Error 500 on lambda authorizer

0

Hi Guys,

I have a lambda accessible via API that has a JWT authorizer on top of it. If I execute the lambda without it, it works correctly. If I execute it with the authorizer, the API throws an error: {"accountId":"123456789","apiId":"a5osmfbrk7","authorizer_claims_property":"-","authorizer_error":"The IAM role configured on the authorizer or API Gateway doesn't have permissions to call the authorizer. Check the permissions and try again.","authorizer_principalId":"-","authorizer_property":"-","awsEndpointRequestId":"-","awsEndpointRequestId2":"-","customDomain_basePathMatched":"-","dataProcessed":"483","domainName":"a5osmfbrk7.execute-api.eu-west-1.amazonaws.com","domainPrefix":"a5osmfbrk7","error_message":"Internal Server Error","error_messageString":" "Internal Server Error"","error_responseType":"AUTHORIZER_CONFIGURATION_ERROR","extendedRequestId":"KAs8OhCbDoEEMdA=","httpMethod":"GET","identity_accountId":"-","identity_caller":"-","identity_cognitoAuthenticationProvider":"-","identity_cognitoAuthenticationType":"-","identity_cognitoIdentityId":"-","identity_cognitoIdentityPoolId":"-","identity_principalOrgId":"-","identity_clientCert.clientCertPem":"-","identity_clientCert.subjectDN":"-","identity_clientCert.issuerDN":"-","identity_clientCert.serialNumber":"-","identity_clientCert.validity.notBefore":"-","identity_clientCert.validity.notAfter":"-","identity_sourceIp":"144.178.96.162","identity_user":"-","identity_userAgent":"python-requests/2.27.1","identity_userArn":"-","integration_error":"-","integration_integrationStatus":"-","integration_latency":"-","integration_requestId":"-","integration_status":"-","integrationErrorMessage":"-","integrationLatency":"-","integrationStatus":"-","path":"/default/","protocol":"HTTP/1.1","requestId":"KAs8OhCbDoEEMdA=","requestTime":"21/Aug/2023:12:41:37 +0000","requestTimeEpoch":"1692621697","responseLatency":"30","responseLength":"35"routeKey":"GET /","stage":"default","status":"500"}

The policy attached to the lambda itself is: { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:eu-west-1:123456789:function:jwt-auth-20-1-JWTFunction-dY61e98UbHjP", "Condition": { "ForAnyValue:StringEquals": { "aws:PrincipalServiceName": "apigateway.amazonaws.com" } } }, { "Sid": "c7831891", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:eu-west-1:123456789:function:jwt-auth-20-1-JWTFunction-dY61e98UbHjP", "Condition": { "ArnLike": { "AWS:SourceArn": "arn:aws:execute-api:eu-west-1:123456789:a5osmfbrk7/authorizers/vfu1u6" } } } ] }

I have tried to grant the permissions automatically or manually. Same result.

Regards

asked a year ago · 1044 views
7 Answers
0
Accepted Answer

I found the issue by replicating the setup with a new API serving the same function with the same JWT. It was an incorrectly linked default stage - it was linked as "default" instead of "$default". Recreating it was not giving the desired result, so killing the API completely and re-configuring it from scratch did the job. The final policies are: Resource-based policy: { "Version": "2012-10-17", "Id": "default", "Statement": [ { "Sid": "b628c89b-e99c-5ec3-b742-0381a6e7bee9", "Effect": "Allow", "Principal": { "Service": "apigateway.amazonaws.com" }, "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:eu-west-1:1234567890:function:jwt-auth-20-2-JWTFunction-CcYhy6uvwbTN", "Condition": { "ArnLike": { "AWS:SourceArn": "arn:aws:execute-api:eu-west-1:1234567890:raqr7jh0j1/authorizers/fb1vn0" } } } ] }

Role policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "*" } ] }

Trust: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

answered a year ago
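A way to check an authorizer function's resource-based policy against the SourceArn that API Gateway actually presents, as an added example (not code from this thread or from AWS). The identifiers and both sample policies are constructed: one follows the shape of the accepted answer's working policy, the other the shape of the last reply's non-working one, whose SourceArn patterns use stage-style paths and the us-east-1 region while the API is in eu-west-1.

```python
import fnmatch

# Constructed sample identifiers (the thread's own IDs are placeholders too).
REGION, ACCOUNT, API_ID, AUTHZ_ID = "eu-west-1", "123456789012", "a5osmfbrk7", "vfu1u6"
FUNCTION_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:jwt-authorizer"

def authorizer_source_arn(region, account, api_id, authorizer_id):
    """SourceArn that API Gateway presents when it invokes an HTTP API Lambda authorizer."""
    return f"arn:aws:execute-api:{region}:{account}:{api_id}/authorizers/{authorizer_id}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def arn_like(arn, pattern):
    """IAM ArnLike: the six colon-delimited ARN parts are matched separately, with * and ?."""
    a, p = arn.split(":", 5), pattern.split(":", 5)
    return len(a) == len(p) and all(fnmatch.fnmatchcase(x, y) for x, y in zip(a, p))

def _statement_allows(stmt, function_arn, source_arn):
    """Evaluate one resource-policy statement against the actual authorizer invocation."""
    if (stmt.get("Effect") != "Allow" or function_arn not in _as_list(stmt.get("Resource", []))
            or "lambda:InvokeFunction" not in _as_list(stmt.get("Action", []))):
        return False
    # A resource policy needs a Principal; the question's Principal-less statement grants nothing here.
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    if principal != "*" and "apigateway.amazonaws.com" not in services:
        return False
    for op, match in (("ArnLike", arn_like), ("ArnEquals", str.__eq__)):
        for key, patterns in stmt.get("Condition", {}).get(op, {}).items():
            if key.lower() == "aws:sourcearn" and not any(match(source_arn, p) for p in _as_list(patterns)):
                return False
    return True

def policy_allows_authorizer_invoke(policy, function_arn, source_arn):
    """True if some statement lets API Gateway invoke function_arn from source_arn."""
    return any(_statement_allows(s, function_arn, source_arn) for s in _as_list(policy["Statement"]))

# Shape of the accepted answer's working policy: SourceArn names the authorizer itself.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "apigateway.amazonaws.com"},
    "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
    "Condition": {"ArnLike": {"AWS:SourceArn": authorizer_source_arn(REGION, ACCOUNT, API_ID, AUTHZ_ID)}}}]}
# Shape of the last reply's policy: stage-style paths, and us-east-1 while the API lives in eu-west-1.
BAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "apigateway.amazonaws.com"},
    "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
    "Condition": {"ArnLike": {"AWS:SourceArn": [f"arn:aws:execute-api:us-east-1:{ACCOUNT}:{API_ID}///default/*",
                                               f"arn:aws:execute-api:us-east-1:{ACCOUNT}:{API_ID}/*"]}}}]}
```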
0

Hello @Blade1024

To troubleshoot errors, enable access logging for your API stage. Include the $context.authorizer.error logging variable in your log format.

If the logs indicate that API Gateway doesn't have permission to invoke your function, update your function's resource policy or provide an IAM role to grant API Gateway permission to invoke your authorizer. Refer to https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html. Review your API Gateway execution logs. If you see an error message similar to "Invalid permissions on Lambda function", missing permissions are causing the error. For more information, see "How do I turn on CloudWatch Logs for troubleshooting my API Gateway REST API or WebSocket API?"

Refer to https://repost.aws/knowledge-center/api-gateway-lambda-stage-variable-500

answered a year ago
0

Please take a look here: https://repost.aws/knowledge-center/api-gateway-http-lambda-integrations. To resolve the error you may need to use the API Gateway console to add a resource-based Lambda invoke permission to your HTTP API, or configure an AWS execution role that grants your HTTP API permission to invoke your function. For more information, see "API Gateway permissions model for invoking an API": https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html#api-gateway-control-access-iam-permissions-model-for-calling-api. For more information on troubleshooting errors when using Lambda integrations with HTTP APIs, see "Troubleshooting issues with HTTP API Lambda integrations": https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-troubleshooting-lambda.html

If there are any further questions feel free to ask. If this answer is satisfactory to you please mark it as accepted. Thanks!

AWS
answered a year ago
0

Thank you for replying. I indeed found the same resources and it doesn't contradict what you have sent. If I may, I want to sum up my understanding of the setup:

  • There are no policies on the HTTP API GW with respect to the lambda functions configured directly in the API GW. All policies are attached to the lambda itself via a role.
  • On the lambda level, there are two policy types: one for the lambda itself, regulating the resources it can access, and another one that defines who is trusted to invoke it.

Now, if I got everything right, I have a role jwt-auth-20-1-JWTFunctionRole-1SJU2Z3U0DVHQ, that has a basic execution policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "*" } ] }

and in the trust relationships tab, I defined a trust allowing API GW to fire it up: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "apigateway.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

And this role has been attached to the JWT lambda. The log message clearly states that there is a permission issue: {"accountId":"12345678","apiId":"a5osmfbrk7","authorizer_claims_property":"-","authorizer_error":"The IAM role configured on the authorizer or API Gateway doesn't have permissions to call the authorizer. Check the permissions and try again.","authorizer_principalId":"-","authorizer_property":"-","awsEndpointRequestId":"-","awsEndpointRequestId2":"-","customDomain_basePathMatched":"-","dataProcessed":"483","domainName":"a5osmfbrk7.execute-api.eu-west-1.amazonaws.com","domainPrefix":"a5osmfbrk7","error_message":"Internal Server Error","error_messageString":" "Internal Server Error"","error_responseType":"AUTHORIZER_CONFIGURATION_ERROR","extendedRequestId":"KBGfKgdFDoEEJ3A=","httpMethod":"GET","identity_accountId":"-","identity_caller":"-","identity_cognitoAuthenticationProvider":"-","identity_cognitoAuthenticationType":"-","identity_cognitoIdentityId":"-","identity_cognitoIdentityPoolId":"-","identity_principalOrgId":"-","identity_clientCert.clientCertPem":"-","identity_clientCert.subjectDN":"-","identity_clientCert.issuerDN":"-","identity_clientCert.serialNumber":"-","identity_clientCert.validity.notBefore":"-","identity_clientCert.validity.notAfter":"-","identity_sourceIp":"x.x.x.x","identity_user":"-","identity_userAgent":"python-requests/2.27.1","identity_userArn":"-","integration_error":"-","integration_integrationStatus":"-","integration_latency":"-","integration_requestId":"-","integration_status":"-","integrationErrorMessage":"-","integrationLatency":"-","integrationStatus":"-","path":"/default/","protocol":"HTTP/1.1","requestId":"KBGfKgdFDoEEJ3A=","requestTime":"21/Aug/2023:15:36:00 +0000","requestTimeEpoch":"1692632160","responseLatency":"32","responseLength":"35"routeKey":"GET /","stage":"default","status":"500"}

What am I missing here?

Best regards

answered a year ago
0

I just created a Hello World lambda, attached it to an API Gateway and invoked it successfully. Here is the trust policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } And this is the "Resource-based policy document": { "Version": "2012-10-17", "Id": "default", "Statement": [ { "Sid": "lambda-959337eb-2f34-42df-b74c-e5e20e70e8ba", "Effect": "Allow", "Principal": { "Service": "apigateway.amazonaws.com" }, "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:us-east-1:123456789:function:HelloWorldLambda", "Condition": { "ArnLike": { "AWS:SourceArn": "arn:aws:execute-api:us-east-1:123456789:03z58y9l7h///HelloWorldLambda" } } } ] }

AWS
answered a year ago
0

If there are any further questions feel free to ask. If this answer above is satisfactory to you please mark it as accepted. Thanks!

AWS
answered a year ago
0

Good afternoon,

Thank you for your reply!

The policy attached to the lambda now looks like the following (I added alternative paths):

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:eu-west-1:1234567890:function:jwt-auth-20-1-JWTFunction-2ZRuGs64MgLQ", "Condition": { "ArnLike": { "AWS:SourceArn": [ "arn:aws:execute-api:us-east-1:1234567890:a5osmfbrk7///default", "arn:aws:execute-api:us-east-1:1234567890:a5osmfbrk7///default/*", "arn:aws:execute-api:us-east-1:1234567890:a5osmfbrk7/default/*", "arn:aws:execute-api:us-east-1:1234567890:a5osmfbrk7///*", "arn:aws:execute-api:us-east-1:1234567890:a5osmfbrk7/*" ] } } } ] }

The trust is: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com", "apigateway.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }

The problem still persists.

Regards

answered a year ago
