CorsConfiguration - Amazon Serverless Application Model
SyntaxPropertiesExamples
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

CorsConfiguration

Manage cross-origin resource sharing (CORS) for your API Gateway APIs. Specify the domain to allow as a string or specify a dictionary with additional Cors configuration.

Note

CORS requires Amazon SAM to modify your OpenAPI definition. Create an inline OpenAPI definition in the DefinitionBody to turn on CORS. If the CorsConfiguration is set in the OpenAPI definition and also at the property level, Amazon SAM merges them. The property level takes precedence over the OpenAPI definition.

For more information about CORS, see Enable CORS for an API Gateway REST API Resource in the API Gateway Developer Guide.

Syntax

To declare this entity in your Amazon Serverless Application Model (Amazon SAM) template, use the following syntax.

YAML

  AllowCredentials: Boolean
  AllowHeaders: String
  AllowMethods: String
  AllowOrigin: String
  MaxAge: String

Properties

AllowCredentials

Boolean indicating whether request is allowed to contain credentials.

Type: Boolean

Required: No

Amazon CloudFormation compatibility: This property is unique to Amazon SAM and doesn't have an Amazon CloudFormation equivalent.

AllowHeaders

String of headers to allow.

Type: String

Required: No

Amazon CloudFormation compatibility: This property is unique to Amazon SAM and doesn't have an Amazon CloudFormation equivalent.

AllowMethods

String containing the HTTP methods to allow.

Type: String

Required: No

Amazon CloudFormation compatibility: This property is unique to Amazon SAM and doesn't have an Amazon CloudFormation equivalent.

AllowOrigin

String of origin to allow. This can be a comma-separated list in string format.

Type: String

Required: Yes

Amazon CloudFormation compatibility: This property is unique to Amazon SAM and doesn't have an Amazon CloudFormation equivalent.

MaxAge

String containing the number of seconds to cache CORS Preflight request.

Type: String

Required: No

Amazon CloudFormation compatibility: This property is unique to Amazon SAM and doesn't have an Amazon CloudFormation equivalent.

Examples

CorsConfiguration

CORS Configuration example. This is just a portion of an Amazon SAM template file showing an AWS::Serverless::Api definition with CORS configured and a AWS::Serverless::Function. If you use a Lambda proxy integration or a HTTP proxy integration, your backend must return the Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers headers.

YAML

Resources:
  ApiGatewayApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Cors:
        AllowMethods: "'POST, GET'"
        AllowHeaders: "'X-Forwarded-For'"
        AllowOrigin: "'https://example.com'"
        MaxAge: "'600'"
        AllowCredentials: true
  ApiFunction: # Adds a GET method at the root resource via an Api event
    Type: AWS::Serverless::Function
    Properties:
      Events:
        ApiEvent:
          Type: Api
          Properties:
            Path: /
            Method: get
            RestApiId:
              Ref: ApiGatewayApi
      Runtime: python3.10
      Handler: index.handler
      InlineCode: |
        import json
        def handler(event, context):
          return {
          'statusCode': 200,
          'headers': {
            'Access-Control-Allow-Headers': 'Content-Type',
            'Access-Control-Allow-Origin': 'https://example.com',
            'Access-Control-Allow-Methods': 'POST, GET'
            },
          'body': json.dumps('Hello from Lambda!')
          }