How do I resolve "Invalid permissions on Lambda function" errors from API Gateway REST APIs?

When I invoke my AWS Lambda function from an Amazon API Gateway REST API, I get an "Invalid permissions on Lambda function" error.

Short description

If your API Gateway REST API invokes your Lambda function without Lambda invoke permission, then API Gateway returns the error "Invalid permissions on Lambda function".

If you set up CloudWatch logging for your REST API, then API Gateway also logs one of the following error messages:

  • CloudWatch error message example for REST APIs with a Lambda integration:
    "Sending request to https://lambda.region.amazonaws.com/2015-03-31/functions/arn:aws:lambda:region:############:function:example-function/invocations
    Execution failed due to configuration error: Invalid permissions on Lambda function
    Method completed with status: 500"
  • CloudWatch error message example for REST APIs with a Lambda authorizer:
    "Sending request to https://lambda.region.amazonaws.com/2015-03-31/functions/arn:aws:lambda:region:############:function:example-function/invocations
    Execution failed due to configuration error: Invalid permissions on Lambda function
    Execution failed due to configuration error: Authorizer error"

Resolution

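To resolve these errors, use one of the following methods for your Lambda integration or Lambda authorizer: the API Gateway console, a CloudFormation template, or the AWS CLI.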

For more information, see API Gateway permissions model for invoking an API.

Note: If you receive a 401 Unauthorized error, then follow the instructions in Why do I get API Gateway "401 Unauthorized" errors after I create a Lambda authorizer?

Resolve Lambda integration errors

Add Lambda invoke permission to a REST API with a Lambda integration through the API Gateway console

Complete the following steps:

  1. Open the API Gateway console.
  2. On the APIs pane, choose the name of your REST API.
  3. On the Resources pane, choose the configured HTTP method.
  4. On the Method Execution pane, choose Integration Request.
  5. For Integration type, choose Lambda Function.
  6. Expand the Lambda Region dropdown list. Then, choose the AWS Region that your Lambda function is in.
  7. Choose the Lambda Function dropdown list. Then, choose the name of your Lambda function.
  8. Choose Save. Then, choose Deploy the API to add the Lambda invoke permission to your API.

Add Lambda invoke permission to a REST API with a Lambda integration through a CloudFormation template

Add the following code snippet to your CloudFormation template:

SampleApiPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: "lambda:InvokeFunction"
      FunctionName: !Ref ExampleLambdaFunction
      Principal: "apigateway.amazonaws.com"
      SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:example-api-id/*/example-method/example-resource"

Note: Replace the following in the preceding template:

  • The FunctionName value with the name of your Lambda function
  • The SourceArn value with the source Amazon Resource Name (ARN) of your API
  • Within the SourceArn value, example-api-id with your apiID

For more information on how to declare various CloudFormation template parts, see Template snippets.

Add Lambda invoke permission to a REST API with a Lambda integration through the AWS CLI

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Run the following add-permission AWS CLI command:

aws lambda add-permission \
  --function-name "$FUNCTION_NAME" \
  --source-arn "arn:aws:execute-api:$API_GW_REGION:$YOUR_ACCOUNT:$API_GW_ID/*/$METHOD/$RESOURCE" \
  --principal apigateway.amazonaws.com \
  --statement-id "$STATEMENT_ID" \
  --action lambda:InvokeFunction

Note: Replace the following in the preceding command:

  • The function-name value with the name of your Lambda function
  • The source-arn value with the source ARN of your API
  • The statement-id value with a statement identifier that uniquely identifies the statement

Resolve Lambda authorizer errors

Add Lambda invoke permission to a REST API with a Lambda authorizer through the API Gateway console

Complete the following steps:

  1. Create an IAM role for API Gateway that allows the lambda:InvokeFunction action. Then, copy the IAM role ARN to your clipboard.
  2. Open the API Gateway console.
  3. On the APIs pane, choose the name of your REST API.
  4. On the Authorizers pane, choose the configured Lambda authorizer. Then, choose Edit.
  5. For Lambda Invoke Role, enter the IAM role ARN that you copied to your clipboard.
  6. Choose Save. Then, choose Deploy the API.

Add Lambda invoke permission to a REST API with a Lambda authorizer through a CloudFormation template

Add the following code snippet to your CloudFormation template:

SampleApiAuthPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: "lambda:InvokeFunction"
      FunctionName: !Ref ExampleLambdaFunction
      Principal: "apigateway.amazonaws.com"
      SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:example-api-id/authorizers/example-auth-id"

Note: Replace the following in the preceding template:

  • The FunctionName value with the name of your Lambda function
  • Within the SourceArn value, example-api-id with your apiID
  • Within the SourceArn value, example-auth-id with your Lambda authorizer's authorizerId

Add Lambda invoke permission to a REST API with a Lambda authorizer through the AWS CLI

Run the following add-permission AWS CLI command:

aws lambda add-permission \
  --function-name "$FUNCTION_NAME" \
  --source-arn "arn:aws:execute-api:$API_GW_REGION:$YOUR_ACCOUNT:$API_GW_ID/authorizers/$AUTHORIZER_ID" \
  --principal apigateway.amazonaws.com \
  --statement-id "$STATEMENT_ID" \
  --action lambda:InvokeFunction

Note: Replace the following in the preceding command:

  • The function-name value with the name of your Lambda function
  • The source-arn value with the source ARN of your API
  • The statement-id value with a statement identifier that uniquely identifies the statement
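
A diagnostic sketch added here (not AWS code) for both the Lambda integration and Lambda authorizer sections above: it reads the JSON that aws lambda get-policy prints and reports whether a given execute-api source ARN is covered by a lambda:InvokeFunction statement for apigateway.amazonaws.com. The account ID, API ID, authorizer ID and Sid are constructed sample values, and the ArnLike matching is a simplified approximation of IAM's.

```python
import json
import re

PRINCIPAL = "apigateway.amazonaws.com"

def arn_like(pattern, arn):
    """Approximate IAM ArnLike: match the six colon-delimited parts, * and ? as wildcards."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(
        re.fullmatch(re.escape(p).replace(r"\*", ".*").replace(r"\?", "."), a, re.DOTALL)
        for p, a in zip(p_parts, a_parts)
    )

def check_invoke_permission(get_policy_output, source_arn):
    """Return (allowed, findings) for one execute-api source ARN."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    allowed, findings = False, []
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = st.get("Principal")
        service = principal.get("Service") if isinstance(principal, dict) else None
        if (st.get("Effect") != "Allow" or service != PRINCIPAL
                or "lambda:InvokeFunction" not in actions):
            continue
        # Assumption: only ArnLike on AWS:SourceArn is evaluated (what --source-arn generates).
        arn_like_block = st.get("Condition", {}).get("ArnLike", {})
        pattern = next((v for k, v in arn_like_block.items() if k.lower() == "aws:sourcearn"), None)
        if pattern is None:
            allowed = True
            findings.append(f"{st.get('Sid')}: no AWS:SourceArn condition, not scoped to one API")
        elif arn_like(pattern, source_arn):
            allowed = True
        else:
            findings.append(f"{st.get('Sid')}: {pattern} does not cover {source_arn}")
    return allowed, findings

# Constructed sample: a policy holding only the statement from the Lambda integration command.
BASE = "arn:aws:execute-api:us-east-1:123456789012:abc123"
METHOD_ARN = BASE + "/prod/GET/items"
AUTHORIZER_ARN = BASE + "/authorizers/auth789"
SAMPLE_GET_POLICY_OUTPUT = json.dumps({"Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "apigw-integration", "Effect": "Allow", "Principal": {"Service": PRINCIPAL},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example-function",
    "Condition": {"ArnLike": {"AWS:SourceArn": BASE + "/*/GET/items"}}}]})})
```

With the sample policy, the method ARN is allowed but the authorizer ARN is not, which is why the authorizer needs its own statement. A statement reported without an AWS:SourceArn condition is not restricted to a single API and is worth tightening.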

Related information

Working with resource-based IAM policies in Lambda

How do I set up access logging for API Gateway?