to route traffic to an API Gateway endpoint.

If the DNS records for the custom domain name aren't mapped to the correct API Gateway domain name, then the SSL connection fails. This is because the default *.execute-api.<region>.amazonaws.com certificate is returned instead of the SSL/TLS certificate.

To confirm that the DNS mapping is correct, run the following command from the client: 

$ nslookup <customdomainname>

The output should be the API Gateway domain name. Make sure that the domain name matches the API Gateway domain name. If a Route 53 alias record is used for DNS mapping, then the output is the IP address. Make sure that the IP address matches the API Gateway domain name IP address.

Note:

  • When configuring Route 53, you must create either a public hosted zone or a private hosted zone. For internet-facing applications with resources that you want to make available to users, choose a public hosted zone. For more information, see Working with hosted zones.
  • Route 53 uses records to determine where traffic is routed for your domain. Alias records provide easier DNS queries to AWS resources, while CNAME (non-alias) records can redirect DNS queries outside of AWS resources. For more information, see Choosing between alias and non-alias records.

Migrating a custom domain name to a different API endpoint

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support
Read article