Learn how to provide API Gateway permission to invoke Lambda function(s).
You are watching: Execution failed due to configuration error: invalid permissions on lambda function
API Gateway endpoint can’t invoke Lambda with 5XX permission error.
When testing on API Gateway console, you see this error message:
Execution log for request d237e276-656e-11e9-aaff-51e803313fb3... truncatedDate : Sending request to https://lambda.function.urlDate : Execution failed due to configuration error: Invalid permissions on Lambda functionDate : Method completed with status: 500
Expected BehaviorPublished API on API Gateway is able to invoke AWS Lambda functions successfully.
Why didn’t it work? The reason is we have to explicitly specify the ARN of an IAM role for API Gateway to assume when invoking a Lambda function. If none is specified, resource-based permissions are needed.
Quoting AWS x-amazon-apigateway-integration Object document:
For AWS IAM role-based credentials, specify the ARN of an appropriate IAM role. If unspecified, credentials will default to resource-based permissions that must be added manually to allow the API to access the resource. For more information, see Granting Permissions Using a Resource Policy.
1. AWS Console
You can add a resource based policy for your API Gateway to invoke your Lambda function on AWS API Gateway console.
These are the steps to add a resource based policy. On API Gateway console, select your API then resources on left panel. Your API configuration menu will be displayed on the right like the image below.
Afterwards, choose the method you want to add a policy to. Select Integration Request item and the following menu will appear. Notice that there is a Lambda Function item in the middle, click the pencil icon on its right end to edit.
After the pencil icon is clicked, it will become an editable field. Once you click the check mark to the right of the field, there will be a popup with title ‘Add Permission to Lambda Function’ saying that ‘You are about to give API Gateway permission to invoke your Lambda function: Function-ARN’.
Once you click OK on the popup, a resource based policy will be added to Lambda function.Issues
Note that a resource based policy will be added each time you do the above steps even though it is the same policy.
Adding permission for API Gateway to invoke Lambda functions manually by clicking doesn’t scale well when we have more API endpoints. To minimize operational overhead, I recommend the following 2 methods.
2. Resource-based Policy
On the other hand, you can declare a permission entity in your yaml file. By adding a resource-based policy in your yaml file, a resource-based policy will be attached to your lambda function(s). The following is the AWS::Lambda::Permission entity that you need to add to your yaml file. Read more about Lambda Permission on AWS document.
Note that if you use resource-based policy, you will have to attach at least one per lambda function. There is still a chance that your policy size reaches 20KB limit.
YourLambdaFunctionName: Type: AWS::Serverless::Function Properties: ... YourAPIName: Type: AWS::Serverless::Api Properties: ...ApiGatewayInvokeLambdaPermission: Type: "AWS::Lambda::Permission" Properties: Action: lambda:InvokeFunction FunctionName: !GetAtt - YourLambdaFunctionName - Arn Principal: apigateway.amazonaws.com SourceArn: !Join < "", < "arn:aws:execute-api:", "Ref": "AWS::Region", ":", "Ref": "AWS::AccountId", ":", !Ref YourAPIName, "/*/*/*" > >
You can use AWS Lambda CLI get-policy to check if the policy is attached successfully.
3. IAM Role
Another way is to create an IAM role that allows lambda:InvokeFunction action and trust API Gateway service apigateway.amazonaws.com.AWS IAM Console
Go to AWS IAM console and click Create Role. Afterwards, choose AWS service and Lambda.
Attach permissions policies that you need. Filter for AWS managed policy: AWSLambdaRole that allows lambda:InvokeFunction for all resources or specified Lambda functions. You can also attach other policies that you need such as CloudWatchLogsFullAccess in my case.
Tag your AWS IAM role for management purpose and click next to review. Give your role a name such as ApiGatewayInvokeLambdaRole and review the role that you are about to create. Edit Trust Relationships so that this role trusts apigateway.amazonaws.com.
These are all the steps needed to create a role on AWS console.AWS IAM CLI
You can use AWS IAM create-role and attach-role-policy command.Create role using the following trust relationship object.
aws iam create-role--role-name ApiGatewayInvokeLambdaRole--assume-role-policy-document ./trust-api-gateway.json
Then, attach AWSLambdaRole role policy.aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaRole--role-name ApiGatewayInvokeLambdaRoleIf you want to use CloudWatch for your API Gateway log, you can attach CloudWatchLogsFullAccess role policy too.
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/CloudWatchLogsFullAccess--role-name ApiGatewayInvokeLambdaRoleAssign Role in YAML / JSONAfter creating a role using AWS console or CLI, assign the ARN of your role to the credential item in the x-amazon-apigateway-integration definition of your API yaml file. The ARN of your role looks like this: "arn:aws:iam::ACC_NUM:role/IAM_ROLE_NAME".
MyApi: Type: AWS::Serverless::Api Properties: StageName: Prod DefinitionBody: swagger: "2.0" basePath: "/Prod" schemes: - "https" paths: /myMethod: post: produces: - "application/json" responses: x-amazon-apigateway-integration: uri: # api-gateway-arn using Fn::Join responses: httpMethod: "POST" credentials: "arn:aws:iam::ACC_NUM:role/ApiGatewayInvokeLambdaRole" type: "aws_proxy"
SummaryI suggest using a resource-based policy or an IAM role to minimize operational overhead.
Thank you for reading!
Support Jun on Amazon US
Support Jun on Amazon Canada
If you are preparing for Software Engineer interviews, I suggest Elements of Programming Interviews in Java for algorithm practice. Good luck!
You can also support me by following me on Medium or Twitter.
See more: Car Parked Next To Lake Erie Into Ice Sculpture, Man Parks His Car Near Lake Erie, The Car Freezes
Feel free to contact me if you have any questions.