TIL that APIGW can intercept Authorization header values
VPC endpoint policies can be used to restrict access to a private API gateway.
When a VPC endpoint policy is configured, API gateway intercepts the
Authorization header value to evaluate the identity of the request's invoker.
This can cause errors when your applications behind the API gateway expect to
receive the same Authorization header. Any requests to the API gateway via the
VPC endpoint will return a 403 IncompleteSignatureException or 403 InvalidSignatureException error as API gateway thinks it received an invalid
Authorization header value, even when no custom authorizer is configured.
# Debugging the Error
When I first encountered this error, I assumed it was an issue with the APIGW
resource
policy. So I set the resource policy to the default allow *. That didn't work. Next, googling the error message landed me on this troubleshooting
page, which was not very useful.
According to the page's table, the two errors I encountered either means the request's auth token expired or the request's signature is invalid, which is baffling since I didn't configure any form of authorization on the APIGW.
# The solution
Annoyingly, the solution is found in the VPC endpoint policy
section.
With a non-default VPC endpoint policy, APIGW will always evaluate the
Authorization header, even when there's no custom authorizer configured to
process it.
There are two cases where the header is NOT evaluated by APIGW:
NONEauthorizationType with a default full access (VPC endpoint) policyCUSTOM(Lambda authorizer) orCOGNITO_USER_POOLSauthorizationType
Alternatively, another solution would be to use a different header for authorization in your application, something less universal, so it won't be evaluated by APIGW.