Lambda function -> Api Gateway stage variable permission manually

Question

You defined your Lambda function as a stage variable; you must manually give permissions to all the functions you will use. You can do this by running the below AWS CLI command for each function, replacing the stage variable in the function-name parameter with the necessary function name.

aws lambda add-permission --function-name arn:aws:lambda:eu-west-1:12345:function:test${stageVariables.functionAlias} --source-arn arn:aws:execute-api:eu-west-1:12345:dsad667asd/*/GET/test/test --principal apigateway.amazonaws.com --statement-id d5a14508-22bb-4413-87c9-d9715e36435d --action lambda:InvokeFunction

Getting this message and suggestion to run this command , unfortunately it does not work here throwing

zsh: bad substitution

with or without zsh, what I am looking is a way to do this manualy (using aws interface)

thanks!

Answer 1

As of September 2022, I just followed the steps from this post and I can access the env variables through event.stageVariables in the lambda function. No need for any aws-cli manual configuration

Answer 2

When a new function or new function alias is created, a permission must be added to enable the access to the API gateway. The way I do this is during the integration request, I enter the lambda function stage variable like:

${stageVariables.myFunctionName}

I run the command (shown by the console) on the CLI and replace the above variable with this format:

myFunctionName:myAliasName

Notice that if an alias was created, add the alias name after the function name separated by a single ":" colon

Note: You can get the function and alias name from the Lammda>functions > Qualifiers options.

I hope this helps.

Answer 3

What I did to figure this out, is I created the versions I needed, created aliases to each version. In my case I had Production pointing to Version 1, and Development pointing to $LATEST.

On the AWS CLI I changed the ${stageVariables.functionAlias} to the name of the alias, and performed that command for each alias.

I also referenced Using API Gateway Stage Variables. You can also look at the logs in CloudWatch for your endpoint and see which version/alias was called.

Hope this helps.

Answer 4

You need to replace ${stageVariables.functionAlias} to your own lambda function name from the command.

Also, make sure AWS environment variables setup correct in your bash.

It works for me.

Answer 5

Did you leave the "${stageVariables.functionAlias}" in your command? The --function-name parameter of this command needs to a valid fully-qualified or partial lambda function ARN following the pattern of:

(arn:aws:lambda:[region]:[account-id]:function:)[function-name](:[function-alias])

Where region, account-id, function-name and function-alias are substituted as appropriate.

If your function is in the same account and region as the user issuing the command, and you simply want to refer to the $LATEST function version, specifying just the function name would be perfectly valid and save a few keystrokes:

aws lambda add-permission --function-name test --source-arn arn:aws:execute-api:eu-west-1:12345:dsad667asd/*/GET/test/test --principal apigateway.amazonaws.com --statement-id d5a14508-22bb-4413-87c9-d9715e36435d --action lambda:InvokeFunction

See this document on usage of the aws lambda add-permission CLI command: http://docs.aws.amazon.com/cli/latest/reference/lambda/add-permission.html