Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Cross-account API Gateway Lambda authorizer with stage variable

0

It shows an "Invalid function ARN or Invalid uri" when I try to create a cross-account API Gateway Lambda authorizer with stage variable in Lambda function ARN. Does it mean stage variable is not supported in a cross-account use case?

Topics
ServerlessFront-End Web & MobileComputeNetworking & Content Delivery
Tags
Amazon API GatewayAWS Lambda
Language
English
asked a month ago87 views
1 Answer
1
Accepted Answer

Yes, stage variables are not supported in Lambda authorizer ARNs for cross-account configurations. This is a known API Gateway limitation.

Stage variables in Lambda URIs are resolved at runtime, but API Gateway validates the cross-account Lambda authorizer ARN at configuration time — before stage variables can be substituted. This is why you see "Invalid function ARN or Invalid uri" specifically in the cross-account scenario.

Workaround options:

Option 1: Use the full ARN directly

Hardcode the cross-account Lambda ARN in the authorizer configuration instead of using a stage variable:

arn:aws:lambda:us-east-1:ACCOUNT_ID:function:my-authorizer-function

Option 2: Use aliases instead of stage variables

If you need to point different stages at different versions of the authorizer, use Lambda aliases (e.g. dev, prod) and hardcode the alias ARN:

arn:aws:lambda:us-east-1:ACCOUNT_ID:function:my-authorizer-function:prod

Option 3: Same-account wrapper Lambda

Deploy a thin Lambda in the same account as API Gateway that proxies the authorization call to the cross-account function. This keeps the authorizer same-account (stage variables work) while the actual logic lives cross-account.

Also ensure the cross-account Lambda has a resource-based policy granting lambda:InvokeFunction to the API Gateway principal from the source account.

Ref: API Gateway Lambda authorizer documentation

answered a month ago
EXPERT
reviewed a month ago
  • Chao Ma
    a month ago

    Really appreciate the quick response and the workaround proposals are also helpful. But in option 2, I still need stage variable in ARN right? Otherwise I need to change the ARN then deploy to different stages instead of pointing to different functions dynamically.

  • meghana rajagopal
    a month ago

    You're correct — Option 2 only works if you're willing to configure each stage with its own hardcoded alias ARN as a static value, not dynamically. So stage dev would have its authorizer pointing to function:dev-alias and stage prod pointing to function:prod-alias — each configured separately, no stage variable involved. It removes the stage variable requirement but adds manual per-stage configuration.

    If you need truly dynamic routing across stages without reconfiguring per stage, Option 3 (same-account wrapper Lambda) is the only clean path. The wrapper Lambda in the same account can read the target cross-account ARN from an environment variable or SSM Parameter Store, keyed by stage context passed in the request. This gives you the dynamic behavior stage variables would have provided, while keeping the authorizer itself same-account where stage variables work normally.

  • Chao Ma
    a month ago

    Many thanks again, I'll consider option 3 because it's most close to what I want. I really hope AWS can support this use case, they can just delay the ARN validation until runtime when in a cross account case then there will be more flexible.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content