Reputation: 2165
I am having a very strange issue. I am using boto3 to create an API Gateway proxy to a Lambda function. I can create the Method in the API Gateway console, and it informs me that the API Gateway will be given permission to invoke the function. This works great.
However, if I create the API Gateway Method using the SDK (lambda.add_permission), I get this exception:
Execution failed due to configuration error: Invalid permissions on Lambda function
I have confirmed that the policy I create is absolutely identical to the one created by the console wizard so I am very confused as to what is happening and why the function cannot be invoked by the API. Here is the permission I am attaching:
{
"Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"default\",\"Statement\":[{\"Sid\":\"1ac63c2c972f3cbdbcf0f4b0038133e2\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"apigateway.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:REGION:ACCOUNT:function:FUNCTION_NAME\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:execute-api:REGION:ACCOUNT:API_ID/*/*/*\"}}}]}"
}
It seems like other people have had similar problems, but these solutions are what I already tried:
https://forums.aws.amazon.com/thread.jspa?threadID=217254&tstart=0
Upvotes: 0
Views: 343
Reputation: 2165
TL;WR: Specify the ARN for the function version when adding permissions to it via the CLI or SDKs.
After a lot of messing with the CLI and API Gateway Console, I was able to figure this out. Since I was updating my Lambda function dynamically, it was creating version numbers every time I updated. When I created the API Gateway request in the Method, I was pointing it to that specific version of the function and then I was updating the latest version's policy instead of that version's policy. In the console wizard, it will not use the version number, and so the policies are correct...
What a pain that was to figure out! It should be better documented!!
Upvotes: 2
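The following is an added example, not code from either post above. It derives the add_permission arguments from the Method's integration URI, so the policy lands on the same version or alias that API Gateway invokes. The helper name permission_kwargs and all sample values are constructed, and it assumes the API and the function share one region and account.

```python
import re

# Lambda integration URI as stored on an API Gateway Method:
# arn:aws:apigateway:REGION:lambda:path/2015-03-31/functions/FUNCTION_ARN/invocations
_URI_RE = re.compile(
    r"^arn:aws:apigateway:[^:]+:lambda:path/2015-03-31/functions/"
    r"(?P<fn>arn:aws:lambda:[^/]+)/invocations$"
)


def permission_kwargs(integration_uri, api_id, statement_id):
    """Build keyword arguments for the boto3 Lambda client's add_permission.

    Hypothetical helper: if the integration targets NAME:QUALIFIER, the
    permission is attached to that qualifier instead of the unqualified
    function, which is the mismatch described in the answer above.
    """
    m = _URI_RE.match(integration_uri)
    if not m:
        raise ValueError("not a Lambda integration URI")
    # arn:aws:lambda:REGION:ACCOUNT:function:NAME[:QUALIFIER]
    parts = m.group("fn").split(":")
    if len(parts) not in (7, 8) or parts[5] != "function":
        raise ValueError("unexpected Lambda function ARN")
    region, account, name = parts[3], parts[4], parts[6]
    kwargs = {
        "FunctionName": name,
        "StatementId": statement_id,
        "Action": "lambda:InvokeFunction",
        "Principal": "apigateway.amazonaws.com",
        # Same pattern as the policy in the question; limits callers to this API.
        "SourceArn": f"arn:aws:execute-api:{region}:{account}:{api_id}/*/*/*",
    }
    if len(parts) == 8:
        kwargs["Qualifier"] = parts[7]  # version number or alias name
    return kwargs


# Constructed sample values (not from the page).
SAMPLE_FN = "arn:aws:lambda:us-east-1:123456789012:function:my-fn"
SAMPLE_URI = ("arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/"
              + SAMPLE_FN + ":7/invocations")

if __name__ == "__main__":
    # With credentials: boto3.client("lambda").add_permission(**kwargs)
    print(permission_kwargs(SAMPLE_URI, "abc123def4", "apigw-invoke-v7"))
```
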