Hi all, I need help. I'm days into troubleshooting 403 responses from the /$connect endpoint on api gateway. I think that I've narrowed down the issues to IAM policy settings, and I'm pretty sure I either configured or didn't configure something correctly.
When assigning permissions to the lambda using the aws-cli I see the following response:
https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html
aws lambda add-permission --function-name arn:aws:lambda:{region}:{account-id}:function:{function-name} --action lambda:InvokeFunction --statement-id "ws-connect" --principal apigateway.amazonaws.com --source-arn "arn:aws:execute-api:{aws-region}:{account-id}:{api-id}/*/$connect" --profile {aws-config-profile} --region {aws-region}
{
"Statement": "{\"Sid\":\"ws-connect\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"apigateway.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:{region}:{account-id}:function:{function-name}\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:execute-api:{region}:{account-id}:{api-id}/*/\"}}}"
}
However when checking the lambda dashboard shortly afterwards, I see the following when I click on the API Gateway trigger icon:
arn:aws:execute-api:{region}:{account-id}:{api-id}/*/
The API with ID {api-id} cannot be found
The Route Request settings for my $connect endpoint are the following:
Authorization: None
API Key Required: false
The Integration Request for my $connect endpoint has the following settings:
Type: Lambda Function
Use Proxy Integration: false
Lambda Region: {set to my region}
Lambda Function: {set to my function}
Invoke with caller credentials: {Not accessible, disabled}
Execution Role: {set to an IAM role with the below policies}
- AmazonAPIGatewayInvokeFullAccess - AWS managed policy
- AWSLambdaRole - AWS managed policy
- AWSLambdaVPCAccessExecutionRole - AWS managed policy
- AWSLambdaBasicExecutionRole-{some-id} - assuming this was auto generated
Use Default Timeout: true
The Integration response for my $connect route is configured.
For simplicity assume my connection lambda returns a simple response.
{status: 200, connectionId: event.requestContext.connectionId}
In actuality, the lambda is coded to communicate with an ec2 instance over http. When testing the lambda, I see updates in the apache logs receiving the request with whatever data I'm sending, and it's returning the response ok. I also see the expected CloudWatch logs.
I use signed URLs generated by the npm @aws-amplify/core Signer class. With authorization disabled at my $connect endpoint, the extra query params don't affect my request at all, and I'd expect the query params to be passed through to the lambda. I can connect perfectly using npm wscat with or without the signed URLs when I don't have an Integration Request set. However, after setting the Integration Request to use my Lambda, I can't connect anymore. This leads me to believe that there is something wrong with the roles/policies I have configured.
One last quick point: within CloudWatch I do see logs from the lambda I have assigned to the /$disconnect route. It has the exact same permission and vpn configuration as the $connect route has.
Any help would be appreciated in pointing me in the right direction, or helping me figure out why I'm unable to use a lambda integration with the $connect route.
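An added diagnostic, not part of the original post and not an AWS tool: it parses the add-permission response shown above (the post's own output, kept as a constructed sample with its placeholder values) and checks whether the SourceArn condition can actually match the intended route. Note that in the response the SourceArn ends in `{api-id}/*/` rather than `{api-id}/*/$connect`: inside double quotes, a POSIX shell treats `$connect` as a variable reference, which is empty unless set, so the route segment never reaches the CLI. The helper also shows how to quote such an ARN so the shell passes it through literally. Function names and the example values ending in `r:a:i` are this example's own.

```python
import json
import shlex

# Constructed sample: the `aws lambda add-permission` response quoted in the post,
# with the post's {placeholder} values left exactly as written there.
SAMPLE_RESPONSE = r'''{
"Statement": "{\"Sid\":\"ws-connect\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"apigateway.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:{region}:{account-id}:function:{function-name}\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:execute-api:{region}:{account-id}:{api-id}/*/\"}}}"
}'''


def statement_from_response(response_text):
    """The CLI nests the new policy statement as a JSON *string* inside the JSON
    response, so it has to be decoded twice."""
    outer = json.loads(response_text)
    return json.loads(outer["Statement"])


def source_arn(statement):
    """Return the AWS:SourceArn value from an ArnLike/ArnEquals condition, or None."""
    condition = statement.get("Condition", {})
    for operator in ("ArnLike", "ArnEquals"):
        arn = condition.get(operator, {}).get("AWS:SourceArn")
        if arn:
            return arn
    return None


def check_route_grant(statement, expected_route):
    """Check that the statement's SourceArn can match an API Gateway invocation ARN
    of the form arn:aws:execute-api:region:account:api-id/stage/route.
    Returns (ok, detail)."""
    arn = source_arn(statement)
    if arn is None:
        # Without a SourceArn condition the principal is all of API Gateway; too broad.
        return False, "no AWS:SourceArn condition: any API in any account could invoke"
    route_segment = arn.rsplit("/", 1)[-1]
    if route_segment == "":
        # The pattern ends in '/', but invocation ARNs end in the route name, so
        # nothing can match. Typical cause: "$connect" expanded by the shell.
        return False, "route segment is empty (a '$'-prefixed route inside double quotes is expanded by the shell)"
    if route_segment not in (expected_route, "*"):
        return False, f"SourceArn grants route {route_segment!r}, expected {expected_route!r}"
    return True, arn


def quote_for_shell(arn):
    """Quote an ARN so '$' and '*' survive the shell verbatim (single quotes)."""
    return shlex.quote(arn)


if __name__ == "__main__":
    stmt = statement_from_response(SAMPLE_RESPONSE)
    print("SourceArn in response:", source_arn(stmt))
    print("grant check:", check_route_grant(stmt, "$connect"))
    print("quoted for --source-arn:", quote_for_shell("arn:aws:execute-api:r:a:i/*/$connect"))
```

Run it against the response you get back from add-permission; `check_route_grant` returning `(False, ...)` with the "route segment is empty" detail means the granted ARN cannot match `.../$connect`, independent of whatever else is going on in the integration. The resource policy can also be re-read at any time with `aws lambda get-policy --function-name ...`, whose `Policy` field is nested the same way.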