13

I am relatively new to AWS and the beast. After working on API Gateway to Lambda proxy integration I am getting "Execution failed due to configuration error: Invalid permissions on Lambda function".

I followed the setup below, taken from the really well documented Terraform documentation, and it does exactly what I needed. But testing on the API Gateway console gives the above error.

resource "aws_lambda_permission" "apigw" {
    statement_id  = "AllowAPIGatewayInvoke"
    action        = "lambda:InvokeFunction"
    function_name = "${aws_lambda_function.resource_name.arn}"
    principal     = "apigateway.amazonaws.com"

    # The /*/* portion grants access from any method on any resource
    # within the API Gateway "REST API".
    source_arn = "${aws_api_gateway_deployment.resource_name_of_deployment.execution_arn}/*/*"
}

2 Answers

15

A few learnings from API Gateway Lambda proxy integration:

  • API Gateway is deployed in different stages, and the ARN for API Gateway in a stage vs. on the test console is somewhat different (at least that's what I got in the Terraform output).

Many documentation pages and fixes for the problem suggest explicitly configuring the detailed path as "arn:aws:execute-api:region_name:account_id:${aws_api_gateway_rest_api.api_resource.id}/*/*". The configured source with granted access permission is

 arn:aws:execute-api:region:accountid:fu349z93pa/*/*

From the Terraform documentation, for "${aws_api_gateway_deployment.deployment_rsc_name.execution_arn}"

The configured source with granted access permission is

arn:aws:execute-api:region:accountid:fu349z93pa/stage/*/*

If you test from the API Gateway console you would end up with the same error and have to manually add permission to the Lambda or reselect the Lambda function name on the method integration console (which does the same thing). That configures 2 API gateways to access Lambda (one with the /stage deployed ARN and the other /*/METHOD/*, used for the test console).

But if you test the API Gateway from the ARN of the stage environment in Postman, it works just fine without any manual updates to infrastructure built with Terraform. And in most cases that is the one that would matter.

  • Even after fixing the first error (manually or not), the second challenge is "Malformed response from lambda"

This one is fairly easy and well documented. AWS Doc

All we have to do is update lambda to respond with a specified format.

For e.g., add the below on the Lambda (`js`):

callback(null, { "statusCode": 200, "body": JSON.stringify(sampleResponseJSON) });

Once it is working end to end we could always add error handling scenarios.

Hopefully, this should save some time for beginners like me.


1 Comment

Thanks for the detailed response here. Simply changing the source_arn on the "aws_lambda_permission" as you suggest works.
5

So instead of using:

resource "aws_lambda_permission" "apigw" {
    ... ...
    source_arn = "${aws_api_gateway_deployment.resource_name_of_deployment.execution_arn}/*/*"
}

I use the replace method to remove the stage_name from the execution_arn:

resource "aws_lambda_permission" "apigw" {
    ... ...
    source_arn = "${replace(aws_api_gateway_deployment.resource_name_of_deployment.execution_arn, var.stage_name, "")}*/*"
}

And now everything works for me
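
The ARN matching that both answers describe, as an added example that is not part of the original posts: a simplified model of the ArnLike comparison applied to the permission's source_arn, showing why a stage-scoped grant rejects the console test call. Region, account ID, stage names and resource path are constructed; `test-invoke-stage` is the stage segment API Gateway uses for console test invocations, and `replace_grant` is a hypothetical helper mirroring the `replace()` expression above.

```python
import re

def _glob(pattern: str, value: str) -> bool:
    """Match one ARN component: '*' is any run of characters, '?' is one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def arn_like(pattern: str, arn: str) -> bool:
    """Simplified ArnLike: the six colon-delimited components are compared one by one."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(_glob(x, y) for x, y in zip(p, a))

def replace_grant(execution_arn: str, stage: str) -> str:
    """Mirror of replace(execution_arn, var.stage_name, "") + "*/*".
    Like Terraform's replace(), it removes every occurrence of the stage name."""
    return execution_arn.replace(stage, "") + "*/*"

# Constructed values; only the API id comes from the answer above.
API = "arn:aws:execute-api:us-east-1:123456789012:fu349z93pa"
STAGE = "dev"  # hypothetical stage name

GRANTS = {
    "stage-scoped": f"{API}/{STAGE}/*/*",             # deployment execution_arn + /*/*
    "api-wide": f"{API}/*/*",                         # rest api id + /*/*
    "replace()": replace_grant(f"{API}/{STAGE}", STAGE),
}
CALLERS = {
    "deployed stage": f"{API}/{STAGE}/GET/items",
    "console test": f"{API}/test-invoke-stage/GET/items",
}

def evaluate() -> dict:
    """Return {(grant, caller): allowed} for every combination."""
    return {(g, c): arn_like(gp, ca)
            for g, gp in GRANTS.items() for c, ca in CALLERS.items()}

if __name__ == "__main__":
    for (g, c), ok in evaluate().items():
        print(f"{g:13} {c:15} {'allow' if ok else 'deny'}")
    # Edge case: a stage name that also occurs elsewhere in the ARN gets
    # stripped there too, so the resulting grant no longer matches the API.
    print(replace_grant(f"{API}/east", "east"))
```

The API-wide pattern lets any stage and method of that one API invoke the function, so keep the API ID in the pattern rather than widening it further.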
