Logged In & Receive 403 For Get Notes Call

I’ve created the client app and the API. The client app is deployed to:


However, after I log in using:


I get a 403 response:

message: “User: arn:aws:sts::154716048766:assumed-role/cakebook-api-dev-CognitoAuthRole-1DTRT5XGEGRXW/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-2:********8766:sss6l7svxc/dev/GET/orders”

For the API call:


Perhaps my Cognito user does not have permission to call the Lambda (or API gateway)?

I can’t see what step I’ve missed in the tutorials for this to happen. Can someone please help?

Have you tested the API through the CLI?

Yeah I’ve tested it through CLI and it works fine.

➜  cakebook-api git:(master) ✗ npx aws-api-gateway-cli-test \
--username='admin@example.com' \
--password='Passw0rd!' \
--user-pool-id='us-east-2_gyMzxqXfM' \
--app-client-id='2qsrr2frnp2p60u7me94o5tas' \
--cognito-region='us-east-2' \
--identity-pool-id='us-east-2:d9e4e505-c64a-4836-8e56-3af843dbe453' \
--invoke-url='https://w5o4vxx4f0.execute-api.us-east-2.amazonaws.com/dev' \
--api-gateway-region='us-east-2' \
--path-template='/orders' \
npx: installed 106 in 3.005s
Authenticating with User Pool
Getting temporary credentials
Making API request
{ status: 200,
  statusText: 'OK',
   [ { attachment: 'hello.jpg',
       content: 'hello world',
       createdAt: 1554649942422,
       noteId: '8b2fb360-5947-11e9-9178-8f9047228302',
       userId: 'us-east-2:f59661aa-0d6e-4d60-9d1a-70a0d3e3dde4' } ] }

There’s some more information over on the Stack Overflow question:

If you have any other ideas, I’d really appreciate it thanks.

When I replace the API Gateway URL in the above command with https://api.cakebook.co/dev, I get the 403. So it looks like the problem is in the setup of that URL.

Did you resolve this?

No, but it’s no longer blocking me as I can use the generated API Gateway URL instead. The 403 happens when I try to set the custom domain (api.cakebook.co) up for the API. There’s something wrong with the configuration of this, perhaps something to do with the SSL certificate. When configuring the ACM cert for the custom domain, I have several certs to choose from. One of them is on “.cakebook.co” which produces an error when I try to do the GET. That error states that the cert does not have the right domain. I have two other certs, both on api.cakebook.co. Both of these produce the 403 result.

I also had the same problem. The app threw me Error code 403 when logged in, but I figured it out. My mistake was to write “us-east-1” as API region and DynamoDB region in serverless.yml file while my API region and database were in “us-east-2”. I think you also have a similar problem and hope it solves your problem too.
Remember to deploy your serverless app and check if it creates a new API Gateway. If it does, then you have to create a new Identity Pool, or add a new authentication role in your old Identity Pool.

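The 403 in this thread is an IAM decision: the Cognito authenticated role's policy has to grant execute-api:Invoke on the exact execute-api ARN API Gateway names in the error, and two things in the thread can break that match. The custom-domain posts above show the error naming an API id (sss6l7svxc) that differs from the one in the working CLI invoke URL (w5o4vxx4f0), and the last reply describes a region mismatch (us-east-1 in serverless.yml versus us-east-2 where the API lives). The script below is an added example, not code from any poster or from the Serverless tutorial: it parses the 403 message, compares the requested ARN against the role's policy with IAM-style wildcard matching, and reports which ARN field (region, account, api id) does not line up. The account id, API ids and policy documents are constructed placeholders, and the evaluator is deliberately simplified (no Condition, NotAction or NotResource handling).

```python
import json
import re

# Constructed sample 403 message in the shape API Gateway returns.
# Account id, role suffix and API id are placeholders, not the poster's values.
DENIED_MESSAGE = (
    "User: arn:aws:sts::123456789012:assumed-role/cakebook-api-dev-CognitoAuthRole-EXAMPLE/"
    "CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke "
    "on resource: arn:aws:execute-api:us-east-2:123456789012:newapi0001/dev/GET/orders"
)

# Constructed policy as the Cognito auth role might carry it after serverless.yml
# was deployed with the wrong region and before the API was re-created.
STALE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["execute-api:Invoke"],
        "Resource": ["arn:aws:execute-api:us-east-1:123456789012:oldapi0001/*"],
    }],
}

# Constructed policy pointing at the region and API id the request actually hits.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["execute-api:Invoke"],
        "Resource": ["arn:aws:execute-api:us-east-2:123456789012:newapi0001/*"],
    }],
}

DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+)"
)


def parse_denied(message):
    """Pull principal, action and resource ARN out of an API Gateway 403 message."""
    m = DENIED_RE.search(message)
    if not m:
        raise ValueError("not an AccessDenied message")
    return m.groupdict()


def split_execute_api_arn(arn):
    """arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/METHOD/PATH -> field dict."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "execute-api":
        raise ValueError("not an execute-api ARN: " + arn)
    api_id, _, rest = parts[5].partition("/")
    return {"region": parts[3], "account": parts[4], "api_id": api_id, "rest": rest}


def _glob_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def policy_allows(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy.get("Statement", []):
        hit = any(_glob_match(a, action) for a in _as_list(stmt.get("Action", []))) and any(
            _glob_match(r, resource) for r in _as_list(stmt.get("Resource", []))
        )
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def diagnose(policy, message):
    """Return a list of mismatches explaining why the policy misses the denied ARN."""
    denied = parse_denied(message)
    if policy_allows(policy, denied["action"], denied["resource"]):
        return []
    want = split_execute_api_arn(denied["resource"])
    findings = []
    for stmt in policy.get("Statement", []):
        for res in _as_list(stmt.get("Resource", [])):
            if not res.startswith("arn:aws:execute-api:"):
                continue
            have = split_execute_api_arn(res)
            for field in ("region", "account", "api_id"):
                if have[field] != "*" and have[field] != want[field]:
                    findings.append(
                        f"{field} mismatch: policy has {have[field]}, request needs {want[field]}"
                    )
    return findings or ["no execute-api:Invoke statement covers " + denied["resource"]]


if __name__ == "__main__":
    print(json.dumps(diagnose(STALE_POLICY, DENIED_MESSAGE), indent=2))
    print(json.dumps(diagnose(FIXED_POLICY, DENIED_MESSAGE), indent=2))
```

To use it against a real deployment, paste the message from the 403 body into DENIED_MESSAGE and the policy attached to the CognitoAuthRole (as shown in the IAM console or returned by get-role-policy) into STALE_POLICY; a reported api_id mismatch is the signature of a custom domain mapped to a different API than the one the identity pool's role was written for, and a region mismatch is the serverless.yml case from the last reply.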

That makes sense. Thanks for sharing!