7
votes

I am using AWS API Gateway with a proxy Lambda, where the name of the Lambda function comes from a stage variable. Meaning I have a single API integration which connects to the appropriate Lambda according to the deployed stage.

When I test one of my stages (called: "staging") everything works fine, but when testing the other stage ("production") I get the error "Execution failed due to configuration error: Invalid permissions on Lambda function".

Things I already tested and verified:
1. Both lambdas which should be invoked by the API work well and as expected when tested from the Lambda dashboard.
2. I've made sure (many times) that I've given permission to the API gateway to invoke my lambda function (i.e. executed "aws lambda add-permission..."). I've validated the policy afterwards many times (i.e. executed "aws lambda get-policy...").

Any idea what else I can check? What might I have forgotten here? Thanks.


3 Answers

5
votes

Permissions to invoke the Lambda function are not automatically created when the Lambda function is specified in a stage variable. You need to do this manually:

    aws lambda add-permission \
      --function-name arn:aws:lambda:eu-west-1:111111111111:function:some-function:default \
      --source-arn arn:aws:execute-api:eu-west-1:111111111111:xxxxxxxxxx/* \
      --principal apigateway.amazonaws.com \
      --statement-id 88b42004-f504-44d5-9adf-d027ee65a890 \
      --action lambda:InvokeFunction

(You need to replace the region, your lambda function name and your account number, as well as the api-gateway ARN in this statement.)
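
One way to check what `aws lambda get-policy` returns against the exact function ARN and the source ARN of a request, added here as an example that is not part of the original answers. The policy document, the Sid and the `/GET/items` path are constructed for illustration, and only the `ArnLike` condition on `AWS:SourceArn` is evaluated.

```python
import json
import re

def _as_list(value):
    return value if isinstance(value, list) else [value]

def arn_like(pattern, arn):
    # IAM ArnLike compares the six colon-delimited ARN components one by one;
    # '*' matches any run of characters and '?' exactly one character.
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != len(a_parts):
        return False
    def to_regex(part):
        return re.escape(part).replace(r"\*", ".*").replace(r"\?", ".")
    return all(re.fullmatch(to_regex(p), a) for p, a in zip(p_parts, a_parts))

def find_invoke_grant(get_policy_output, function_arn, source_arn):
    """Return the Sid of the statement that lets API Gateway invoke
    function_arn for a request with source_arn, or None if none does."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or "apigateway.amazonaws.com" not in services:
            continue
        if "lambda:InvokeFunction" not in _as_list(st.get("Action", [])):
            continue
        # The Resource must be the exact ARN being invoked, qualifier included.
        if function_arn not in _as_list(st.get("Resource", [])):
            continue
        # Only ArnLike on AWS:SourceArn is evaluated here (a simplification).
        patterns = [p for op, keys in st.get("Condition", {}).items() if op.lower() == "arnlike"
                    for key, val in keys.items() if key.lower() == "aws:sourcearn"
                    for p in _as_list(val)]
        if not patterns or any(arn_like(p, source_arn) for p in patterns):
            return st.get("Sid")
    return None

# Constructed sample in the shape `aws lambda get-policy` prints; ARNs reuse the page's placeholders.
FUNCTION_ARN = "arn:aws:lambda:eu-west-1:111111111111:function:some-function:default"
API_ARN = "arn:aws:execute-api:eu-west-1:111111111111:xxxxxxxxxx"
SAMPLE = json.dumps({"Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "constructed-staging-only", "Effect": "Allow",
    "Principal": {"Service": "apigateway.amazonaws.com"},
    "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
    "Condition": {"ArnLike": {"AWS:SourceArn": API_ARN + "/staging/*"}}}]})})

if __name__ == "__main__":
    for stage in ("staging", "production"):
        print(stage, find_invoke_grant(SAMPLE, FUNCTION_ARN, f"{API_ARN}/{stage}/GET/items"))
```

A `None` result for one stage while the other returns a Sid means the statement exists but its source ARN or its function qualifier does not cover that stage's request.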

4
votes

I had the same interesting problem. When you create the API, you might have accidentally entered the name of the Lambda function before creating it. Then, after creating the Lambda, the name will be displayed properly but it will not be connected or granted permissions.

Try:

  1. Delete the Lambda you entered from API Gateway.
  2. Re-enter the desired Lambda function using the dropdown.
  3. If AWS asks you to grant execution permission for the Lambda - BINGO, it should be working now.

0
votes

Couldn't find the reason but found a workaround which solved the problem. Instead of using $stageVariables as the Lambda function name, I explicitly wrote the names of the Lambda functions I will be using, one by one. This way AWS will give permission to the Lambda functions automatically (for each one you explicitly write). After that you can edit the integration back to using stage variables.
