message: “User: arn:aws:sts::154716048766:assumed-role/cakebook-api-dev-CognitoAuthRole-1DTRT5XGEGRXW/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-2:********8766:sss6l7svxc/dev/GET/orders”
When I replace the API Gateway URL in the above command with https://api.cakebook.co/dev, I get the 403. So it looks like the problem is in the setup of that URL.
No, but it’s no longer blocking me as I can use the generated API Gateway URL instead. The 403 happens when I try to set the custom domain (api.cakebook.co) up for the API. There’s something wrong with the configuration of this, perhaps something to do with the SSL certificate. When configuring the ACM cert for the custom domain, I have several certs to choose from. One of them is on “.cakebook.co” which produces an error when I try to do the GET. That error states that the cert does not have the right domain. I have two other certs, both on api.cakebook.co. Both of these produce the 403 result.
I also had the same problem. The app threw me Error code 403 when logged in, but I figured it out. My mistake was to write “us-east-1” as the API region and DynamoDB region in the serverless.yml file while my API region and database were in “us-east-2”. I think you also have a similar problem, and I hope it solves your problem too.
Remember to deploy your serverless app and check if it creates a new API Gateway. If it does, then you have to create a new Identity Pool, or add a new authentication role in your old Identity Pool.
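Added example, not part of any post in this thread: a small Python check that compares the resource ARN from the "not authorized to perform: execute-api:Invoke" message with the `Resource` entries of the Cognito auth role's policy and reports which field (region, API id, stage, ...) does not match. The policy entries and the API id `oldapi1234` are constructed samples; the comparison is a field-by-field diagnostic, not a full IAM policy evaluation.

```python
import re

FIELDS = ("region", "account", "api_id", "stage", "method", "path")

def parse_execute_api_arn(arn):
    """Split arn:aws:execute-api:region:account:api-id/stage/METHOD/path into fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "execute-api"]:
        raise ValueError(f"not an execute-api ARN: {arn!r}")
    # Missing trailing segments (e.g. "api-id/*") are treated as wildcards.
    segments = (parts[5].split("/", 3) + ["*"] * 3)[:4]
    return dict(zip(FIELDS, [parts[3], parts[4], *segments]))

def iam_match(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.S) is not None

def field_ok(name, pattern, value):
    if name == "account" and value.startswith("*"):
        # The error message masks the account id; compare only the visible digits.
        return pattern == "*" or pattern.endswith(value.lstrip("*"))
    return iam_match(pattern, value)

def diagnose(denied_arn, policy_resources):
    """For each policy Resource, list the fields that do not cover the denied ARN."""
    denied = parse_execute_api_arn(denied_arn)
    report = {}
    for res in policy_resources:
        pat = parse_execute_api_arn(res)
        report[res] = [f for f in FIELDS if not field_ok(f, pat[f], denied[f])]
    return report

# Resource ARN copied from the error message quoted in this thread.
DENIED = "arn:aws:execute-api:us-east-2:********8766:sss6l7svxc/dev/GET/orders"
# Constructed policy entries: wrong region, stale API id, and a matching one.
POLICY = [
    "arn:aws:execute-api:us-east-1:154716048766:sss6l7svxc/*",
    "arn:aws:execute-api:us-east-2:154716048766:oldapi1234/*",
    "arn:aws:execute-api:us-east-2:154716048766:sss6l7svxc/*",
]

if __name__ == "__main__":
    for resource, bad in diagnose(DENIED, POLICY).items():
        print(resource, "->", "covers the request" if not bad else f"mismatch in {bad}")
```

An empty mismatch list for at least one entry means the role's policy covers the denied resource, so the cause lies elsewhere.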