I attached an AWS Lambda authorizer to my Amazon API Gateway API. I want to troubleshoot Lambda authorizer errors that I receive for API Gateway invocation requests.
Resolution
Verify that your invocation requests reach the Lambda function
Use Amazon CloudWatch to review your Invocations metric. If the metric shows a value, then your invocation requests reach the Lambda function.
If the Invocations metric doesn't show invocations, then check the Throttles metric for throttled invocation requests. To troubleshoot Lambda throttling, see How do I troubleshoot Lambda function "Rate exceeded" and "TooManyRequestsException" throttling errors?
Review the API Gateway execution logs to identify your error
To identify Lambda authorizer errors, turn on CloudWatch API logging and review the logs. Then, troubleshoot the issue based on the error message that you received.
Resolve the "Invalid permissions on Lambda function" error
If you receive the following error message, then the API Gateway API doesn't have permission to invoke the Lambda function:
"Execution failed due to configuration error: Invalid permissions on Lambda function"
When you create the Lambda authorizer on the API Gateway console, API Gateway automatically adds the necessary permissions to your Lambda function's resource-based policy. If you configure the Lambda authorizer with Infrastructure as Code (IaC) tools, such as AWS CloudFormation or AWS Cloud Development Kit (AWS CDK), then you must manually add the permissions.
Add the following permissions to your Lambda function's resource-based policy:
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "xyz",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:your-region:accountID:function:function-name",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:your-region:accountID:API_ID/authorizers/AuthorizerID"
        }
      }
    }
  ]
}
Note: Replace your-region with your AWS Region, accountID with your AWS account ID, and function-name with your Lambda function name. Also, replace API_ID with your API Gateway API ID and AuthorizerID with your Lambda authorizer ID.
To configure a cross-account Lambda authorizer, see Configure a cross-account API Gateway Lambda authorizer.
Resolve the "Unable to parse given policy" configuration error
If you receive the following error message, then there's an issue with your authorizer Lambda function:
"Execution failed due to configuration error: Unable to parse given policy"
To resolve this issue, complete the following steps:
- Open the Lambda console.
- In the navigation pane, choose Functions, and then select your authorization Lambda function.
- Review your function's Code source. Make sure that your code is correct.
Note: For valid examples, see Example REQUEST authorizer Lambda function and Example TOKEN authorizer Lambda function.
- To make sure that your Lambda function works correctly, test the function.
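To test the function locally before you deploy it, you can check its return value against the output shape that the REST API authorizer examples use. The following is an added example, not code from the original article or from AWS. The names build_policy and find_policy_problems, the demo token, and the sample ARN are assumptions made for illustration.

```python
# Constructed sample TOKEN event; the token and ARN values are placeholders.
SAMPLE_EVENT = {
    "type": "TOKEN",
    "authorizationToken": "demo-allow-token",
    "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef1234/prod/GET/items",
}

def build_policy(principal_id, effect, resource, context=None):
    """Build the authorizer output: principalId, policyDocument, optional context."""
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
    response = {"principalId": principal_id,
                "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}
    if context is not None:
        response["context"] = context
    return response

def lambda_handler(event, context):
    # Demo comparison only (assumption); a real authorizer verifies a signed token.
    allowed = event.get("authorizationToken") == "demo-allow-token"
    return build_policy("demo-user", "Allow" if allowed else "Deny",
                        event["methodArn"], {"tier": "demo"})

def find_policy_problems(response):
    """Return a list of shape problems in an authorizer response (empty means OK)."""
    if not isinstance(response, dict):
        return ["response is not a JSON object"]
    problems = []
    if not isinstance(response.get("principalId"), str):
        problems.append("principalId is missing or not a string")
    doc = response.get("policyDocument")
    statements = doc.get("Statement") if isinstance(doc, dict) else None
    if not isinstance(statements, list) or not statements:
        problems.append("policyDocument.Statement must be a non-empty list")
        statements = []
    for i, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            problems.append(f"Statement[{i}] is not an object")
            continue
        if stmt.get("Effect") not in ("Allow", "Deny"):  # values are case-sensitive
            problems.append(f"Statement[{i}].Effect must be Allow or Deny")
        problems += [f"Statement[{i}].{k} is missing"
                     for k in ("Action", "Resource") if not stmt.get(k)]
    ctx = response.get("context") if isinstance(response.get("context"), dict) else {}
    problems += [f"context.{k} must be a string, number, or boolean"
                 for k, v in ctx.items() if not isinstance(v, (str, int, float, bool))]
    return problems

if __name__ == "__main__":
    print(find_policy_problems(lambda_handler(SAMPLE_EVENT, None)))
```

An empty list means that the response has the expected fields. Each entry in a non-empty list names the field to fix in the function code.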
Troubleshoot the "AuthorizerFailureException" error
If you receive the following error message, then you might have issues with your Lambda authorizer:
"Execution failed due to an authorizer error Tue Jan 01 04:59:40 UTC 2020 : AuthorizerFailureException"
To troubleshoot this issue, check your CloudWatch logs for authorization failures, code syntax errors, or timeout issues in your Lambda function.
Troubleshoot the "500 Internal Server Error" error
If you receive a "500 Internal Server Error" error message when you invoke your API Gateway HTTP API, then see Troubleshooting Lambda authorizers.
Note: If your Lambda authorizer doesn't respond within 10 seconds, then you also receive this error message.