Reputation: 102
I'm trying to set up a CloudFormation template that will create a Lambda function and an API Gateway that can access it. However, despite setting up the Lambda:InvokeFunction permission as shown below (and trying every permutation under the sun as recommended on other SO questions), I get the message "Execution failed due to configuration error: Invalid permissions on Lambda function".
The only way I can get it to work is if I go into the AWS console and manually un-set and re-set the APIGateway's destination to the lambda.
I've also tried the CLI to no effect:
aws lambda add-permission --function-name $updatedFunction.FunctionName --statement-id "AllowExecutionFromAPIGateway" --action "lambda:InvokeFunction" --principal "apigateway.amazonaws.com" --source-arn $api.StackId
Does anyone have any insight into why these permissions wouldn't work?
...
  "Get": {
    "Type": "AWS::Lambda::Function",
    "Properties": {
      "Code": {
        "S3Bucket": "webapistack-bucket-org0oolyde9v",
        "S3Key": "webapi/webapistack-636349410359047808.zip"
      },
      "Tags": [
        {
          "Value": "SAM",
          "Key": "lambda:createdBy"
        }
      ],
      "MemorySize": 256,
      "Environment": {
        "Variables": {
          "AppS3Bucket": {
            "Fn::If": [
              "CreateS3Bucket",
              {
                "Ref": "Bucket"
              },
              {
                "Ref": "BucketName"
              }
            ]
          }
        }
      },
      "Handler": "webapi::webapi.LambdaEntryPoint::FunctionHandlerAsync",
      "Role": {
        "Fn::GetAtt": [
          "GetRole",
          "Arn"
        ]
      },
      "Timeout": 30,
      "Runtime": "dotnetcore1.0"
    }
  },
  "GetPutResourcePermissionTest": {
    "Type": "AWS::Lambda::Permission",
    "Properties": {
      "Action": "lambda:invokeFunction",
      "Principal": "apigateway.amazonaws.com",
      "FunctionName": {
        "Ref": "Get"
      },
      "SourceArn": {
        "Fn::Sub": [
          "arn:aws:execute-api:WS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/ANY/*",
          {
            "__Stage__": "*",
            "__ApiId__": {
              "Ref": "ServerlessRestApi"
            }
          }
        ]
      }
    }
  },
...
  "ServerlessRestApi": {
    "Type": "AWS::ApiGateway::RestApi",
    "Properties": {
      "Body": {
        "info": {
          "version": "1.0",
          "title": {
            "Ref": "AWS::StackName"
          }
        },
        "paths": {
          "/{proxy+}": {
            "x-amazon-apigateway-any-method": {
              "x-amazon-apigateway-integration": {
                "httpMethod": "POST",
                "type": "aws_proxy",
                "uri": {
                  "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${Get.Arn}/invocations"
                }
              },
              "responses": {
              }
            }
          }
        },
        "swagger": "2.0"
      }
    }
  }
Upvotes: 0
Views: 735
Reputation: 14049
Your AWS::Lambda::Permission seems to be incorrect.
The FunctionName you are referencing is the logical ID; the spec, however, requires the physical ID or ARN.
The SourceArn pattern of the Sub is missing some characters on the Region replacement.
Since I'm not sure whether the "ANY" operation is valid for the ARN, I would replace it with "*", just to be sure.
Here is a changed version of the permission:
  "GetPutResourcePermissionTest": {
    "Type": "AWS::Lambda::Permission",
    "Properties": {
      "Action": "lambda:invokeFunction",
      "Principal": "apigateway.amazonaws.com",
      "FunctionName": {
        "Fn::GetAtt": [ "Get", "Arn" ]
      },
      "SourceArn": {
        "Fn::Sub": [
          "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/*",
          {
            "__Stage__": "*",
            "__ApiId__": {
              "Ref": "ServerlessRestApi"
            }
          }
        ]
      }
    }
  },
Upvotes: 1
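An added check (not code from the question or the answer) for the two SourceArn problems the answer points out: the chopped ${AWS::Region} substitution and the ANY method segment. It expands the Fn::Sub with constructed stand-in values for the region, account and API id (PSEUDO and REFS are assumptions, not the asker's real values) and reports findings; a permission with no SourceArn at all is also flagged, since that would let any API Gateway in any AWS account invoke the function.

```python
import re

# Segments of an execute-api source ARN:
#   arn:partition:execute-api:region:account-id:api-id/stage/http-method/resource-path
ARN_HEAD = re.compile(r"^arn:aws[a-z-]*:execute-api:([a-z0-9-]+|\*):(\d{12}|\*)$")
# API Gateway puts the real HTTP verb in the ARN it invokes with, so "ANY" there matches nothing.
HTTP_METHODS = {"GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "*"}

def resolve_sub(value, pseudo, refs):
    """Expand Fn::Sub (string or [string, {vars}]); an unresolvable ${Name} stays as is."""
    if isinstance(value, dict) and "Fn::Sub" in value:
        value = value["Fn::Sub"]
    template, variables = (value[0], value[1]) if isinstance(value, list) else (value, {})

    def lookup(m):  # the Sub's own vars (strings or {"Ref": ...}) first, then pseudo parameters
        v = variables.get(m.group(1), pseudo.get(m.group(1), m.group(0)))
        return refs.get(v["Ref"], m.group(0)) if isinstance(v, dict) else v
    return re.sub(r"\$\{([^}]+)\}", lookup, template)

def check_api_permission(props, pseudo, refs):
    """Findings for one AWS::Lambda::Permission granting invoke to API Gateway; [] means well-formed."""
    if props.get("Principal") != "apigateway.amazonaws.com":
        return []
    if "SourceArn" not in props:
        return ["no SourceArn: any API in any AWS account could invoke this function"]
    findings, arn = [], resolve_sub(props["SourceArn"], pseudo, refs)
    if "${" in arn or "}" in arn:  # a chopped ${...} leaves a stray brace behind
        findings.append(f"broken substitution in SourceArn: {arn}")
    head, _, resource = arn.rpartition(":")
    if not ARN_HEAD.match(head):
        findings.append(f"region/account part is malformed: {head}")
    parts = resource.split("/", 3)
    if len(parts) != 4:
        findings.append(f"resource part must be api-id/stage/method/path: {resource}")
    elif parts[2] not in HTTP_METHODS:
        findings.append(f"method segment {parts[2]!r} never matches a real request; use '*'")
    return findings

# Constructed stand-ins for the stack's region, account id and API id (assumptions).
PSEUDO = {"AWS::Region": "us-east-1", "AWS::AccountId": "123456789012"}
REFS = {"ServerlessRestApi": "a1b2c3d4e5"}
SUB_VARS = {"__Stage__": "*", "__ApiId__": {"Ref": "ServerlessRestApi"}}
# SourceArn template as posted in the question and as corrected in the answer.
QUESTION_ARN = "arn:aws:execute-api:WS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/ANY/*"
ANSWER_ARN = "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/*"

def findings_for(arn_template):
    """Check a permission whose SourceArn is the given Fn::Sub template."""
    props = {"Principal": "apigateway.amazonaws.com", "SourceArn": {"Fn::Sub": [arn_template, SUB_VARS]}}
    return check_api_permission(props, PSEUDO, REFS)
```

Running findings_for on the question's template reports the stray brace, the malformed region segment and the ANY method; the answer's template comes back clean.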