So in AWS I have a lambda that I can execute directly from the console. However, when I execute the API gateway, I am getting this error.

{
  "message": "Internal server error"
}


Execution log for request 799250bf-2589-11e9-8e14-6396967e56cf
Thu Jan 31 18:53:19 UTC 2019 : Starting execution for request: 799250bf-2589-11e9-8e14-6396967e56cf
Thu Jan 31 18:53:19 UTC 2019 : HTTP Method: GET, Resource Path: /ComputePi
Thu Jan 31 18:53:19 UTC 2019 : Method request path: {}
Thu Jan 31 18:53:19 UTC 2019 : Method request query string: {}
Thu Jan 31 18:53:19 UTC 2019 : Method request headers: {}
Thu Jan 31 18:53:19 UTC 2019 : Method request body before transformations: 
Thu Jan 31 18:53:19 UTC 2019 : Execution failed due to configuration error: API Gateway does not have permission to assume the provided role arn:aws:iam::061753407487:role/cloudformation-lambda-execution-role
Thu Jan 31 18:53:19 UTC 2019 : Method completed with status: 500

I updated my IAM roles to have access and that still did not work? It looks like it needs to be done in the CloudFormation itself, but I'm not sure where?

Here is my SAM file:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Outputs Pi
Resources:
  ComputePi:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs6.10
      CodeUri: ./lambdaCode
      Events:
        MyTimeApi:
          Type: Api
          Properties:
            Path: /ComputePi
            Method: GET

Here is my buildspec:

version: 0.2
phases:
  install:
    commands:
      - aws cloudformation package --template-file samTemplate.yaml --kms-key-id eee5fba0-67fe-4def-b0be-7bb5d9ef38ef --s3-bucket codepipeline-us-east-2-588194207253 --output-template-file outputSamTemplate.yaml
artifacts:
  type: zip
  files:
    - samTemplate.yaml
    - outputSamTemplate.yaml

update:

I have updated my samTemplate to look like this. I am still getting an error.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Outputs Pi
Resources:
  ComputePi:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs6.10
      CodeUri: ./lambdaCode
      Events:
        MyTimeApi:
          Type: Api
          Properties:
            Path: /ComputePi
            Method: GET
  LambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref ComputePi
      Principal: apigateway.amazonaws.com
      SourceArn:
        Fn::Join:
          - ''
          - - 'arn:aws:execute-api:'
            - Ref: AWS::Region
            - ":"
            - Ref: AWS::AccountId
            - ":"
            - Ref: API
            - "/*/*/*"

Error:

Execution log for request 0e2aa0c7-25ba-11e9-9f42-2583dd87218f
Fri Feb 01 00:41:04 UTC 2019 : Starting execution for request: 0e2aa0c7-25ba-11e9-9f42-2583dd87218f
Fri Feb 01 00:41:04 UTC 2019 : HTTP Method: GET, Resource Path: /ComputePi
Fri Feb 01 00:41:04 UTC 2019 : Method request path: {}
Fri Feb 01 00:41:04 UTC 2019 : Method request query string: {}
Fri Feb 01 00:41:04 UTC 2019 : Method request headers: {}
Fri Feb 01 00:41:04 UTC 2019 : Method request body before transformations: 
Fri Feb 01 00:41:04 UTC 2019 : Execution failed due to configuration error: API Gateway does not have permission to assume the provided role arn:aws:iam::061753407487:role/cloudformation-lambda-execution-role
Fri Feb 01 00:41:04 UTC 2019 : Method completed with status: 500

update:

I got it to work after adding the LambdaPermission, deleting my stack, and then changing my response in my lambda code.

let response = {
    "statusCode": 200,
    "headers": {},
    "body": pi * 4,
    "isBase64Encoded": false
};
  • Possible duplicate of How can I grant permission to API Gateway to invoke lambda functions through CloudFormation? Commented Jan 31, 2019 at 19:08
  • I also got this to work by deleting the stack and recreating it. I had done some major refactoring and everything seemed to be hooked up correctly, but I kept getting the error about the API not being able to execute the lambda function. Deleting the stack and recreating it solved the issue. Commented Mar 30, 2023 at 17:26

1 Answer

You need to provide the API gateway with access to "lambda:InvokeFunction". You can attach the following policy to your template:

LambdaPermission:
  Type: "AWS::Lambda::Permission"
  Properties:
    Action: lambda:InvokeFunction
    FunctionName: !Ref YourLambda
    Principal: apigateway.amazonaws.com    
    SourceArn:
      Fn::Join:
      - ''
      - - 'arn:aws:execute-api:'
        - Ref: AWS::Region
        - ":"
        - Ref: AWS::AccountId
        - ":"
        - Ref: YourAPI
        - "/*/*/*"

2 Comments

I added the LambdaPermission, still gives me the same error? For the FunctionName I used !Ref ComputePi. Is that the correct usage of !Ref?
So your solution was part of the solution. I had to delete my stack and change the response in my lambda code.
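
The `SourceArn` on the `LambdaPermission` discussed above is what limits which API may invoke the function; a permission for `apigateway.amazonaws.com` with no source condition can be used by any API Gateway API, including one in another account. As an added example (not part of the original question or answer), this Python script rates each API Gateway statement in a function's resource policy by how tightly its `aws:SourceArn` is pinned. The account id, the API id `abc123`, the function ARN and the rating names are constructed for illustration.

```python
import json

APIGW = "apigateway.amazonaws.com"
ORDER = ["unscoped", "unparsed", "any-api", "any-route", "scoped"]  # widest grant first

def classify(arn):
    """Rate an execute-api SourceArn: arn:aws:execute-api:region:account:api/stage/method/path."""
    if arn is None:
        return "unscoped"                      # no source condition at all
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "execute-api":
        return "unparsed"
    api_id, _, route = parts[5].partition("/")
    if "*" in parts[3] + parts[4] + api_id:
        return "any-api"                       # region, account or API id is a wildcard
    segs = route.split("/", 2)                 # stage, method, path
    if len(segs) < 3 or segs[1] == "*" or segs[2].startswith("*"):
        return "any-route"                     # one API, but every method/path (the /*/*/* form)
    return "scoped"

def source_arns(stmt):
    """Collect aws:SourceArn values from any condition operator (the key is case-insensitive)."""
    found = []
    for keys in stmt.get("Condition", {}).values():
        for key, value in keys.items():
            if key.lower() == "aws:sourcearn":
                found += [value] if isinstance(value, str) else list(value)
    return found or [None]

def audit(policy_json):
    """Map the Sid of each Allow statement for API Gateway to its widest SourceArn rating."""
    result = {}
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        svc = principal.get("Service", []) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and APIGW in ([svc] if isinstance(svc, str) else svc):
            result[stmt.get("Sid", "?")] = min(map(classify, source_arns(stmt)), key=ORDER.index)
    return result

# Constructed sample policy (placeholder account, API id and function ARN, not from the page).
FN_ARN = "arn:aws:lambda:us-east-2:111122223333:function:ComputePi"
BASE = "arn:aws:execute-api:us-east-2:111122223333:"
def _stmt(sid, arn=None):
    cond = {"Condition": {"ArnLike": {"AWS:SourceArn": arn}}} if arn else {}
    return {"Sid": sid, "Effect": "Allow", "Principal": {"Service": APIGW},
            "Action": "lambda:InvokeFunction", "Resource": FN_ARN, **cond}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    _stmt("one-route", BASE + "abc123/*/GET/ComputePi"),
    _stmt("page-form", BASE + "abc123/*/*/*"),
    _stmt("any-api", BASE + "*/*/*/*"), _stmt("open")]})
```

To run it against a deployed function, pass `audit()` the policy string printed by `aws lambda get-policy --function-name <name> --query Policy --output text`.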
