Pratik Jain

Reputation: 53

How to add a Lambda invoke role to a custom authorizer of API Gateway using the Serverless Framework

I would like to add a Lambda invoke role to a custom authorizer for an API Gateway using the Serverless Framework.

events:
  - http:
      path: controls
      method: GET
      cors: ${self:custom.lambdaCORS}
      authorizer:
        arn: arn:aws:lambda:us-east-1:XYZ:function:SLS-XYZ
        managedExternally: true
        identitySource: method.request.header.x-api-key
        resultTtlInSeconds: 0
        type: request

Can someone help me find the property under authorizer to add a "Lambda invoke role"? I was able to do it manually from the AWS console. I am trying to access an authorizer defined in another region. It seems API Gateway needs a permission to invoke a Lambda authorizer in another region.


Upvotes: 1

Views: 1736

Answers (1)

C Sinclair

Reputation: 186

So the solution I was able to come up with was to add a specific permission to the generated API Gateway CloudFormation template.

The AWS docs outline what the CloudFormation template should look like to add a permission for API Gateway to access a Lambda:

https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-rest-api-lambda-integrations/#To_add_Lambda_invoke_permission_to_a_REST_API_with_a_Lambda_integration_using_a_CloudFormation_template

So if you adapt that and add this block to the bottom of your serverless.yaml you should be able to access the Authorizer referenced by the FunctionName field!

resources:
  Resources:
    InvokeAuthorizerPermission:
      Type: AWS::Lambda::Permission
      Properties:
        Action: "lambda:InvokeFunction"
        FunctionName: ARN_OF_AUTHORIZER
        Principal: "apigateway.amazonaws.com"
        SourceArn: "arn:aws:execute-api:${aws:region}:${aws:accountId}:*/*/*/*"

Hope this helps another lost soul and I smashed my head up against this for a good long while!

Upvotes: 3
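
The `SourceArn` in the answer above leaves the API-id position as `*`, so the permission is not pinned to a single API. As an added example (not the answerer's code and not part of the Serverless Framework), this Python check flags such grants in a template's `Resources` map; the `ApiGatewayRestApi` reference and the `/authorizers/*` suffix in the scoped sample are assumptions.

```python
WILDCARDS = {"*", "?"}  # characters an ArnLike match treats as wildcards

def flatten(value):
    """Render a SourceArn (string, Ref or Fn::Join) as one string."""
    if isinstance(value, str):
        return value
    if "Ref" in value:
        return "${" + value["Ref"] + "}"
    if "Fn::Join" in value:
        sep, parts = value["Fn::Join"]
        return sep.join(flatten(p) for p in parts)
    raise ValueError(f"unsupported SourceArn form: {value!r}")

def finding(props):
    """Classify one permission by the API-id segment of its SourceArn."""
    if "SourceArn" not in props:
        return "missing SourceArn"
    arn = flatten(props["SourceArn"])
    # Split on the last ':' only: placeholders such as ${aws:region} contain
    # colons; assumes the resource part (api-id/...) itself holds none.
    api_id = arn.rsplit(":", 1)[-1].split("/", 1)[0]
    return "wildcard API id" if WILDCARDS & set(api_id) else "ok"

def audit_permissions(resources):
    """Map each API Gateway invoke permission's logical id to a finding."""
    return {name: finding(res["Properties"]) for name, res in resources.items()
            if res.get("Type") == "AWS::Lambda::Permission"
            and res["Properties"].get("Principal") == "apigateway.amazonaws.com"}

def permission(**extra):
    """Constructed AWS::Lambda::Permission resource for the samples below."""
    return {"Type": "AWS::Lambda::Permission", "Properties": {
        "Action": "lambda:InvokeFunction", "FunctionName": "ARN_OF_AUTHORIZER",
        "Principal": "apigateway.amazonaws.com", **extra}}

# Constructed samples: the answer's SourceArn, a scoped variant, and none at all.
# ApiGatewayRestApi and the /authorizers/* suffix are assumptions, not the page's.
SAMPLE = {
    "InvokeAuthorizerPermission": permission(
        SourceArn="arn:aws:execute-api:${aws:region}:${aws:accountId}:*/*/*/*"),
    "ScopedPermission": permission(SourceArn={"Fn::Join": ["", [
        "arn:aws:execute-api:", {"Ref": "AWS::Region"}, ":",
        {"Ref": "AWS::AccountId"}, ":", {"Ref": "ApiGatewayRestApi"},
        "/authorizers/*"]]}),
    "UnscopedPermission": permission(),
}

if __name__ == "__main__":
    print(audit_permissions(SAMPLE))
```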
