I found the issue by replicating the setup with a new API serving the same function with the same JWT. It was an incorrectly linked default stage: it was linked as "default" instead of "$default". Recreating it was not giving the desired result, so killing the API completely and reconfiguring it from scratch did the job. The final policies are:

Resource-based policy:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "b628c89b-e99c-5ec3-b742-0381a6e7bee9",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:eu-west-1:1234567890:function:jwt-auth-20-2-JWTFunction-CcYhy6uvwbTN",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:eu-west-1:1234567890:raqr7jh0j1/authorizers/fb1vn0"
        }
      }
    }
  ]
}

Role policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

Trust:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
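The accepted answer comes down to one detail of the resource-based policy: the ArnLike condition on AWS:SourceArn must match the ARN an HTTP API presents when it calls a Lambda authorizer, which has the form api-id/authorizers/authorizer-id, not the stage/route shape used for route integrations. The script below is an added example, not code from this thread or from AWS. It implements the documented ArnLike matching rule (six colon-delimited components compared separately, with * and ? wildcards, case-sensitive) and evaluates the policy shape posted above against the authorizer ARN. The route-shaped patterns, the API-wide wildcard and the wrong-region pattern are constructed for the example; the function and authorizer ARNs are the ones from the accepted answer. It only models Allow statements with a Service principal and an ArnLike SourceArn condition; Deny statements and other condition operators are out of scope, so a True result means "this policy would not be the cause of AUTHORIZER_CONFIGURATION_ERROR", not a full IAM decision.

```python
"""Offline check of a Lambda resource-based policy against the aws:SourceArn
that API Gateway presents when invoking an HTTP API Lambda authorizer.

Added example for this thread (not code from the posts or from AWS). Models only
the constructs the posted policies use: Effect Allow, Principal Service, Action,
Resource, and Condition ArnLike on aws:SourceArn.
"""
import re


def arn_like(pattern: str, arn: str) -> bool:
    """IAM ArnLike semantics: split both values into six colon-delimited
    components and compare each one; '*' matches any run of characters ('/'
    included) and '?' one character. Case-sensitive. The resource component
    keeps any further ':' it contains because of the maxsplit."""
    p_parts = pattern.split(":", 5)
    a_parts = arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    for p, a in zip(p_parts, a_parts):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        if re.fullmatch(regex, a) is None:
            return False
    return True


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _ci_get(mapping: dict, key: str, default=None):
    """Condition operator names and condition keys are case-insensitive in IAM
    ("AWS:SourceArn" and "aws:SourceArn" are the same key)."""
    for k, v in mapping.items():
        if k.lower() == key.lower():
            return v
    return default


def invoke_allowed(policy: dict, function_arn: str, source_arn: str,
                   caller: str = "apigateway.amazonaws.com") -> bool:
    """True if some Allow statement grants lambda:InvokeFunction on function_arn
    to the calling service and its aws:SourceArn ArnLike condition, if present,
    is satisfied by source_arn. Other condition operators are ignored (so the
    check can only be optimistic, never stricter than IAM)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if caller not in services:
            continue
        if not any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        if not any(arn_like(r, function_arn) for r in _as_list(stmt.get("Resource"))):
            continue
        patterns = _ci_get(_ci_get(stmt.get("Condition", {}), "ArnLike", {}), "aws:SourceArn")
        if patterns is None or any(arn_like(p, source_arn) for p in _as_list(patterns)):
            return True
    return False


# ARNs from the accepted answer above. An HTTP API presents
# <api-id>/authorizers/<authorizer-id> as aws:SourceArn on an authorizer call.
FUNCTION_ARN = "arn:aws:lambda:eu-west-1:1234567890:function:jwt-auth-20-2-JWTFunction-CcYhy6uvwbTN"
AUTHORIZER_ARN = "arn:aws:execute-api:eu-west-1:1234567890:raqr7jh0j1/authorizers/fb1vn0"


def _policy(source_arn_patterns):
    """Build the one-statement resource policy shape used in the thread."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": FUNCTION_ARN,
            "Condition": {"ArnLike": {"AWS:SourceArn": source_arn_patterns}},
        }],
    }


WORKING_POLICY = _policy(AUTHORIZER_ARN)  # the accepted answer's policy

# Constructed for this example: SourceArn patterns shaped like stage/route ARNs.
# They never match the /authorizers/<id> ARN presented by an authorizer call.
ROUTE_SHAPED_POLICY = _policy([
    "arn:aws:execute-api:eu-west-1:1234567890:raqr7jh0j1/default/*",
    "arn:aws:execute-api:eu-west-1:1234567890:raqr7jh0j1/$default/*",
])


def check_thread_policies() -> dict:
    """Evaluate the posted policy and three constructed variants."""
    return {
        "authorizer_arn": invoke_allowed(WORKING_POLICY, FUNCTION_ARN, AUTHORIZER_ARN),
        "route_shaped": invoke_allowed(ROUTE_SHAPED_POLICY, FUNCTION_ARN, AUTHORIZER_ARN),
        # An API-wide wildcard covers both routes and authorizers of this API.
        "api_wide_wildcard": invoke_allowed(
            _policy("arn:aws:execute-api:eu-west-1:1234567890:raqr7jh0j1/*"), FUNCTION_ARN, AUTHORIZER_ARN),
        # A region mismatch is a silent failure: ArnLike compares every component.
        "wrong_region": invoke_allowed(
            _policy("arn:aws:execute-api:us-east-1:1234567890:raqr7jh0j1/authorizers/fb1vn0"),
            FUNCTION_ARN, AUTHORIZER_ARN),
    }


if __name__ == "__main__":
    for name, ok in check_thread_policies().items():
        print(f"{name:18s} {'allowed' if ok else 'DENIED'}")
```

The point of the route-shaped case is that the patterns can look perfectly reasonable and still never fire, because the authorizer call carries a different resource path from the route invocation; when an authorizer returns AUTHORIZER_CONFIGURATION_ERROR, compare the SourceArn pattern against the authorizer ARN component by component rather than adding more route-style alternatives.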
Hello @Blade1024
To troubleshoot errors, enable access logging for your API stage. Include the $context.authorizer.error logging variable in your log format.
If the logs indicate that API Gateway doesn't have permission to invoke your function, update your function's resource policy or provide an IAM role to grant API Gateway permission to invoke your authorizer. Refer to https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html. Review your API Gateway execution logs. If you see an error message similar to "Invalid permissions on Lambda function", missing permissions are causing the error. For more information, see "How do I turn on CloudWatch Logs for troubleshooting my API Gateway REST API or WebSocket API?"
See also https://repost.aws/knowledge-center/api-gateway-lambda-stage-variable-500
Please take a look here: https://repost.aws/knowledge-center/api-gateway-http-lambda-integrations. To resolve the error you may need to use the API Gateway console to add a resource-based Lambda invoke permission to your HTTP API, or configure an AWS execution role that grants your HTTP API permission to invoke your function. For more information, see "API Gateway permissions model for invoking an API": https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html#api-gateway-control-access-iam-permissions-model-for-calling-api. For more information on troubleshooting errors when using Lambda integrations with HTTP APIs, see "Troubleshooting issues with HTTP API Lambda integrations": https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-troubleshooting-lambda.html
If there are any further questions feel free to ask. If this answer is satisfactory to you please mark it as accepted. Thanks!
Thank you for replying. I indeed found the same resources, and it doesn't contradict what you have sent. If I may, I want to sum up my understanding of the setup:
- There are no policies on the HTTP API GW with respect to the lambda functions configured directly in the API GW. All policies are attached to the lambda itself via a role.
- On the lambda level, there are two policy types: one for the lambda itself, regulating the resources it can access, and another one defining who is trusted to invoke it.
Now, if I got everything right, I have a role jwt-auth-20-1-JWTFunctionRole-1SJU2Z3U0DVHQ that has a basic execution policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

and in the trust relationships tab I defined a trust allowing API GW to fire it up:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

And this role has been attached to the JWT lambda. The log message clearly states that there is a permission issue:

{
  "accountId": "12345678",
  "apiId": "a5osmfbrk7",
  "authorizer_claims_property": "-",
  "authorizer_error": "The IAM role configured on the authorizer or API Gateway doesn't have permissions to call the authorizer. Check the permissions and try again.",
  "authorizer_principalId": "-",
  "authorizer_property": "-",
  "awsEndpointRequestId": "-",
  "awsEndpointRequestId2": "-",
  "customDomain_basePathMatched": "-",
  "dataProcessed": "483",
  "domainName": "a5osmfbrk7.execute-api.eu-west-1.amazonaws.com",
  "domainPrefix": "a5osmfbrk7",
  "error_message": "Internal Server Error",
  "error_messageString": "\"Internal Server Error\"",
  "error_responseType": "AUTHORIZER_CONFIGURATION_ERROR",
  "extendedRequestId": "KBGfKgdFDoEEJ3A=",
  "httpMethod": "GET",
  "identity_accountId": "-",
  "identity_caller": "-",
  "identity_cognitoAuthenticationProvider": "-",
  "identity_cognitoAuthenticationType": "-",
  "identity_cognitoIdentityId": "-",
  "identity_cognitoIdentityPoolId": "-",
  "identity_principalOrgId": "-",
  "identity_clientCert.clientCertPem": "-",
  "identity_clientCert.subjectDN": "-",
  "identity_clientCert.issuerDN": "-",
  "identity_clientCert.serialNumber": "-",
  "identity_clientCert.validity.notBefore": "-",
  "identity_clientCert.validity.notAfter": "-",
  "identity_sourceIp": "x.x.x.x",
  "identity_user": "-",
  "identity_userAgent": "python-requests/2.27.1",
  "identity_userArn": "-",
  "integration_error": "-",
  "integration_integrationStatus": "-",
  "integration_latency": "-",
  "integration_requestId": "-",
  "integration_status": "-",
  "integrationErrorMessage": "-",
  "integrationLatency": "-",
  "integrationStatus": "-",
  "path": "/default/",
  "protocol": "HTTP/1.1",
  "requestId": "KBGfKgdFDoEEJ3A=",
  "requestTime": "21/Aug/2023:15:36:00 +0000",
  "requestTimeEpoch": "1692632160",
  "responseLatency": "32",
  "responseLength": "35",
  "routeKey": "GET /",
  "stage": "default",
  "status": "500"
}
What am I missing here?
Best regards
I just created a Hello World lambda, attached it to an API Gateway and invoked it successfully. Here is the trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

And this is the "Resource-based policy document":

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "lambda-959337eb-2f34-42df-b74c-e5e20e70e8ba",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:123456789:function:HelloWorldLambda",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:us-east-1:123456789:03z58y9l7h///HelloWorldLambda"
        }
      }
    }
  ]
}
If there are any further questions feel free to ask. If this answer above is satisfactory to you please mark it as accepted. Thanks!
Good afternoon,
Thank you for your reply!
The policy attached to the lambda now looks as follows (I added alternative paths):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:eu-west-1:1234567890:function:jwt-auth-20-1-JWTFunction-2ZRuGs64MgLQ",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": [
            "arn:aws:execute-api:us-east-1:1234567890:a5osmfbrk7///default",
            "arn:aws:execute-api:us-east-1:1234567890:a5osmfbrk7///default/*",
            "arn:aws:execute-api:us-east-1:1234567890:a5osmfbrk7/default/*",
            "arn:aws:execute-api:us-east-1:1234567890:a5osmfbrk7///*",
            "arn:aws:execute-api:us-east-1:1234567890:a5osmfbrk7/*"
          ]
        }
      }
    }
  ]
}

The trust is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com",
          "apigateway.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
The problem still persists.
Regards