DVA-C02 · Question #445
A developer is troubleshooting an application. The application includes several AWS Lambda functions that invoke an Amazon API Gateway API. The API Gateway's method request is set up to use an Amazon
The correct answer is B. Modify the client GET request to include a valid token in the Authorization header.. When API Gateway uses a Cognito authorizer, it expects a valid JWT token (issued by Cognito) in the Authorization header - not a raw user ID. Passing just the user ID fails Cognito's token validation, causing the 403, so the fix is to pass the actual Cognito-issued token (B). Why
Question
A developer is troubleshooting an application. The application includes several AWS Lambda functions that invoke an Amazon API Gateway API. The API Gateway's method request is set up to use an Amazon Cognito authorizer for authentication. All the Lambda functions pass the user ID as part of the Authorization header to the API Gateway API. The API Gateway API returns a 403 status code for all GET requests. How should the developer resolve this issue?
Options
- AModify the client GET request to include a valid API key in the Authorization header.
- BModify the client GET request to include a valid token in the Authorization header.
- CUpdate the resource policy for the API Gateway API to allow the execute-api:Invoke action.
- DModify the client to send an OPTIONS preflight request before the GET request.
How the community answered
(39 responses)- A5% (2)
- B82% (32)
- C3% (1)
- D10% (4)
Explanation
When API Gateway uses a Cognito authorizer, it expects a valid JWT token (issued by Cognito) in the Authorization header - not a raw user ID. Passing just the user ID fails Cognito's token validation, causing the 403, so the fix is to pass the actual Cognito-issued token (B).
Why the distractors are wrong:
- A - API keys belong to Usage Plans, not Cognito authorizers; mixing these up is a classic trap.
- C - A resource policy controls which principals/IPs can reach the API at all; the request is already reaching the authorizer, so the 403 is an auth failure, not an access policy block.
- D - OPTIONS preflight is a CORS concept for browsers; Lambda-to-API Gateway calls don't require it, and it wouldn't fix an authorization failure anyway.
Memory tip: Think of the Authorization header like a bouncer's checklist - Cognito is the bouncer and only accepts a signed ticket (JWT token) from its own box office. Handing the bouncer your name (user ID) instead of the ticket gets you a 403 every time.
Topics
Community Discussion
No community discussion yet for this question.