AWS API Gateway CORS ok for OPTIONS, fail for POST

+1 vote

I've looked at the other related questions on SO but this seems different. In fact, my question is very similar to this one, except I don't have the 400 status issue.

The set up:

  • lambda function through API Gateway
  • Authorization: None, API KEY Required: false
  • deploying to stage: test

  • 1 resource, 1 POST method integrating the lambda.

  • Calling the POST endpoint directly e.g. with curl always returns 200 (with/without payload, bad payload, etc.) - so that's different from the referenced question.

I've used the "Enable CORS" option - I've tried applying this option on both the resource, and the POST request (and deploying the API afterwards).

In API GW, I can see Access-Control-Allow-Origin listed in 200 Response Headers under POST method - Method Response area.

Result: Calling the endpoint from client code in Chrome, OPTIONS passes but POST fails due to missing Access-Control-Allow-Origin header.

In curl: OPTIONS call

curl -X OPTIONS -H "Access-Control-Request-Method: POST" \
     -H "Access-Control-Request-Headers: Content-Type" \
     -H "Origin: http://example.com" --verbose <endpoint>

the response is:

< HTTP/1.1 200 OK
< Content-Type: application/json
...
< Access-Control-Allow-Headers: Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token
< Access-Control-Allow-Methods: POST,OPTIONS
< Access-Control-Allow-Origin: *
...

but with POST:

curl -X POST -d '{}' -H "Content-Type: application/json" \
     -H "Origin: http://example.com" --verbose <endpoint>

it returns:

< HTTP/1.1 200 OK
< Content-Type: application/json
...

and the response json body - but no Access-anything header.

What else can I check?

Oct 9, 2018 in AWS by eatcodesleeprepeat
• 4,670 points
739 views

1 answer to this question.

0 votes

The problem has been that the API gateway has called my lambda function using the "Lambda Proxy Integration" option checked.

I believe this is activated by default when adding a API gateway trigger to a newly created lambda function.

When inside the API Gateway - Resource - Method view, the "Integration Response" box is greyed out and it seems there's no way (even for the Enable CORS function) to add a Access-Control-Allow-Origin header there, which according to @Abhigna_Nagaraja is required.

Solution: If using "Lambda Proxy Integration", add the 'Access-Control-Allow-Origin': '*' header to your lambda function.

Even better: in the same view - Integration Request, turn off "Lambda Proxy Integration" and Enable CORS again (deploy afterwards).

(Then, in the callback, you'll have to return just the payload json instead of the { statusCode, headers, body } object.)

Update:

Some useful reads if you're unsure whether to return request response status information in http status codes or in the json payload:

http status vs json status

json status standards

answered Oct 9, 2018 by Priyaj
• 56,160 points

Related Questions In AWS

0 votes
1 answer

How to Enable CORS for an AWS API Gateway Resource

Since you're using Lambda Proxy integration for ...READ MORE

answered Jul 10, 2018 in AWS by Hammer
• 360 points
443 views
0 votes
1 answer
0 votes
1 answer
0 votes
1 answer
0 votes
1 answer

how to access AWS S3 from Lambda in VPC

With boto3, the S3 urls are virtual by default, ...READ MORE

answered Sep 28, 2018 in AWS by Priyaj
• 56,160 points
1,225 views
0 votes
1 answer
0 votes
1 answer
0 votes
1 answer

Fail to enable CORS for API Gateway functions

Firstly please select your root resource and ...READ MORE

answered Oct 9, 2018 in AWS by Priyaj
• 56,160 points
802 views
+1 vote
3 answers

Not able to pass params POST to AWS Lambda from Amazon API Gateway

For this template : application/x-www-form-urlencoded  This line below will ...READ MORE

answered Jun 13, 2018 in AWS by Cloud gunner
• 4,260 points
1,667 views