Using Custom Authorizers with AWS Service Integrations

Question

I am trying to use a custom authorizer to return an id with restricted aws service access (as indicated by Approach 2 in the initial response in this forum post: https://forums.aws.amazon.com/thread.jspa?threadID=230067).  
  
I want to restrict the user to a List operation on specific S3 bucket/folder using the Javascript api in the browser.  
  
The docs   suggest that  
setting the method execution role to arn:aws:iam::**:user/** will enable the api method to use the current callers identity (which I assume is returned by the custom authorizer)  
  
However when I try and configure a method like this in the console I get the following error in a nice red box at the top of the console:  
**Caller provided credentials are only supported for Lambda, SNS, SQS, DynamoDB, and S3.**  
  
The AWS Service drop down is set to Simple Storage Service (S3).  
  
Why won't this work?

Answer

Note that the Exution Role should have been arn:aws:iam::\**:user/** not arn:aws:iam::**:user/** as shown below due to code formatting.  
  
Anyhoo, after returning to this and attempting to to define a new API action integrating with a AWS service from scratch I got the following message:  
  
 **AWS_IAM Auth type is required for AWS integrations with identity forwarding specified**  
  
Naturally searching for this statement generated absolutely nothing so in a rare moment of inspiration occasioned by a cup of coffee I tried:  
  
arn:aws:iam:::user/*  
  
And lo and behold the waters parted and the save button worked!

Using Custom Authorizers with AWS Service Integrations

Relevant content