Bug: sam local start-api omits HTTP API CORS headers on Lambda authorizer denial #9087

@ageorgeh

Description:

When using a simple Lambda authorizer with sam local start-api, CORS headers are only applied to successful authorizations.

Steps to reproduce:

Follow the steps in this repo's README https://github.com/ageorgeh/aws-sam-repro

Observed result:

Also in the README

Expected result:

CORS headers from the authorizer, as with live AWS HTTP API Gateways

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

  1. OS: Linux - NixOS
  2. sam --version: 1.160.0
  3. AWS region: ap-southeast-2

{
  "version": "1.160.0",
  "system": {
    "python": "3.13.13",
    "os": "Linux-6.18.33-x86_64-with-glibc2.42"
  },
  "additional_dependencies": {
    "container_engine": "Docker(v29.5.2)",
    "aws_cdk": "Not available",
    "terraform": "Not available"
  },
  "available_beta_feature_env_vars": [
    "SAM_CLI_BETA_FEATURES",
    "SAM_CLI_BETA_BUILD_PERFORMANCE",
    "SAM_CLI_BETA_TERRAFORM_SUPPORT",
    "SAM_CLI_BETA_PACKAGE_PERFORMANCE",
    "SAM_CLI_BETA_UV_PACKAGE_MANAGER"
  ]
}

Labels: stage/needs-triage
