AWS API Gateway Custom Authorizer not invoked

Question

To start off with, i am pretty new to AWS. Started with pretty basic API Gateway + Lambda integration. Below are my use cases.

1. Created a Lambda proxy Integration request with API Gateway, GET request which outputs the addition of 2 numbers passed through query parameters. Now if i access this API Gateway endpoint I am getting the desired result.

2. Now I have created custom authorizer, which is in turn a call to another lambda. So a request will be validated by authorizer lambda prior hitting API Gateway endpoint. In this case authorizer is not invoked at all.

I have enabled Cloudwatch logs for API gateway & lambda, so below are issues i am facing,

1. Cloudwatch logs to API Gateway end point does not show the call to custom authorizer lambda.

2. Logs to end point lambda is seen correctly in lambda group, but unable to see the same for authorizer lambda.

I have followed the below AWS documentation nothing seems to help.

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-api-as-simple-proxy-for-lambda.html

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html

Below is the API Gateway config. The authorizer configured is having a header token called 'Authorization', consumer of the API should provide the Authorization token while calling the endpoint, which is supposed to validated by Authorizer.

API Gateway Logs - Lambda configured was called directly without invoking Authorizer.

Answer 1

API gateway pre filters if request is coming with a token or not.If there's a Authorisation token present, then only it sends to lambda.

Make sure Authorization token is present in your request.

Answer 2

I ran into the same issue when setting up a token authorizer with "Cookie" as IdentitySource.

AWS Api Gateway does a syntax check for "Cookie" header and if the syntax is invalid, the request gets denied without any real logs or calling the authorizer. I assume the same could be the case for other headers.

Solution: Use a proper cookie syntax, e.g.

<cookieName>=<cookieValue>;SameSite=Strict;HttpOnly;Max-Age=3000;Path=/;Secure

Answer 3

Just managed to solve the same problem. The request invoke authorizer sometimes but sometimes not.

When you create a custom authorizer, it automatically turns on the authorization caching. The default TTL is 300s.

https://docs.aws.amazon.com/apigateway/latest/developerguide/configure-api-gateway-lambda-authorization-with-console.html

Answer 4

Make sure your lambda and gateway authorizer are correctly configured. A couple suggestions:

• Verify if your lambda has the API gateway trigger. The trigger is created automatically when you assign your authorizer to a valid lambda function in the API gateway authorizer settings.

• Verify if your lambda has a valid handler. The current assigned handler can be seen in your lambda's configuration page.

• Make sure the Method Request Authorization of your resource is set to the correct authorizer

• Deploy the gateway to guarantee the current API stage is using the displayed settings.

Even if your authorizer code doesn't work properly you should at least see an execution log in CloudWatch.

Answer 5

As mentioned by @Anup in the comments, you probably need to re-deploy the stage for the changes to take effect.

In my case I setup everything in terraform and couldn't figure out why the custom authenticater wasn't being called.

After adding variables to the deployment to trigger a redeployment, the custom authenticater was properly called as expected.