APIGateway throws 403 back when requesting API from one lambda to another on a different APIGateway endpoint

I'm creating an Axios call to an API hosted on APIGateway with no Authorizer etc. I'm able to access the lambda via a direct Postman request and also on the service lambda when it's run in offline mode, such as:

https://localhost:3000/my/api

However, when I run it on the dev stage:

12345.execute-api.eu-west-1.amazonaws.com/my/api

I'm getting a 403: Forbidden error thrown back.

I've seen comments from other posts where they needed to append the staging environment at the end of the request, but this isn't the case in this instance as it's just creating a default endpoint and all other lambdas within this service can be hit when run on dev; it's just this one that makes a call to another APIGateway API.

The calling API is behind an authorizer with a wildcard policy so should allow all traffic and I'd like to reiterate, it works on both localhost and a direct call to the invoked api.

I'm wondering if it's something to do with the policies attached to it but I've set them all to be wildcarded as well so it should allow everything.

Any ideas would be really helpful, I've been wracking my brains over this all day.

Edit: The authorizer has no policy denying access to the API, same as the resource policy.



Solution 1:[1]

There are two common reasons why an API Gateway REST API with a Lambda authorizer returns a 403 error:

The Lambda authorizer function returns an AWS Identity and Access Management (IAM) policy document that explicitly denies access to the caller.

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html

The second reason is that the API has an attached resource policy that explicitly denies access to the caller.

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies.html

If both are in place, please update the question with those details.
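Both checks named in the answer can be run offline against a copy of the authorizer's returned `policyDocument` and the API's resource policy. The following is an added example, not part of the original answer: `evaluatePolicy` and its helpers are hypothetical names, the ARNs, account ID and IP range are constructed, and `Principal` and `Condition` blocks are not evaluated.

```javascript
// Added example, not from the original answer. Principal and Condition are
// not evaluated (assumption); a matching Deny that carries a Condition is
// reported as 'ConditionalDeny' for manual review.
const toArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM wildcards: '*' matches any run of characters, '?' exactly one.
function wildcardMatch(pattern, value) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$').test(value);
}

function statementMatches(stmt, action, resource) {
  // IAM action names are case-insensitive; resource ARNs are not.
  return toArray(stmt.Action).some((a) => wildcardMatch(a.toLowerCase(), action.toLowerCase())) &&
    toArray(stmt.Resource).some((r) => wildcardMatch(r, resource));
}

// Returns 'ExplicitDeny', 'ConditionalDeny', 'Allow' or 'ImplicitDeny'.
function evaluatePolicy(policyDocument, methodArn, action = 'execute-api:Invoke') {
  const matching = toArray(policyDocument.Statement)
    .filter((s) => statementMatches(s, action, methodArn));
  const denies = matching.filter((s) => s.Effect === 'Deny');
  if (denies.some((s) => !s.Condition)) return 'ExplicitDeny';
  if (denies.length > 0) return 'ConditionalDeny';
  return matching.some((s) => s.Effect === 'Allow') ? 'Allow' : 'ImplicitDeny';
}

// Constructed sample data: account ID, API ID and source IP range are placeholders.
const API = 'arn:aws:execute-api:eu-west-1:111122223333:12345';
const methodArn = `${API}/dev/GET/my/api`;
const invoke = (Effect, Resource, extra = {}) =>
  ({ Effect, Action: 'execute-api:Invoke', Resource, ...extra });

const authorizerAllow = { principalId: 'caller', policyDocument:
  { Version: '2012-10-17', Statement: [invoke('Allow', `${API}/*`)] } };
const authorizerDeny = { principalId: 'caller', policyDocument:
  { Version: '2012-10-17', Statement: [invoke('Allow', `${API}/*`), invoke('Deny', methodArn)] } };
const resourcePolicy = { Version: '2012-10-17', Statement: [
  invoke('Allow', `${API}/*`, { Principal: '*' }),
  invoke('Deny', `${API}/*`, { Principal: '*',
    Condition: { NotIpAddress: { 'aws:SourceIp': '203.0.113.0/24' } } }),
] };

console.log(evaluatePolicy(authorizerAllow.policyDocument, methodArn));
console.log(evaluatePolicy(authorizerDeny.policyDocument, methodArn));
console.log(evaluatePolicy(resourcePolicy, methodArn));
```

A wildcard `Allow` does not override a narrower `Deny` on the same method ARN, which is why the second sample still evaluates to a deny.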

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Jijo Alexander