When I invoke my AWS Lambda function from an Amazon API Gateway REST API, I get an "Invalid permissions on Lambda function" error.
Short description
If your API Gateway REST API invokes your Lambda function without Lambda invoke permission, then API Gateway returns the error "Invalid permissions on Lambda function".
If you set up CloudWatch logging for your REST API, then API Gateway also logs one of the following error messages:
- CloudWatch error message example for REST APIs with a Lambda integration:
"Sending request to https://lambda.region.amazonaws.com/2015-03-31/functions/arn:aws:lambda:region:############:function:example-function/invocations
Execution failed due to configuration error: Invalid permissions on Lambda function
Method completed with status: 500"
- CloudWatch error message example for REST APIs with a Lambda authorizer:
"Sending request to https://lambda.region.amazonaws.com/2015-03-31/functions/arn:aws:lambda:region:############:function:example-function/invocations
Execution failed due to configuration error: Invalid permissions on Lambda function
Execution failed due to configuration error: Authorizer error"
Resolution
To resolve these errors, do one of the following:
For more information, see API Gateway permissions model for invoking an API.
Note: If you receive a 401 Unauthorized error, then follow the instructions in Why do I get API Gateway "401 Unauthorized" errors after I create a Lambda authorizer?
Resolve Lambda integration errors
Add Lambda invoke permission to a REST API with a Lambda integration through the API Gateway console
Complete the following steps:
- Open the API Gateway console.
- On the APIs pane, choose the name of your REST API.
- On the Resources pane, choose the configured HTTP method.
- On the Method Execution pane, choose Integration Request.
- For Integration type, choose Lambda Function.
- Expand the Lambda Region dropdown list. Then, choose the AWS Region that your Lambda function is in.
- Choose the Lambda Function dropdown list. Then, choose the name of your Lambda function.
- Choose Save. Then, choose Deploy the API to add the Lambda invoke permission to your API.
Add Lambda invoke permission to a REST API with a Lambda integration through a CloudFormation template
Add the following code snippet to your CloudFormation template:
SampleApiPermission:
  Type: AWS::Lambda::Permission
  Properties:
    Action: "lambda:InvokeFunction"
    FunctionName: !Ref ExampleLambdaFunction
    Principal: "apigateway.amazonaws.com"
    SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:example-api-id/*/example-method/example-resource"
Note: Replace the following in the preceding template:
- The FunctionName value with the name of your Lambda function
- The SourceArn value with the source Amazon Resource Name (ARN) of your API
- Within the SourceArn value, example-api-id with your apiID
For more information on how to declare various CloudFormation template parts, see Template snippets.
Add Lambda invoke permission to a REST API with a Lambda integration through the AWS CLI
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Run the following add-permission AWS CLI command:
aws lambda add-permission \
    --function-name "$FUNCTION_NAME" \
    --source-arn "arn:aws:execute-api:$API_GW_REGION:$YOUR_ACCOUNT:$API_GW_ID/*/$METHOD/$RESOURCE" \
    --principal apigateway.amazonaws.com \
    --statement-id "$STATEMENT_ID" \
    --action lambda:InvokeFunction
Note: Replace the following in the preceding command:
- The function-name value with the name of your Lambda function
- The source-arn value with the source ARN of your API
- The statement-id value with a statement identifier that uniquely identifies the statement
Resolve Lambda authorizer errors
Add Lambda invoke permission to a REST API with a Lambda authorizer through the API Gateway console
Complete the following steps:
- Create an IAM role for API Gateway that allows the lambda:InvokeFunction action. Then, copy the IAM role ARN to your clipboard.
- Open the API Gateway console.
- On the APIs pane, choose the name of your REST API.
- On the Authorizers pane, choose the configured Lambda authorizer. Then, choose Edit.
- For Lambda Invoke Role, enter the IAM role ARN that you copied to your clipboard.
- Choose Save. Then, choose Deploy the API.
Add Lambda invoke permission to a REST API with a Lambda authorizer through a CloudFormation template
Add the following code snippet to your CloudFormation template:
SampleApiAuthPermission:
  Type: AWS::Lambda::Permission
  Properties:
    Action: "lambda:InvokeFunction"
    FunctionName: !Ref ExampleLambdaFunction
    Principal: "apigateway.amazonaws.com"
    SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:example-api-id/authorizers/example-auth-id"
Note: Replace the following in the preceding template:
- The FunctionName value with the name of your Lambda function
- Within the SourceArn value, example-api-id with your apiID
- Within the SourceArn value, example-auth-id with your Lambda authorizer's authorizerId
Add Lambda invoke permission to a REST API with a Lambda authorizer through the AWS CLI
Run the following add-permission AWS CLI command:
aws lambda add-permission \
    --function-name "$FUNCTION_NAME" \
    --source-arn "arn:aws:execute-api:$API_GW_REGION:$YOUR_ACCOUNT:$API_GW_ID/authorizers/$AUTHORIZER_ID" \
    --principal apigateway.amazonaws.com \
    --statement-id "$STATEMENT_ID" \
    --action lambda:InvokeFunction
Note: Replace the following in the preceding command:
- The function-name value with the name of your Lambda function
- The source-arn value with the source ARN of your API
- The statement-id value with a statement identifier that uniquely identifies the statement
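To confirm that the permission from the Lambda integration or Lambda authorizer sections above is in place, the following added example (not part of the original article) checks the output of `aws lambda get-policy` for a statement whose AWS:SourceArn pattern covers a given method or authorizer ARN, and separately reports statements that carry no SourceArn scoping. The sample policy, account ID, API ID, authorizer ID and function names are constructed, and the matching is a simplified approximation of the ArnLike operator.

```python
import json
import re

# Constructed sample in the shape `aws lambda get-policy` returns ("Policy" is a JSON string).
_SOURCE_ARNS = {
    "apigw-integration": "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/*/GET/pets",
    "apigw-authorizer": "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/authorizers/abc123",
}
SAMPLE_GET_POLICY_OUTPUT = json.dumps({"Policy": json.dumps({
    "Statement": [{
        "Sid": sid, "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-function",
        "Condition": {"ArnLike": {"AWS:SourceArn": arn}},
    } for sid, arn in _SOURCE_ARNS.items()],
})})

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def arn_like(pattern, arn):
    """Simplified ArnLike: compare the six colon-delimited parts; * and ? are wildcards."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(re.fullmatch(re.escape(p).replace(r"\*", ".*").replace(r"\?", "."), a)
               for p, a in zip(p_parts, a_parts))

def check_invoke_permission(get_policy_output, source_arn):
    """Return (verdict, Sid): 'allowed', 'allowed-unscoped' or 'missing'."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    result = ("missing", None)  # the state that produces "Invalid permissions on Lambda function"
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "apigateway.amazonaws.com" not in services:
            continue
        if "lambda:InvokeFunction" not in _as_list(stmt.get("Action")):
            continue
        patterns = [p for op, cond in stmt.get("Condition", {}).items()
                    if op in ("ArnLike", "ArnEquals")
                    for key, val in cond.items() if key.lower() == "aws:sourcearn"
                    for p in _as_list(val)]
        if not patterns:  # no SourceArn scoping: any API Gateway API may invoke the function
            result = ("allowed-unscoped", stmt.get("Sid"))
        elif any(arn_like(p, source_arn) for p in patterns):
            return ("allowed", stmt.get("Sid"))
    return result
```

Pass the raw JSON text printed by `aws lambda get-policy --function-name "$FUNCTION_NAME"` as the first argument. A `missing` verdict for the ARN shown in the CloudWatch log means that the add-permission step has not been applied for that method or authorizer.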
Related information
Working with resource-based IAM policies in Lambda
How do I set up access logging for API Gateway?