AWS Lambda function not found "Authorization" key in request headers from CloudFront + AWS APIGateway(without Authorizer)
- Authors: PatharaNor
Background
Normally, AWS Lambda sees every incoming request header, body and parameter when a client sends a request to your Lambda function directly. The exception is when you wrap your Lambda function with CloudFront + AWS APIGateway (without Authorizer).
With this architecture, you still see the Authorization key name in the Method Request block, but it is not passed through to the Integration Request block when you call the function via your CloudFront domain name.
This happens even though we already set Use Lambda Proxy Integration in the Integration Request block and deployed it.
Solution
The root cause is CloudFront, which removes some viewer headers by default:
Configuring CloudFront to forward the Authorization header
When CloudFront forwards a viewer request to your origin, CloudFront removes some viewer headers by default, including the Authorization header. To make sure that your origin always receives the Authorization header in origin requests, you have the following options:
- Add the Authorization header to the cache key using a cache policy. All headers in the cache key are automatically included in origin requests. For more information, see Controlling the cache key.
- Use an origin request policy that forwards all viewer headers to the origin. You cannot forward the Authorization header individually in an origin request policy, but when you forward all viewer headers CloudFront includes the Authorization header in viewer requests. CloudFront provides a managed origin request policy for this use case, called Managed-AllViewer. For more information, see Using the managed origin request policies.
Ref. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/add-origin-custom-headers.html
The easy way is to add the Authorization key name to the cache key, in the Headers scope, by editing the behavior of your AWS Lambda's bucket in CloudFront and adding the key there.
Now your AWS Lambda should see the Authorization key name in the request headers :)
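One way to check a cache behavior's policies against the two options quoted above, as an added example that is not code from the original post. The function names and sample policies are constructed for illustration; the dict layout assumes the CloudFront API's CachePolicyConfig and OriginRequestPolicyConfig structures.

```python
# Added example. Function names and sample policies are constructed; the dict
# layout follows CloudFront's CachePolicyConfig / OriginRequestPolicyConfig.

def _listed(headers_config):
    """Lower-cased header names listed in a HeadersConfig block."""
    items = headers_config.get("Headers", {}).get("Items") or []
    return {name.lower() for name in items}  # header names are case-insensitive

def in_cache_key(cache_policy, header="Authorization"):
    """Option 1: the header is whitelisted in the cache key."""
    hc = (cache_policy.get("ParametersInCacheKeyAndForwardedToOrigin", {})
          .get("HeadersConfig", {}))
    return hc.get("HeaderBehavior") == "whitelist" and header.lower() in _listed(hc)

def forwards_all_viewer_headers(origin_request_policy):
    """Option 2: the origin request policy forwards every viewer header."""
    behavior = origin_request_policy.get("HeadersConfig", {}).get("HeaderBehavior")
    return behavior in ("allViewer", "allViewerAndWhitelistCloudFront")

def authorization_reaches_origin(cache_policy=None, origin_request_policy=None):
    """Return (reaches_origin, reason) for one cache behavior."""
    if cache_policy and in_cache_key(cache_policy):
        return True, "Authorization is part of the cache key"
    if origin_request_policy and forwards_all_viewer_headers(origin_request_policy):
        return True, "origin request policy forwards all viewer headers"
    return False, "CloudFront removes Authorization before the origin request"

# Constructed sample policies
NO_HEADERS = {"ParametersInCacheKeyAndForwardedToOrigin": {
    "HeadersConfig": {"HeaderBehavior": "none"}}}
WITH_AUTH = {"ParametersInCacheKeyAndForwardedToOrigin": {
    "HeadersConfig": {"HeaderBehavior": "whitelist",
                      "Headers": {"Quantity": 1, "Items": ["authorization"]}}}}
ALL_VIEWER = {"HeadersConfig": {"HeaderBehavior": "allViewer"}}
WHITELIST_ORP = {"HeadersConfig": {"HeaderBehavior": "whitelist",
                                   "Headers": {"Quantity": 1, "Items": ["Accept"]}}}

if __name__ == "__main__":
    for label, cp, orp in [("default", NO_HEADERS, None),
                           ("cache key", WITH_AUTH, None),
                           ("all viewer", NO_HEADERS, ALL_VIEWER),
                           ("orp whitelist", NO_HEADERS, WHITELIST_ORP)]:
        print(label, authorization_reaches_origin(cp, orp))
```

Because option 1 makes the header value part of the cache key, CloudFront caches responses separately for each distinct Authorization value.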