I have an API written in Python/Chalice deployed as a Lambda which gets called from a web app. I thought I had the usual CORS issues fixed; at least, things are working with no problems and have done for a while. Being a good boy I decided it was time to move some hardcoded credentials out of the code into AWS Secrets Manager. Everything is still working well in my local environment (probably because both the API and app are on localhost) with the credentials correctly pulled out of Secrets Manager. However, when I deploy the API the web app is now reporting a CORS error:
Access to XMLHttpRequest at 'https://api' from origin 'https://webapp' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I've tracked the source of the problem down to my call to boto3.session.Session().client().get_secret_value(). If I don't make this call - no CORS errors.
Here's the relevant snippet of my API code:
@app.route('/get/table', methods=['GET'], cors=True)
def GetTable():
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name="eu-west-2"
    )
    get_secret_value_response = client.get_secret_value(SecretId="prod/xxxx")
So, what's going wrong? Am I missing something simple?