x-amzn-ErrorType: IncompleteSignatureException

Hey, I have an APIGW with a Cognito authoriser. The endpoint works without the authoriser: when hitting / I get my Hello World! message. However, after attaching the authoriser, I get a `not a valid key=value pair (missing equal-sign) in Authorization header` error, and inspecting the response headers:

```
x-amzn-ErrorType: IncompleteSignatureException
```

Googling this error, it seems it could be related to a number of things, but I wanted to see if you guys have come across this before and maybe point me in the right direction.

where are you seeing that error?

In my response when calling my URL

```
--header 'Authorization: Bearer xxxx'
```

that probably points to an invalid bearer token being sent

So I’m using Postman and using the OAuth 2.0 Auth setting to generate a token. This loads up Cognito’s hosted UI where I log in, and then Postman uses that token, so I’m unsure how it can be incorrect?

The token itself also appears to be valid.

how do you know the token is valid?

Because it’s what AWS’s hosted UI provides (it also provides me with the correct information when decoding it).

let’s validate that assumption, try out https://jwt.io/ and let me know if it tells you if it is valid

Yea, that’s what I did and it’s valid:

```
{
  "sub": "fa075e19-dage-4r82-1ab1-52d2c5f5f7ed",
  "iss": "https://cognito-idp.eu-west-2.amazonaws.com/eu-west-2_xxxx",
  "version": 2,
  "client_id": "xxxx",
  "event_id": "d29f5fbd-07e2-4b0e-9f1c-bab295f7e34x",
  "token_use": "access",
  "scope": "openid email",
  "auth_time": 1690305370,
  "exp": 1690308970,
  "iat": 1690305370,
  "jti": "61fbff83-45fe-4448-b315-47cde7e2d466",
  "username": "fa075e19-dage-4r82-1ab1-52d2c5f5f7ed"
}
```

sounds like you might need to file a support ticket

Strangely:

https://xxx.execute-api.eu-west-2.amazonaws.com/xxx/account works (if I configure the Lambda code to accept /account).

https://xxx.execute-api.eu-west-2.amazonaws.com/xxx doesn’t work and I get that same error.

It’s like it doesn’t work at root level for some reason

should it work at the top level?

Do you have a / route defined in your api gateway?

or at least the prefix /account set up in Gateway so I can call api.mydomain.com/account in the future and it will load up the Lambda.

and does throwing a trailing / on there work?

I’d be careful about testing the execute URI directly; I'd directly start testing with the custom domain instead, there are definitely some gotchas with Cognito.

Nope, I tried the / but that also doesn’t work