Please add a resource-based policy to the Lambda function that allows the lambda:InvokeFunction action from the principal apigateway.amazonaws.com. You can do this manually in the AWS Lambda console or through AWS CLI.
Please create an IAM role that API Gateway will assume when calling the cross-account Lambda function. This role should have a trust relationship with apigateway.amazonaws.com and include a policy that allows lambda:InvokeFunction on the external Lambda function.
In myserverless.yml, specify the ARN of the external Lambda function in the authorizer.arn field as you've done. Include the ARN of the IAM role created in the previous step. This might involve using a custom authorizer configuration with the authorizerUri property under the x-amazon-apigateway-authorizer extension.
I figured it out: the Serverless documentation (v3.38.0) claimed to support my use case but it did not (there was no actual way to specify that I have an externally managed Lambda function for websockets). I'm submitting a contribution to enable what I'm trying to do; it should be a one-liner.
Hi Jagan, does this policy seem correct?
aws lambda add-permission \
  --function-name "arn:aws:lambda:us-east-2:AccountIdForTheAccountThatHasExternalAuthorizer:function:AuthorizerNameGoesHere" \
  --source-arn "arn:aws:execute-api:us-east-2:MyAccountIdHereContainingTheServerlessApp:*" \
  --principal apigateway.amazonaws.com \
  --statement-id "GrantAPIGatewayCrossAccountInvokePermission" \
  --action lambda:InvokeFunction
Looking into the other things, but if the second thing you mentioned needs to be done manually outside of the Serverless Framework per deploy, I fear it defeats my purpose.
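An added example, not from this thread or from AWS: an offline check of the resource-based policy that an `add-permission` call like the one above writes onto the authorizer Lambda, to confirm the `apigateway.amazonaws.com` grant is scoped by `aws:SourceArn` to the trusted account. The sample policies are constructed to mirror the statement shape `add-permission` produces; account IDs, API IDs and function names are placeholders.

```python
"""Audit a Lambda resource-based policy for cross-account API Gateway grants.

Sample statements are constructed to match what `aws lambda add-permission
--principal apigateway.amazonaws.com --source-arn ...` produces; all IDs below
are placeholders, not real accounts.
"""
import json

APIGW = "apigateway.amazonaws.com"


def sample_policy(source_arn=None):
    """Constructed policy with one statement, as add-permission would write it."""
    stmt = {
        "Sid": "GrantAPIGatewayCrossAccountInvokePermission",
        "Effect": "Allow",
        "Principal": {"Service": APIGW},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-2:222222222222:function:AuthorizerNameGoesHere",
    }
    if source_arn:  # omitted when add-permission is run without --source-arn
        stmt["Condition"] = {"ArnLike": {"AWS:SourceArn": source_arn}}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


def _arn_account(arn):
    # arn:partition:service:region:account-id:resource -> account-id
    parts = arn.split(":", 5)
    return parts[4] if len(parts) == 6 else ""


def _source_arns(stmt):
    found = []
    for op, keys in stmt.get("Condition", {}).items():
        for key, val in keys.items():
            if key.lower() == "aws:sourcearn":
                found.extend(val if isinstance(val, list) else [val])
    return found


def audit_apigw_grants(policy_json, trusted_account):
    """Return one finding per problem; empty list means every API Gateway
    grant is pinned to trusted_account (wildcard API IDs are still reported)."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Principal", {}).get("Service") != APIGW:
            continue
        sid, srcs = stmt.get("Sid", "<no Sid>"), _source_arns(stmt)
        if not srcs:
            findings.append(f"{sid}: no aws:SourceArn; any API Gateway in any account can invoke")
        for arn in srcs:
            acct = _arn_account(arn)
            if acct != trusted_account:
                findings.append(f"{sid}: SourceArn account '{acct}' is not {trusted_account}")
            elif arn.endswith(":*"):
                findings.append(f"{sid}: {arn} covers every API in {acct}; prefer <api-id>/authorizers/<id>")
    return findings
```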