By using AWS re:Post, you agree to the Terms of Use

500 Error from API Gateway URL on Lambda Integration, Works Fine from AWS Console


I'm working on an API Gateway -> Lambda integration for a client.

Everything works fine from the AWS Console. I can click on test, paste the JSON payload into the window, and it submits just fine and runs the lambda function.

When I try using Postman to the URL, I get a 500 error and CloudWatch says "Execution failed due to a configuration error: Invalid permissions on Lambda function."

The function has policy attached that allows access from Principal, with a Source ARN filter that is of the format arn:aws:execute-api:us-east-1:{acctid}:{apiid}/*/POST/{path}

From what I can tell, it should be valid. I've tried removing the source arn filter completely, or putting *'s in the method and path to no avail.

What makes it worse is I did get it to work for a few seconds after tweaking the Source ARN filter, ran into a payload parsing issue in the Lambda, redeployed and I'm back to where I was. I can't reproduce my momentary success.

I have no idea how it is possible at this point for the ARN format to actually be wrong. I've validated it numerous times, I can see what the SourceArn is in the CloudWatch logs.

Is it possible that there is some sort of an AWS Organizations that can specifically block inbound API Gateway requests from reaching a Lambda? (And if so, why would it momentarily fail and have allowed some access?)

Other than that, I am completely out of ideas. I'm beating my head against the wall on this one. Does anyone have suggestions on what else to check?

2 Answers

Certainly the permission looks correct; and as you say you can substitute POST with * and it should still work. Going into API Gateway and re-selecting the Lambda function as a target will replace the permissions so that's worth a try.

is it possible there are some guardrails in your account that are "remediating" your configuration? Yes. But from this distance it's not possible to tell for sure. CloudTrail will show changes in the account so it might be worth looking there to see if any changes are showing up.

Other than that: Create a support ticket. The support team has the ability to see what is running in the account and what is happening.

answered a month ago

Yes the source ARN looks correct.

Just to be sure, you are running out of us-east-1 right? As that is in your ARN. Also the action is set to lambda:InvokeFuction?

answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions