I want to resolve the "Invalid permissions on Lambda function" error when I invoke my AWS Lambda function from an Amazon API Gateway REST API.
Short description
When your API Gateway REST API invokes your Lambda function without permission, you receive the "Invalid permissions on Lambda function" error.
If you set up CloudWatch logging for your REST API, then API Gateway also logs the following error message for REST APIs with a Lambda integration:
"Sending request to https://lambda.region.amazonaws.com/2015-03-31/functions/arn:aws:lambda:region:############:function:example-function/invocations
Execution failed due to configuration error: Invalid permissions on Lambda function
Method completed with status: 500".
For REST APIs with a Lambda authorizer, you receive the following error message:
"Sending request to https://lambda.region.amazonaws.com/2015-03-31/functions/arn:aws:lambda:region:############:function:example-function/invocations
Execution failed due to configuration error: Invalid permissions on Lambda function
Execution failed due to configuration error: Authorizer error".
To resolve this issue, you must add the Lambda Invoke permission to your REST API.
Note: If you receive a "401 Unauthorized" error, then see Why do I get API Gateway "401 Unauthorized" errors after I create a Lambda authorizer?
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Add a Lambda Invoke permission to a REST API with a Lambda integration
You can use the API Gateway console, an AWS CloudFormation template, or the AWS CLI to add the Invoke permission.
Note: You can also get the "Execution failed due to configuration error: Invalid permissions on Lambda function Method completed with status: 500" error message in the following scenarios:
- You try to invoke the API Gateway from the API Gateway test console.
- You invoke the API Gateway from a stage that's different from the stage that you named in the invocation URL.
To prevent this issue, use a wildcard (*) for the stage name in your CloudFormation template and AWS CLI command.
Use the API Gateway console
Complete the following steps:
- Open the API Gateway console.
- In the navigation pane, choose APIs, and then select your REST API.
- Choose Resources, and then select the HTTP method.
- Choose Method execution, and then choose Integration request.
- For Integration type, choose Lambda function.
- Expand the Lambda Region dropdown list, and then choose the AWS Region that your Lambda function is in.
- Choose the Lambda function dropdown list, and then select your Lambda function.
- Choose Save.
- Choose Deploy the API.
Use a CloudFormation template
Add the following code snippet to your CloudFormation template:
SampleApiPermission:
  Type: AWS::Lambda::Permission
  Properties:
    Action: "lambda:InvokeFunction"
    FunctionName: !Ref ExampleLambdaFunction
    Principal: "apigateway.amazonaws.com"
    SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:example-api-id/*/example-method/example-resource"
Note: Replace FunctionName with the name of your Lambda function, SourceArn with your API Amazon Resource Name (ARN), and example-api-id with your API ID.
For more information, see CloudFormation template snippets.
Use the AWS CLI
Run the following add-permission command:
aws lambda add-permission \
  --function-name "FUNCTION_NAME" \
  --source-arn "arn:aws:execute-api:API_GW_REGION:YOUR_ACCOUNT:API_GW_ID/*/METHOD/RESOURCE" \
  --principal apigateway.amazonaws.com \
  --statement-id STATEMENT_ID \
  --action lambda:InvokeFunction
Note: Replace FUNCTION_NAME with the name of your Lambda function, the example source ARN with your API ARN, and STATEMENT_ID with a statement identifier that uniquely identifies the statement.
To provide permission only for a specific stage, replace the --source-arn value in the command with a stage-specific ARN:
--source-arn "arn:aws:execute-api:API_GW_REGION:YOUR_ACCOUNT:API_GW_ID/STAGE_NAME/METHOD/RESOURCE"
Note: Replace the example source ARN with your API ARN and STAGE_NAME with your stage name.
Add a Lambda invoke permission to a REST API with a Lambda authorizer
You can use the API Gateway console, a CloudFormation template, or an AWS CLI command to add the Invoke permission.
Use the API Gateway console
Complete the following steps:
- Create an IAM role for API Gateway, and then create a policy that allows the lambda:InvokeFunction action.
Note: Record the IAM role ARN to use in a later step. For an example policy, see API Gateway permissions model for invoking an API.
- Open the API Gateway console.
- In the navigation pane, choose APIs, and then select your REST API.
- Choose Authorizers, and then select the Lambda authorizer.
- Choose Edit.
- For Lambda Invoke Role, enter the IAM role ARN.
- Choose Save.
- Choose Deploy the API.
Use a CloudFormation template
Add the following code snippet to your CloudFormation template:
SampleApiAuthPermission:
  Type: AWS::Lambda::Permission
  Properties:
    Action: "lambda:InvokeFunction"
    FunctionName: !Ref ExampleLambdaFunction
    Principal: "apigateway.amazonaws.com"
    SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:example-api-id/authorizers/example-auth-id"
Note: Replace FunctionName with the name of your Lambda function, example-api-id with your API ID, and example-auth-id with your Lambda authorizer ID.
Use the AWS CLI
Run the following add-permission command:
aws lambda add-permission \
  --function-name "FUNCTION_NAME" \
  --source-arn "arn:aws:execute-api:API_GW_REGION:YOUR_ACCOUNT:API_GW_ID/authorizers/AUTHORIZER_ID" \
  --principal apigateway.amazonaws.com \
  --statement-id STATEMENT_ID \
  --action lambda:InvokeFunction
Note: Replace FUNCTION_NAME with the name of your Lambda function, the example source ARN with your API ARN, and STATEMENT_ID with a statement identifier that uniquely identifies the statement.
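The following added example (not AWS code) checks offline whether a Lambda resource-based policy, as returned by the aws lambda get-policy command, lets API Gateway invoke the function from a given integration source ARN or authorizer source ARN, which is the condition behind both error messages above. The account, API ID and authorizer ID in the sample policy are constructed placeholders, and the wildcard matching approximates IAM's ArnLike condition with fnmatch.

```python
import fnmatch
import json

# Constructed sample in the shape of the "Policy" field returned by `aws lambda get-policy`;
# the account, API ID and authorizer ID are made-up placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17", "Id": "default",
    "Statement": [
        {"Sid": "apigw-prod-only", "Effect": "Allow",  # pinned to the prod stage only
         "Principal": {"Service": "apigateway.amazonaws.com"}, "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example-function",
         "Condition": {"ArnLike": {"AWS:SourceArn":
                       "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/GET/items"}}},
        {"Sid": "apigw-authorizer", "Effect": "Allow",  # authorizer grants use /authorizers/<id>
         "Principal": {"Service": "apigateway.amazonaws.com"}, "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example-authorizer",
         "Condition": {"ArnLike": {"AWS:SourceArn":
                       "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/authorizers/abc123"}}},
    ],
})

def execute_api_source_arn(region, account, api_id, stage="*", method="*", resource="*"):
    """Build the execute-api ARN that API Gateway presents as AWS:SourceArn; "*" for stage
    covers every stage, including the one the API Gateway test console invokes from."""
    return f"arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/{method}/{resource}"

def allowing_statements(policy_json, source_arn):
    """Return Sids of Allow statements letting apigateway.amazonaws.com invoke from source_arn.
    An empty list means API Gateway will report "Invalid permissions on Lambda function"."""
    sids = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = [raw] if isinstance(raw := stmt.get("Action", []), str) else raw
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else principal
        services = [services] if isinstance(services, str) else services
        pattern = stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions):
            continue
        if not any(s in ("apigateway.amazonaws.com", "*") for s in services):
            continue
        # No SourceArn condition means any API in any account may invoke: allowed, but over-broad.
        # fnmatch's "*" behaves like IAM ArnLike closely enough for execute-api resource paths.
        if pattern is None or fnmatch.fnmatchcase(source_arn, pattern):
            sids.append(stmt.get("Sid", "<no-sid>"))
    return sids
```

Feed the function the real policy from aws lambda get-policy --function-name FUNCTION_NAME --query Policy --output text and the source ARN from the CloudWatch log line to see which statement, if any, covers the failing stage.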
Related information
Viewing resource-based IAM policies in Lambda
How do I set up access logging for API Gateway?