16

To start off with, I am pretty new to AWS. I started with a pretty basic API Gateway + Lambda integration. Below are my use cases.

  1. Created a Lambda proxy integration request with API Gateway, a GET request which outputs the addition of 2 numbers passed through query parameters. Now if I access this API Gateway endpoint I am getting the desired result.

  2. Now I have created a custom authorizer, which is in turn a call to another Lambda. So a request will be validated by the authorizer Lambda prior to hitting the API Gateway endpoint. In this case the authorizer is not invoked at all.

I have enabled CloudWatch logs for API Gateway & Lambda, so below are the issues I am facing:

  1. CloudWatch logs for the API Gateway endpoint do not show the call to the custom authorizer Lambda.

  2. Logs for the endpoint Lambda are seen correctly in the Lambda group, but I am unable to see the same for the authorizer Lambda.

I have followed the AWS documentation below, but nothing seems to help.

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-api-as-simple-proxy-for-lambda.html

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html

Below is the API Gateway config. The authorizer is configured with a header token called 'Authorization'; the consumer of the API should provide the Authorization token while calling the endpoint, which is supposed to be validated by the authorizer.


API Gateway Logs - Lambda configured was called directly without invoking Authorizer.


Robert Harvey
Amit
  • What does your code look like? – Robert Harvey Sep 28 '18 at 06:28
  • @RobertHarvey - I have updated the post with the API Gateway config; it's basically simple token validation code in the authorizer Lambda. But I am unable to find the logs that invoke the authorizer, before figuring out the code. Thanks in advance. – Amit Sep 28 '18 at 08:13
  • Did you have a look at the "poc-simple-authorizer" lambda function logs to confirm that it's not being invoked? – Rajesh Sep 28 '18 at 08:52
  • @Rajesh - As I have stated in #2, the execution log for "poc-simple-authorizer" is not logged. When I call the API Gateway endpoint, neither in Gateway logs nor individual authorizer lambda function logs. – Amit Sep 28 '18 at 09:13
  • Hope this helps : https://stackoverflow.com/questions/39921456/aws-api-gateway-cutom-authorizer-not-running – Rajesh Sep 28 '18 at 14:25
  • If the authorizer logs are not visible then the preliminary question I have is - have you deployed the API after you made changes with the authorizer? – Anup Chaudhari Oct 05 '18 at 11:18

4 Answers

11

As mentioned by @Anup in the comments, you probably need to re-deploy the stage for the changes to take effect.

In my case I set up everything in Terraform and couldn't figure out why the custom authenticator wasn't being called.

After adding variables to the deployment to trigger a redeployment, the custom authenticator was properly called as expected.

monkut
  • This saved me again today. – monkut Aug 14 '19 at 00:41
  • In case someone else struggles like I did to find out how to redeploy: click on API, then Resources (first link in the API, just above the Stages link), and then from the Actions dropdown at the top, choose the Deploy API option. – dillip May 18 '21 at 17:06
2

Make sure your lambda and gateway authorizer are correctly configured. A couple suggestions:

  • Verify if your lambda has the API gateway trigger. The trigger is created automatically when you assign your authorizer to a valid lambda function in the API gateway authorizer settings.

  • Verify if your lambda has a valid handler. The current assigned handler can be seen in your lambda's configuration page.

  • Make sure the Method Request Authorization of your resource is set to the correct authorizer

  • Deploy the gateway to guarantee the current API stage is using the displayed settings.

Even if your authorizer code doesn't work properly you should at least see an execution log in CloudWatch.

  • Beyond the points in this answer, check if your authorizer is not configured with an Identity Source. If you've configured one and don't pass this information in the request, APIGW will return a 401 error without invoking the lambda authorizer. – Rafael Trestini Feb 09 '21 at 03:01
1

I ran into the same issue when setting up a token authorizer with "Cookie" as IdentitySource.

AWS API Gateway does a syntax check for the "Cookie" header and if the syntax is invalid, the request gets denied without any real logs or calling the authorizer. I assume the same could be the case for other headers.

Solution: Use a proper cookie syntax, e.g.

<cookieName>=<cookieValue>;SameSite=Strict;HttpOnly;Max-Age=3000;Path=/;Secure

Rohit Gupta
Pasqual
0

Just managed to solve the same problem. The request invokes the authorizer sometimes, but sometimes not.

When you create a custom authorizer, it automatically turns on the authorization caching. The default TTL is 300s.

https://docs.aws.amazon.com/apigateway/latest/developerguide/configure-api-gateway-lambda-authorization-with-console.html
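
The causes raised across the answers and comments above (method not bound to the authorizer, stage not redeployed, missing identity source header, result caching) can be checked in one pass. The following is an added example, not code from the original thread: `diagnose` is a hypothetical helper that takes dicts shaped like the boto3 `apigateway` `get_method()` and `get_authorizer()` responses, and the sample values and the two caller-supplied timestamps are constructed assumptions.

```python
from datetime import datetime, timezone

def diagnose(method, authorizer, request_headers, stage_deployed_at, config_changed_at):
    """Return reasons a Lambda authorizer may be skipped for one request.

    method / authorizer are dicts shaped like the boto3 apigateway
    get_method() and get_authorizer() responses. Both timestamps are
    supplied by the caller (assumption: the stage deployment's creation
    time and the time of the last authorizer or method edit).
    """
    findings = []
    # 1. The method must reference this authorizer (Method Request > Authorization).
    auth_type = method.get("authorizationType")
    if auth_type != "CUSTOM":
        findings.append("method authorizationType is %r, not CUSTOM" % auth_type)
    elif method.get("authorizerId") != authorizer.get("id"):
        findings.append("method points at a different authorizerId")
    # 2. Edits only reach callers after the stage is deployed again.
    if stage_deployed_at < config_changed_at:
        findings.append("stage was deployed before the last change; redeploy the API")
    # 3. A missing identity source header yields 401 without invoking the Lambda.
    prefix = "method.request.header."
    sent = {name.lower() for name in request_headers}
    for source in authorizer.get("identitySource", "").split(","):
        source = source.strip()
        if source.startswith(prefix) and source[len(prefix):].lower() not in sent:
            findings.append("request lacks identity source header %r" % source[len(prefix):])
    # 4. Cached policies are reused for the TTL, so repeat tokens skip the Lambda.
    ttl = authorizer.get("authorizerResultTtlInSeconds", 300)
    if ttl > 0:
        findings.append("result caching on (TTL %ds); repeat tokens skip the Lambda" % ttl)
    return findings

# Constructed sample data, not taken from the question's account.
SAMPLE_METHOD = {"httpMethod": "GET", "authorizationType": "NONE"}
SAMPLE_AUTHORIZER = {
    "id": "abc123", "name": "poc-simple-authorizer", "type": "TOKEN",
    "identitySource": "method.request.header.Authorization",
    "authorizerResultTtlInSeconds": 300,
}
DEPLOYED = datetime(2018, 9, 27, 12, 0, tzinfo=timezone.utc)
CHANGED = datetime(2018, 9, 28, 6, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for line in diagnose(SAMPLE_METHOD, SAMPLE_AUTHORIZER, {"Accept": "*/*"}, DEPLOYED, CHANGED):
        print("-", line)
```

An empty list means none of these four conditions applies; setting the TTL to 0 while debugging makes every request reach the authorizer Lambda so its CloudWatch log group shows each call.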