Custom domain for API Gateway returning 403
Solution 1
Here is the developer guide if you haven't seen it. http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html
All you need to do is set up a CNAME with your DNS provider pointing at the CF distribution that API Gateway gives you. You won't be able to make API calls directly to the CF distribution. API Gateway maps the API/stage from the Base Path mapping you set up in API Gateway so only API calls directed at the domain name will work correctly.
Solution 2
You need to use host header in your request. Host should be your custom domain.
curl https://<cf-id>.cloudfront.net/myapi -H "Host: api.myapi.com"
Solution 3
In my case I had to add base path mapping.
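The routing rule that Solutions 1 to 3 describe, written out as a small offline triage helper (an added example, not code from the original answers). The function name, the sample domain, the distribution name and the mapping data are constructed. Mappings use the item shape that `aws apigateway get-base-path-mappings` returns, and single-segment base paths are assumed.

```python
from urllib.parse import urlsplit


def diagnose(url, custom_domain, mappings, host_header=None):
    """Return (routable, reason) for a request aimed at an API Gateway custom domain.

    mappings: list of dicts shaped like get-base-path-mappings items; an empty
    base path is reported by the API as the literal string "(none)".
    """
    parts = urlsplit(url)
    # A client sends the URL's host as the Host header unless it is overridden.
    host = (host_header or parts.hostname or "").lower().rstrip(".")
    if host != custom_domain.lower():
        return False, f"Host '{host}' is not the custom domain; expect 403"
    if not mappings:
        return False, "custom domain has no base path mapping; expect 403"

    by_path = {m["basePath"]: m for m in mappings}
    root = by_path.pop("(none)", None)          # mapping for the empty base path
    segments = [s for s in parts.path.split("/") if s]
    first = segments[0] if segments else ""

    if first in by_path:                         # named base path is stripped
        target, rest = by_path[first], segments[1:]
    elif root is not None:                       # empty base path keeps the full path
        target, rest = root, segments
    else:
        return False, f"no base path mapping matches '/{first}'; expect 403"
    return True, f"{target['restApiId']}/{target['stage']} receives /{'/'.join(rest)}"


# Constructed sample data (not taken from the page).
CUSTOM = "api.example.com"
DIST = "d111111abcdef8.cloudfront.net"
ROOT_MAP = [{"basePath": "(none)", "restApiId": "a1b2c3d4e5", "stage": "prod"}]
V1_MAP = [{"basePath": "v1", "restApiId": "a1b2c3d4e5", "stage": "prod"}]

if __name__ == "__main__":
    cases = [
        (f"https://{DIST}/myapi", ROOT_MAP, None),    # direct call to the distribution
        (f"https://{DIST}/myapi", ROOT_MAP, CUSTOM),  # same call with Host overridden
        (f"https://{CUSTOM}/myapi", [], None),        # no base path mapping at all
        (f"https://{CUSTOM}/v1/users", V1_MAP, None), # named base path matches
        (f"https://{CUSTOM}/users", V1_MAP, None),    # path outside every mapping
    ]
    for url, maps, host in cases:
        print(url, host or "-", diagnose(url, CUSTOM, maps, host))
```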
Solution 4
In my case the Legacy cache settings headers were the issue.
If you have selected Legacy cache settings in the CloudFront behaviour: in the CloudFront distribution, under Behaviour -> Legacy cache settings -> Header drop-down.
Selecting the value None solved my problem.

Comments
-
BBS 9 months
I am creating an api using API Gateway and Lambda. Using the url designated in the API Gateway Stage editor everything works fine; however, when I try and move to a custom domain I am running into some issues.
The first thing I tried was using a CNAME record in Route 53 straight from my domain onto the domain that I got from the API Gateway. That was returning some errors and I think it is the incorrect solution; is that correct?
Next I tried the Custom Domain Names feature in API Gateway. My understanding is this will roll up a CloudFront distribution that I can then map onto from Route 53. When I created the custom domain and added a Domain Mapping it provides me with a url to what I assume is a CloudFront distribution. The link is returning a 403 response and no distribution has been made in CloudFront. What is a good way of debugging this problem?
-
Thiago Silva almost 5 years
adding the Host header was the missing piece for me. I have an API key required for the APIG, and was already providing the x-api-key custom header, but without the Host header, the request was always forbidden when using cloudfront
-
Nate Barbettini almost 5 years
This is the real answer!
-
JamesQMurphy over 4 years
No, it's not. The whole point of using a custom domain is so that you can use it instead of using cloudfront.net.
-
shrumm almost 4 years
It's useful to verify everything is working before connecting it to the 'real' domain.
-
bormansquirrel over 3 years
Yes, even if you don't want to have an extra bit in your url layout (e.g. api.mydomain.com/whatever), you will need to add a / base path mapping in order to make it work
-
Steven about 2 years
I tried with postman and this solved half of the problem. But you can't set Host header in AJAX requests, the browser does not let you. Is there a solution to this?
-
Fernando Piancastelli over 1 year
In my case, adding this Host header with my desired api.example.com is what allowed my api.example.com Route 53 record to go through - I didn't touch my cloudfront console tab.
-
w33b 9 months
This does not provide an answer to the question. Once you have sufficient reputation you will be able to comment on any post; instead, provide answers that don't require clarification from the asker. - From Review
-
Jesse Barnum 9 months
This answer solved my problem.
-
Marcello Romani 9 months
I wonder if it's possible to use an APIGW custom domain without a cloudfront distribution...
-
Marcello Romani 9 months
Ah, it depends on the endpoint type, Edge or Regional...
-
Ashish Karpe 8 months
Btw, I am getting {“message”:“Forbidden”} on my hosted domain name URL, but when I open the API endpoint my service is accessed. Note my API is open, but my Route 53 entry is in a different AWS account, and my custom domain created for the API and CloudFront are in a different AWS account