• Register
1 vote
357 views

Problem :

I am very new to the AWS and the beast. While working on API Gateway to Lambda proxy integration I am facing below error :

Execution failed due to configuration error: Invalid permissions on Lambda function

I have followed the below given setup which I have referred from really well documentation and it does ideally what was needed for me. But while trying to test it on API Gateway console giving me the above mentioned error.

resource "aws_lambda_permission" "apigw" {
    statement_id  = "AllowAPIGatewayInvoke"
    action        = "lambda:InvokeFunction"
    function_name = "${aws_lambda_function.resource_name.arn}"
    principal     = "apigateway.amazonaws.com"
    # The /*/* portion grants access from any method on any resource
    # within the API Gateway "REST API".
    source_arn = "${aws_api_gateway_deployment.resource_name_of_deployment.execution_arn}/*/*"
  }

 

6 5 3
7,540 points

2 Answers

0 votes

Solution :

Few take away from API Gateway Lambda proxy integration as below

The API Gateway is usually deployed in different stages and the ARN for API gateway in stage vs on test console is somewhat different at least that is what I know

As many tutorials and solutions for the problem suggests you to explicitly configure the detailed path as below:

"arn:aws:executeapi:region_name:account_id:${aws_api_gateway_rest_api.api_resource.id}/*/*" 

The configured source with granted access permission for you as below :

 arn:aws:execute-api:region:accountid:fu349z93pa/*/*

For your "${aws_api_gateway_deployment.deployment_rsc_name.execution_arn}"

The configured source with granted access permission is as below :

arn:aws:execute-api:region:accountid:fu349z93pa/stage/*/*

Hope it solves your issues.

9 7 4
38,600 points
0 votes

Solution:

I had a same problem - I deleted then re-installed a lambda function. My API Gateway was still indicating at the old one, so I had to go into the API Gateway and alter my Resource systems to alter the Integration Request setting to point to the new one .

You may have an problem in permission config, that's why API couldn't call your lambda. Attempt to apparently include to template.yaml file invoke permission to your lambda from apigateway as a principal here's a sample below:

ConfigLambdaPermission:
    Type: "AWS::Lambda::Permission"
    DependsOn:
    - MyApiName
    - MyLambdaFunctionName
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref MyLambdaFunctionName
      Principal: apigateway.amazonaws.com

I was having the similar issue however I was deploying through Terraform. Afterwards a suggestion from another user, I reselected my Lambda function in the Integration part of the API Gateway, and then checked what altered in my Lambda permissions. Turns out I required to include a "*" where I was putting the stage name in the source_arn section of the API Gateway trigger in my Lambda resource. Not sure how SAM compares to Terraform however probably you can alter the stage name or only attempt this troubleshooting technique that I attempted.

Similar error, and the solution was easy: clearing and employing the "Lambda Function" mapping again in the integration setting of the API Gateway.

My mapping seems like this: MyFunction-894AR653OJX:test where "test" is the alias to point to the right version of my lambda

The issue was occured by removing the ALIAS "test" on the lambda, and recreating it on another version . It appears that the API gateway internally still connects to the `old' ALIAS instance. You would hope that the match is simply done on name.

Here is what my Lambda function policy JSON seemed like and the terraform:

  "Principal": {
            "Service": "apigateway.amazonaws.com"
          },
          "Action": "lambda:InvokeFunction",
          "Resource": "arn:aws:lambda:us-east-1:999999999999:function:MY-APP",
          "Condition": {
            "ArnLike": {
              "AWS:SourceArn": "arn:aws:execute-api:us-east-1:999999999999:d85kyq3jx3/*/POST/MY-APP"
            }
          }
        }
      ]
    }

    add in a terraform like this:


    //************************************************
    // allows you to read in the ARN and parse out needed info, like region, and account
    //************************************************
    data "aws_arn" "api_gw_deployment_arn" {
        arn = aws_api_gateway_deployment.MY-APP_deployment.execution_arn 
    }

    //************************************************
    // Add in this to support API GW testing in AWS Console.
    //************************************************
    resource "aws_lambda_permission" "apigw-post" {
        statement_id  = "AllowAPIGatewayInvokePOST"
        action        = "lambda:InvokeFunction"
        //function_name = aws_lambda_function.lambda-MY-APP.arn
        function_name = module.lambda.function_name
        principal     = "apigateway.amazonaws.com"

        // "arn:aws:execute-api:us-east-1:473097069755:708lig5xuc/dev/POST1/cloudability-church-ws"
        source_arn = "arn:aws:execute-api:${data.aws_arn.api_gw_deployment_arn.region}:${data.aws_arn.api_gw_deployment_arn.account}:${aws_api_gateway_deployment.MY-APP_deployment.rest_api_id}/*/POST/${var.api_gateway_root_path}"
    }

Employ the API Gateway console

  1. In the API Gateway console, select your API.

  2. In the Resources pane, choose the HTTP system with the Lambda integration.

  3. In the Method Execution pane, select Integration Request.

  4. In the Integration Request pane, for HTTP system, select POST, and then choose the check mark icon (Update).

  5. Deploy your API.

  6. (Optional) Test the HTTP system with the Lambda integration.

Update your AWS CloudFormation template

In case you made your API employing a CloudFormation template, do the following:

  1. Update the template, assign the IntegrationHttpMethod property value to POST.
  2. Update the AWS CloudFormation stack with the template. This employment updates your API.

Update your OpenAPI definition

In case you made your API employing an OpenAPI definition, do the following:

  1. Update the API definition, assign the httpMethod property value to POST. For more information, view x-amazon-apigateway-integration Object and the example Swagger template on the aws-samples GitHub repository.

  2. Update your API by importing the updated API definition file into API Gateway.

10 6 4
31,120 points

Related questions

0 votes
1 answer 303 views
303 views
Problem : I want to set up the hello world example with AWS lambda and serving it through the api gateway. I clicked a "Create a Lambda Function", which set up a api gatway and selected a Blank Function option. I added a lambda function found on AWS ... response { "message": "Internal server error" }. And my logs say "Execution failed due to configuration error: Malformed Lambda proxy response".
asked Jan 22 jwilliam 3.9k points
0 votes
1 answer 466 views
466 views
Problem : I am new to Lambda and want to setup my Lambda to access my Mongo server on one of the EC2 instances in VPC. I tried selecting all the subnets and security groups, but still I am getting the following error while trying to save "You are not authorized to perform: ... very hard to add IAM role to my account. Please let me know what policy/role I need to add for this problem to be fixed?
asked Nov 21, 2019 peterlaw 6.9k points
2 votes
1 answer 29 views
29 views
Problem : I am learning to host my site on IIS. I am facing below error while trying to host my Asp.net site with the IIS. IIS cannot read configuration file due to insufficient permissions . Please find below the current contents of my web.config file: <?xml version ... research on above error but I am still unable to fix the hosting error. I am looking for the help in fixing the hosting error.
asked May 7 stewart 4k points
0 votes
1 answer 122 views
122 views
Problem : Whenever I try to go to my Logs page the following error shows: “There was an error loading Log Streams. Please try again by refreshing this page.” The problem is that there is another function which is identical except my code which is creating the log files no problem. Any suggestions to resolve my issue?
asked Dec 25, 2019 alecxe 7.5k points
0 votes
1 answer 148 views
148 views
Problem : I am having trouble with my website. It has been slowed down a little in last couple of days. I have carefully looked into my error log & found a lots of following logs: [Sat Nov 30 00:09:53 2019] [error] [client 66.249.66.205] Request ... core.c(3126): [client 66.249.66.205] redirected from r->uri = /images/2019/02/600x376_0.076827001313237200_pixnaz_ir_1.jpg How to solve this issue?
asked Nov 30, 2019 alecxe 7.5k points