Unable to set CORS headers when there is a unhandled Lambda exception

[talawahtech]

Description

If I create a AWS::Serverless::Function that is triggered by an API Gateway event, and an unhandled exception occurs in my code, the error message sent back to the user is a 502 Bad Gateway error from the API Gateway. Unfortunately this error message doesn't have any CORS headers by default, so if the webpage that called the endpoint is not on the same domain as the API Gateway, a CORS error will also be triggered in the browser.

Previously when I used the serverless framework I would address this issue by creating a CloudFormation resource to set the DEFAULT_5XX Gateway Response for that particular API. For some reason doing so doesn't seem to have any effect for APIs created using sam-cli.

Steps to reproduce

1. Create a AWS::Serverless::Function with an event of type Api and throw an exception when the function is called.

2. Add the following resource to template.yaml

  GatewayResponseDefault5XX:
    Type: 'AWS::ApiGateway::GatewayResponse'
    Properties:
      ResponseParameters:
        gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
        gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
      ResponseType: DEFAULT_5XX
      RestApiId: !Ref ServerlessRestApi

Observed result

No CORS headers are present on the 502 response from the API endpoint

Expected result

CORS headers should be present on the 502 response from the API endpoint

I am not sure if this has something to do with the fact that sam-cli uses embedded swagger templates when defining the RestApi, but that would be my first guess. I am just looking for a way to address the issue, even if it is another workaround

[eulogio-gutierrez]

Hi talawahtech,

I had a similar issue recently and I noticed that the CORS headers, when added using GatewayResponses on a Aws::Serverless::Api are present only if I manually re-deploy the api.

A second option might be to add the GatewayResponses to your aws::serverless::api resource (I guess you're using this type?), as per this sam release: https://github.com/awslabs/serverless-application-model/releases/tag/v1.11.0 (as in this example: https://github.com/awslabs/serverless-application-model/blob/master/examples/2016-10-31/api_gateway_responses/template.yaml). This, however, doesn't currently validate, and raises an InvalidResourceException (see these issues: aws/serverless-application-model#939, and #1198).

I hope this helps

[pkingston-dbg]

I have also encountered this issue, and only had limited success with eulogio-gutierrez's suggestion of rolling the config into the Api resource.

When updating an already-deployed application which detects a change to an AWS::Serverless::Api, it does not include the AWS::ApiGateway::GatewayResponse unless there is also a change to that object. My initial deployment would include the header values, but then any subsequent deployment that included a AWS::ApiGateway::Deployment, wiped the header values out.

[PaulMaas]

This seems to be supported in SAM, but not in SAM-CLI. Is that correct? Is there a resource that shows what SAM-CLI can and can't do with respect to SAM? I spent hours trying to get GatewayResponses to work locally with SAM-CLI...

Are there plans to add support for this to SAM-CLI?

[larsschieffer]

Any progress about this issue? I think that I'm currently facing the same issue as @PaulMaas.

I will appreciate any information 👍