11

I am using AWS API Gateway with a proxy Lambda, where the name of the lambda function comes from a stage variable. Meaning I have a single API integration which connects to the appropriate lambda according to the deployed stage. See the general idea here:

When I test one of my stages (called: "staging") everything works fine, but when testing the other stage ("production") I get the error "Execution failed due to configuration error: Invalid permissions on Lambda function".

Things I already tested and verified:
1. Both lambdas which should be invoked by the API work well and as expected when tested from the Lambda dashboard.
2. I've made sure (many times) that I've given permission to the API gateway to invoke my lambda function (i.e. executed "aws lambda add-permission..."). I've validated the policy afterwards many times (i.e. executed "aws lambda get-policy...").

Any idea what else I can check? What might I have forgotten here? Thanks.


5 Answers

10

I had the same interesting problem. When you create the API you might have accidentally entered the name of the lambda function before creating it. Then after creating the lambda, the name will be displayed properly but it will not be connected or granted permissions.

Try:

  1. delete the lambda you entered from API Gateway
  2. re-enter the desired lambda function from the dropdown.
  3. if AWS asks you to grant execution permission for the lambda - BINGO, it should be working now.

1 Comment

Thanks, it works. I made the gateway's API method first, then made the lambda functions. I suspect that was the problem.
7

Permissions to invoke the Lambda function are not automatically created when the Lambda function is specified in a stage variable. You need to do this manually:

aws lambda add-permission --function-name arn:aws:lambda:eu-west-1:111111111111:function:some-function:default --source-arn arn:aws:execute-api:eu-west-1:111111111111:xxxxxxxxxx/* --principal apigateway.amazonaws.com --statement-id 88b42004-f504-44d5-9adf-d027ee65a890 --action lambda:InvokeFunction

(You need to replace the region, your lambda function name and your account number, as well as the api-gateway ARN in this statement.)

3 Comments

Thanks for the reply Digitalkapitaen but as I stated in my original question - "I've made sure (many times) that I've given permission to the API gateway to invoke my lambda function (i.e. executed "aws lambda add-permission...")".
I am sure that you did this with a lot of care. However, your own answer to the question obviously shows that the permissions were not set correctly. I think flagging this answer as not useful is problematic, as setting the right permissions is the solution to the problem you stated in your question.
The problem was of course a permission issue related (this is clear from the question itself - "...Invalid permission...") but this specific answer is unfortunately not helpful. Manually setting the permission with this command simply doesn't work. I believed the answer was not helpful because I specifically stated that I used this command in my original question ("aws lambda add-permission") so basically the answer just repeats a part of the question. With that said maybe I was too hasty to do so and maybe the answer could be useful to somebody else in a different scenario.
1

Couldn't find the reason but found a workaround which solved the problem. Instead of using $stageVariables as the Lambda function name, I explicitly wrote the names of the Lambda functions I will be using one by one. This way AWS will give permission to the Lambda functions automatically (for each one you explicitly write). After that you can edit the integration back to using stage variables.


1 Comment

Was a known bug, but now it's apparently fixed: github.com/awslabs/aws-apigateway-importer/issues/9
0

I also encountered a similar issue. I was driving the entire infra through CFT. Despite adding "AWS::Lambda::Permission", the issue still persisted. Then, I added the property CredentialsArn in AWS::ApiGatewayV2::Integration. This is an explicit role which needs to be provided to Principal "Service: apigateway.amazonaws.com" for Action "lambda:InvokeFunction" on the needed Lambda resources. This helped me in establishing the connection. BTW: I was creating API Gateway WebSockets.


0

For me the issue was related to using an AutoPublishAlias of :live on my function. I had to create the integration and the permission using the alias. You can see this visually when you view Resource-based policy statements in the console. You may see one on the top-level function vs. the alias itself. Either way, here is my full example where :live is my alias. Focus on IntegrationUri and FunctionName.

WSIntegration:
  Type: AWS::ApiGatewayV2::Integration
  Properties:
    ApiId: !Ref WSApi
    IntegrationType: AWS_PROXY
    IntegrationUri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${RailsLambda.Arn}:live/invocations

WSPermission:
  Type: AWS::Lambda::Permission
  Properties:
    Action: lambda:InvokeFunction
    FunctionName: !Sub "${RailsLambda}:live"
    Principal: apigateway.amazonaws.com
    SourceArn: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${WSApi}/*

Note, the SourceArn demonstrates a better security model than you find on most AWS::Lambda::Permission examples. If you do ClickOps™ in the Console, this is how AWS does it too. Just limit to a specific API Gateway resource vs. all of them. Cheers y'all.
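As an added check that ties together the add-permission answer above and this answer's alias and SourceArn points (example code written for this page, not from any answerer or from AWS): parse the output of aws lambda get-policy and report which statements actually let a given API Gateway stage invoke the exact function ARN, qualifier included. The account id, region, API id and function name are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample in the shape `aws lambda get-policy` returns: the Policy
# field is itself a JSON-encoded string. Account id, region, API id and
# function name are placeholders, not values from the question.
SAMPLE_GET_POLICY = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [{
            # Grant on the bare function, limited to the "staging" stage of one API
            "Sid": "staging-invoke",
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:eu-west-1:111111111111:function:my-func",
            "Condition": {"ArnLike": {"AWS:SourceArn":
                "arn:aws:execute-api:eu-west-1:111111111111:abcdef1234/staging/*"}},
        }],
    }),
    "RevisionId": "constructed",
})


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def invoke_grants(get_policy_output, function_arn, source_arn):
    """Return the Sids of statements that let API Gateway invoke exactly
    `function_arn` (alias/version qualifier included) from `source_arn`.
    Only the ArnLike form of the SourceArn condition is evaluated."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    sids = []
    for st in _as_list(policy.get("Statement")):
        principal = st.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or "apigateway.amazonaws.com" not in services:
            continue
        if not any(fnmatch.fnmatchcase("lambda:InvokeFunction", a)
                   for a in _as_list(st.get("Action"))):
            continue
        # The qualifier is part of the resource ARN: a grant on the bare function
        # does not cover an integration that targets "<function>:live".
        if function_arn not in _as_list(st.get("Resource")):
            continue
        pattern = st.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
        # No SourceArn condition means any API Gateway in any account may invoke.
        if pattern is not None and not fnmatch.fnmatchcase(source_arn, pattern):
            continue
        sids.append(st.get("Sid", "<no sid>"))
    return sids
```

With the sample policy, a request from the staging stage matches, while the production stage and the :live alias of the same function get no grant, which is exactly the "Invalid permissions on Lambda function" situation described on this page.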
