By using AWS re:Post, you agree to the AWS re:Post Terms of Use

How do I troubleshoot permissions errors from API Gateway HTTP APIs with a Lambda integration or Lambda authorizer?

4 minute read
0

When I try to invoke my AWS Lambda function with an API Gateway HTTP API, I get an "Internal Server Error" message. In my Amazon CloudWatch Logs, I see either a "doesn't have permissions to call the integration" or "doesn't have permissions to call the authorizer" error.

Short description

If an API Gateway HTTP API tries to invoke a Lambda function without Lambda invoke permission, then API Gateway returns an "Internal Server Error" message. If you activated CloudWatch logging for your HTTP API, then API Gateway also logs one of the following error messages in your access logs:

  • For HTTP APIs with a Lambda integration: "integrationError": "The IAM role configured on the integration or API Gateway doesn't have permissions to call the integration. Check the permissions and try again."
  • For HTTP APIs with a Lambda authorizer: "authorizerError": "The IAM role configured on the authorizer or API Gateway doesn't have permissions to call the authorizer. Check the permissions and try again."

To resolve these errors, take one of the following actions:

Use the API Gateway console or AWS Command Line Interface (AWS CLI) to add a resource-based Lambda invoke permission to your HTTP API.

-or-

Configure an AWS Identity and Access Management (IAM) execution role that grants your HTTP API permission to invoke your function. For more information, see API Gateway permissions model for invoking an API.

For more information on troubleshooting errors when using Lambda integrations with HTTP APIs, see Troubleshooting issues with HTTP API Lambda integrations.

Resolution

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent AWS CLI version.

Use the API Gateway console to add Lambda invoke permission to an HTTP API with a Lambda integration

  1. Open the API Gateway console.
  2. On the APIs pane, choose the name of your HTTP API.
  3. In the left navigation pane, choose Integrations.
  4. Choose Manage integration.
  5. Find the name of your Lambda integration, and then choose the Edit button next to the name of your Lambda integration.
  6. For Invoke permissions, choose Grant API Gateway permission to invoke your Lambda function.
    Or, provide the IAM role ARN that API Gateway can use to invoke the Lambda function.
  7. Choose Save, and then choose Deploy the API to add the Lambda invoke permission to your API.

Use AWS CLI to add Lambda invoke permission to an HTTP API with a Lambda integration

Run the following add-permission AWS CLI command:

aws lambda add-permission \
--function-name "$YOUR_FUNCTION_ARN" \
--source-arn "arn:aws:execute-api:$API_GW_REGION:$YOUR_ACCOUNT:$API_GW_ID/*/$METHOD/$RESOURCE" \
--principal apigateway.amazonaws.com \
--statement-id $STATEMENT_ID \
--action lambda:InvokeFunction

Note: Replace the function-name value with your Lambda function's ARN. Replace the source-arn value with the source ARN of your API. Replace the statement-id value with a statement identifier that differentiates the statement from others in the same policy.

Use the API Gateway console to add Lambda invoke permission to an HTTP API with a Lambda authorizer

  1. Open the API Gateway console.
  2. On the APIs pane, choose the name of your HTTP API.
  3. In the left navigation pane, choose Authorization.
  4. Choose Manage authorization.
  5. Find the name of your Lambda authorizer, and then choose the Edit button next to the name of your Lambda authorizer.
  6. For Invoke permissions, choose Automatically grant API Gateway permission to invoke your Lambda function.
    Or, provide the IAM role ARN that API Gateway can use to invoke the Lambda function.
  7. Choose Save, and then choose Deploy the API to add the Lambda invoke permission to your API.

Use AWS CLI to add Lambda invoke permission to an HTTP API with a Lambda authorizer

Run the following add-permission AWS CLI command:

aws lambda add-permission \
--function-name "$YOUR_FUNCTION_ARN" \
--source-arn "arn:aws:execute-api:$API_GW_REGION:$YOUR_ACCOUNT:$API_GW_ID/authorizers/$AUTHORIZER_ID" \
--principal apigateway.amazonaws.com \
--statement-id $STATEMENT_ID \
--action lambda:InvokeFunction

Note: Replace the function-name value with your Lambda function's ARN. Replace the source-arn value with the source ARN of your API. Replace the statement-id value with a statement identifier that differentiates the statement from others in the same policy.


AWS OFFICIAL
AWS OFFICIALUpdated 2 years ago