
I have built a custom authorizer for AWS in .NET Core. When testing it from the API Gateway console I am receiving ResponseCode 500 with this error.

Execution log for request 0566bf99-cfb5-11e8-b203-65db1a667292
Sun Oct 14 13:28:22 UTC 2018 : Starting authorizer: i07xnl for request: 0566bf99-cfb5-11e8-b203-65db1a667292
Sun Oct 14 13:28:22 UTC 2018 : Incoming identity: **ds
Sun Oct 14 13:28:22 UTC 2018 : Endpoint request URI: https://lambda.us-west-2.amazonaws.com/2015-03-31/functions/arn:aws:lambda:us-west-2:278483347755:function:GetPolicy/invocations
Sun Oct 14 13:28:22 UTC 2018 : Endpoint request headers: {x-amzn-lambda-integration-tag=0566bf99-cfb5-11e8-b203-65db1a667292, Authorization=************************************************************************************************************************************************************************************************************************************************************************************************************************4e3e8c, X-Amz-Date=20181014T132822Z, x-amzn-apigateway-api-id=k8ate5przg, X-Amz-Source-Arn=arn:aws:execute-api:us-west-2:278483347755:k8ate5przg/authorizers/i07xnl, Accept=application/json, User-Agent=AmazonAPIGateway_k8ate5przg, X-Amz-Security-Token=FQoGZXIvYXdzEA0aDBDj/T/Y58E+lkgRcyK3A5EXzDygzB0DzIFN36D/LMM0uCMn70NDKnpualhTEKEe8Zj/a6/nSFVwDSmQty8r2b/ezWcJoQCQztPHDiTFFu7I/4vvoGuH6P3REduQn8knZGVkBAOFTi/EIcnLNBoWjWQXrO8BszGKdoykJ3BrTIq+2dbyfOUdIcmCwGGyC/UzGn5B+fkNcSJT94yfemVcfEiuncnx6snRekDYzRZWXW1+ZzxPoMINpykNTYbKCnG5pNzPF7j2xxH7zyfYtmsVaMaq5zBGqT3eGzUonM4k/7FIRwOB6SxRUIHrO/fboa3QW+z7+iQEtqWg7DDO [TRUNCATED]
Sun Oct 14 13:28:22 UTC 2018 : Endpoint request body after transformations: {"type":"TOKEN","methodArn":"arn:aws:execute-api:us-west-2:278483347755:k8ate5przg/ESTestInvoke-stage/GET/","authorizationToken":"sdds"}
Sun Oct 14 13:28:22 UTC 2018 : Sending request to https://lambda.us-west-2.amazonaws.com/2015-03-31/functions/arn:aws:lambda:us-west-2:278483347755:function:GetPolicy/invocations
Sun Oct 14 13:28:24 UTC 2018 : Authorizer result body before parsing: {"Version":"10/14/18","Statement":[{"Effect":"Allow","Action":["apigateway: POST"],"Resource":["arn:aws:lambda:us-west-2:278483347755:function:GetPolicy"]}]}
Sun Oct 14 13:28:24 UTC 2018 : Execution failed due to configuration error: Invalid JSON in response: {"Version":"10/14/18","Statement":[{"Effect":"Allow","Action":["apigateway: POST"],"Resource":["arn:aws:lambda:us-west-2:278483347755:function:GetPolicy"]}]}
Sun Oct 14 13:28:24 UTC 2018 : AuthorizerConfigurationException

The invalid JSON is this:

{
    "Version": "10/14/18",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["apigateway: POST"],
        "Resource": ["arn:aws:lambda:us-west-2:278483347755:function:GetPolicy"]
    }]
}

To me this seems okay. Here, the Action value is taken from the AWS documentation and the Resource is the ARN of my custom authorizer Lambda function.

1 Answer


The response isn't correct for a custom authorisation lambda.

You can see the full details here (https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html); however, for your example you need to return:

{
  "principalId": "user",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Allow",
        "Resource": "arn:aws:execute-api:us-west-2:278483347755:k8ate5przg/ESTestInvoke-stage/GET/"
      }
    ]
  }
}

Specifically you need to nest your policy in a policyDocument key, and the permission you're granting is not to be able to POST to API Gateway, but to be allowed to invoke the function behind the gateway.


2 Comments

I created the JSON as mentioned by you; I did not know the Version is fixed. How can I get details about the version and the Actions for the Lambda method inside the .NET SDK?
Version actually refers to the version of the structure of that policy document object (docs.aws.amazon.com/IAM/latest/UserGuide/…). Everything in that document is an IAM Policy, and so is agnostic to any language-specific SDK. iam.cloudonaut.io provides a really good resource for seeing all the IAM actions and resources, while docs.aws.amazon.com/IAM/latest/UserGuide/… gives details on how to build a policy document.
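The response shape from the answer above, as an added runnable example (Python standing in for the asker's .NET handler, since the format is language-agnostic; this is not code from the question, the answer or the AWS docs): a TOKEN authorizer that fails closed with Deny for unknown tokens, plus a shape check that flags the question's original output. The sample event, the token table and `check_response_shape` are constructed for this example.

```python
# Constructed sample event of the kind API Gateway sends to a TOKEN authorizer;
# methodArn is the one from the question's log, the token value is made up.
SAMPLE_EVENT = {
    "type": "TOKEN",
    "methodArn": "arn:aws:execute-api:us-west-2:278483347755:k8ate5przg/ESTestInvoke-stage/GET/",
    "authorizationToken": "sdds",
}

# The response from the question, kept here for the shape check below.
QUESTION_RESPONSE = {"Version": "10/14/18", "Statement": [{"Effect": "Allow",
    "Action": ["apigateway: POST"], "Resource": ["arn:aws:lambda:us-west-2:278483347755:function:GetPolicy"]}]}

# Hypothetical token table standing in for real verification (JWT signature, introspection, ...).
VALID_TOKENS = {"tok-good-1": "alice"}

def build_policy(principal_id, effect, method_arn):
    """Response shape API Gateway parses: principalId plus an IAM policyDocument."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",  # IAM policy-language version, not a calendar date
            "Statement": [{
                "Action": "execute-api:Invoke",  # right to invoke the API method, not to call Lambda
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
    }

def handler(event, context=None):
    """Lambda entry point: Allow a known token, Deny everything else (fail closed)."""
    principal = VALID_TOKENS.get(event.get("authorizationToken", ""))
    if principal is None:
        return build_policy("anonymous", "Deny", event["methodArn"])
    return build_policy(principal, "Allow", event["methodArn"])

def check_response_shape(resp):
    """Return a list of problems the gateway would reject the response for; empty means OK."""
    problems = []
    if "principalId" not in resp:
        problems.append("missing principalId")
    doc = resp.get("policyDocument")
    if not isinstance(doc, dict):
        return problems + ["missing policyDocument (policy must be nested, not top-level)"]
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for stmt in doc.get("Statement", []):
        actions = [stmt["Action"]] if isinstance(stmt.get("Action"), str) else stmt.get("Action", [])
        if any(a.split(":")[0] != "execute-api" for a in actions):
            problems.append("Action must be an execute-api action")
    return problems
```

If authorizer result caching is enabled, the gateway reuses the cached policy for other methods called with the same token, so a Resource scoped to one methodArn will deny those calls; scope Resource to the set of methods the principal may invoke.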
