CORS/403 status code but cors is enabled on function

Whenever I begin to use the AWS_IAM authorizer on my function, my api GET request - which is being made from a web client - receives a No 'Access-Control-Allow-Origin' header is present on the requested resource. and I’m getting a 403 status code. When I remove the aws_iam authorizer, the api request - made via the same web client - succeeds. So I’m pretty sure it’s not actually a cors error since I’ve double checked that my api has cors enabled. I’m not sure if I’m using the AWS Javascript SDK wrong or if I’m not generating proper roles for AWS_IAM in my serverless.yml config.

When I run the request from postman with my personal access keys from AWS, the request succeeds. When I console.log the keys from the AWS.config.credentials and use those in postman, the request receives an invalid token error message. Maybe I haven’t generated the proper role for my federated identity pool?

I’m using aws4 on the front-end to sign the request, and I use axios to make the request.

Any ideas?

Enabling cors in your serverless.yml only adds the OPTION method to the API Gateway. Your response still needs to include the CORS headers or you will see No 'Access-Control-Allow-Origin' header is present on the requested resource.

From the error code it seems like authentication is successful but authorization is failing. This is causing the API Gateway to respond with a 403 that isn’t including the CORS headers. I would start by looking at https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html to make sure you have everything setup correctly.