
API Gateway returns 403 errors when using serverless-domain-manager


When I use the custom domain https://api-dev.testapp.net:

OPTIONS https://api-dev.testapp.net/dev/locations 403 ()

Failed to load https://api-dev.testapp.net/dev/locations: Response to 
preflight request doesn't pass access control check: No 'Access-Control- 
Allow-Origin' header is present on the requested resource. Origin 
'https://xxxxx0f67xxxxxe7963c04cxxxxx23bf.vfs.cloud9.us-east- 
1.amazonaws.com' is therefore not allowed access. The response had HTTP 
status code 403. If an opaque response serves your needs, set the 
request's mode to 'no-cors' to fetch the resource with CORS disabled.

I have set up an API where each path is a microservice, all pointing to one custom domain name. Each stage also has a different domain.

I use Cognito for user authentication, and as far as I can tell, authentication is working.

Here is a sample of my serverless.yml:

service: testapp-location
plugins:
  - serverless-domain-manager

custom:
  stage: ${opt:stage, self:provider.stage}
  domains:
    prod: api.testapp.net
    test: api-test.testapp.net
    dev: api-dev.testapp.net

  # serverless-domain-manager reads its settings from custom.customDomain
  customDomain:
    basePath: "locations"
    domainName: ${self:custom.domains.${self:custom.stage}}
    stage: "${self:custom.stage}"
    createRoute53Record: true

package:
  include:
    - models

provider:
  name: aws
  runtime: nodejs6.10
  stage: ${opt:stage, 'dev'}
  environment:
    DATABASE_HOST: ${file(../../config/api/${self:provider.stage}.config.json):DATABASE_HOST}
    DATABASE_NAME: ${file(../../config/api/${self:provider.stage}.config.json):DATABASE_NAME}
    DATABASE_USERNAME: ${file(../../config/api/${self:provider.stage}.config.json):DATABASE_USERNAME}
    DATABASE_PASSWORD: ${file(../../config/api/${self:provider.stage}.config.json):DATABASE_PASSWORD}
  region: us-east-1

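I have confirmed that the Route 53 entries are set up and point to the CloudFront distribution. The base path mappings are also set up, and the custom domains have valid TLS certificates attached to them.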

Things should be working, but I think I need a hand debugging this. Any help would be appreciated.

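Edit 1: When I use the URL generated by API Gateway (e.g. OPTIONS https://nnxxxxxe1d.execute-api.us-east-1.amazonaws.com/dev/locations) with no headers added, the request succeeds. This makes sense, because there is no authorizer on this endpoint and it has a hard-coded 200 response body.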

Edit 2: When I run the request in Postman (OPTIONS https://api-dev.testapp.net/dev/locations), I get the following response:

Connection →keep-alive
Content-Length →23
Content-Type →application/json
Date →Thu, 26 Jul 2018 13:40:59 GMT
Via →1.1 b790a9f06b094xxxxxxxxb87e81d4b7f.cloudfront.net (CloudFront)
X-Amz-Cf-Id →3M9kxxxxxxxxlW9Fos_lZqw-lGdPp9MCI7xFIS2-LcXpjGNolsT7jA==
X-Cache →Error from cloudfront
x-amz-apigw-id →Ko1xxxxxxxxF1LA=
x-amzn-ErrorType →ForbiddenException
x-amzn-RequestId →881153c6-90d9-11e8-8d65-738000007497

This makes me think the problem is CloudFront rejecting the request.

1 Answer

  • 0

    What is the value of Access-Control-Allow-Origin in your request? If you don't have one, add the following to your request headers:

    Access-Control-Allow-Origin: *
    

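    I suspect that because your request passes through multiple access points, the token is not being passed. When you attach a cookie for the authorized user, also add domain=whateverdomain.com.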
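
An added example, not part of the original question or answer: a simplified JavaScript model of how a custom domain's base path mappings select a stage, using the `basePath` and stage values from the serverless.yml above. The routing rules and function names are assumptions of this sketch, not AWS or plugin code; it shows which URLs on `api-dev.testapp.net` reach the `dev` stage and which get a 403 that carries no CORS headers.

```javascript
// Added example: a simplified model (an assumption, not AWS code) of how an
// API Gateway custom domain routes a request through base path mappings.
// Mapping values come from the serverless.yml in the question.
const MAPPINGS = [{ basePath: 'locations', stage: 'dev' }];

// JSON body of a generic API Gateway 403 response.
const FORBIDDEN_BODY = JSON.stringify({ message: 'Forbidden' });

function resolveCustomDomainUrl(url, mappings) {
  const segments = new URL(url).pathname.split('/').filter(Boolean);
  // The first path segment selects the mapping; the stage is not part of the URL.
  let mapping = mappings.find((m) => m.basePath === (segments[0] || ''));
  let rest = segments.slice(1);
  if (!mapping) {
    // Fall back to a mapping with an empty base path, if one exists.
    mapping = mappings.find((m) => m.basePath === '');
    rest = segments;
  }
  if (!mapping) {
    // Nothing matched: rejected before any method (and its CORS headers) runs.
    return { status: 403, errorType: 'ForbiddenException',
             body: FORBIDDEN_BODY, corsHeaders: {} };
  }
  return { status: 'forwarded', stage: mapping.stage,
           resourcePath: '/' + rest.join('/') };
}

// On the default execute-api hostname the first segment is the stage instead.
function resolveExecuteApiUrl(url) {
  const [stage, ...rest] = new URL(url).pathname.split('/').filter(Boolean);
  return { status: 'forwarded', stage, resourcePath: '/' + rest.join('/') };
}

for (const url of [
  'https://api-dev.testapp.net/dev/locations',       // URL from the question
  'https://api-dev.testapp.net/locations/locations', // base path + resource
]) {
  console.log(url, JSON.stringify(resolveCustomDomainUrl(url, MAPPINGS)));
}
```

The 403 body in this model is 23 bytes long, the same Content-Length as the Postman response in Edit 2.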
