So in AWS I have a lambda that I can execute directly from the console. However, when I execute the API gateway I am getting this error.

{
  "message": "Internal server error"
}


Execution log for request 799250bf-2589-11e9-8e14-6396967e56cf
Thu Jan 31 18:53:19 UTC 2019 : Starting execution for request: 799250bf-2589-11e9-8e14-6396967e56cf
Thu Jan 31 18:53:19 UTC 2019 : HTTP Method: GET, Resource Path: /ComputePi
Thu Jan 31 18:53:19 UTC 2019 : Method request path: {}
Thu Jan 31 18:53:19 UTC 2019 : Method request query string: {}
Thu Jan 31 18:53:19 UTC 2019 : Method request headers: {}
Thu Jan 31 18:53:19 UTC 2019 : Method request body before transformations: 
Thu Jan 31 18:53:19 UTC 2019 : Execution failed due to configuration error: API Gateway does not have permission to assume the provided role arn:aws:iam::061753407487:role/cloudformation-lambda-execution-role
Thu Jan 31 18:53:19 UTC 2019 : Method completed with status: 500

I updated my IAM roles to have access and that still did not work? It looks like it needs to be done in the cloud-formation itself but not sure where?

Here is my SAM file:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Outputs Pi
Resources:
  ComputePi:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs6.10
      CodeUri: ./lambdaCode
      Events:
        MyTimeApi:
          Type: Api
          Properties:
            Path: /ComputePi
            Method: GET

Here is my buildspec:

version: 0.2
phases:
  install:
    commands:
      - aws cloudformation package --template-file samTemplate.yaml --kms-key-id eee5fba0-67fe-4def-b0be-7bb5d9ef38ef --s3-bucket codepipeline-us-east-2-588194207253 --output-template-file outputSamTemplate.yaml
artifacts:
  type: zip
  files:
    - samTemplate.yaml
    - outputSamTemplate.yaml

update:

I have updated my samTemplate to look like this. I am still getting an error.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Outputs Pi
Resources:
  ComputePi:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs6.10
      CodeUri: ./lambdaCode
      Events:
        MyTimeApi:
          Type: Api
          Properties:
            Path: /ComputePi
            Method: GET
  LambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref ComputePi
      Principal: apigateway.amazonaws.com
      SourceArn:
        Fn::Join:
          - ''
          - - 'arn:aws:execute-api:'
            - Ref: AWS::Region
            - ":"
            - Ref: AWS::AccountId
            - ":"
            - Ref: API
            - "/*/*/*"

Error:

Execution log for request 0e2aa0c7-25ba-11e9-9f42-2583dd87218f
Fri Feb 01 00:41:04 UTC 2019 : Starting execution for request: 0e2aa0c7-25ba-11e9-9f42-2583dd87218f
Fri Feb 01 00:41:04 UTC 2019 : HTTP Method: GET, Resource Path: /ComputePi
Fri Feb 01 00:41:04 UTC 2019 : Method request path: {}
Fri Feb 01 00:41:04 UTC 2019 : Method request query string: {}
Fri Feb 01 00:41:04 UTC 2019 : Method request headers: {}
Fri Feb 01 00:41:04 UTC 2019 : Method request body before transformations: 
Fri Feb 01 00:41:04 UTC 2019 : Execution failed due to configuration error: API Gateway does not have permission to assume the provided role arn:aws:iam::061753407487:role/cloudformation-lambda-execution-role
Fri Feb 01 00:41:04 UTC 2019 : Method completed with status: 500

update:

I got it to work after adding the LambdaPermission, deleting my stack, and then changing my response in my lambda code.

let response = {
    "statusCode": 200,
    "headers": {},
    "body": pi * 4,
    "isBase64Encoded": false
};
SPD
  • Possible duplicate of [How can I grant permission to API Gateway to invoke lambda functions through CloudFormation?](https://stackoverflow.com/questions/39905255/how-can-i-grant-permission-to-api-gateway-to-invoke-lambda-functions-through-clo) – bwest Jan 31 '19 at 19:08
  • I also got this to work by deleting the stack and recreating it. I had done some major refactoring and everything seemed to be hooked up correctly, but I kept getting the error about the API not being able to execute the lambda function. Deleting the stack and recreating it solved the issue. – littleforest Mar 30 '23 at 17:26

1 Answer

You need to provide the API gateway with access to "lambda:InvokeFunction". You can attach the following policy to your template:

LambdaPermission:
  Type: "AWS::Lambda::Permission"
  Properties:
    Action: lambda:InvokeFunction
    FunctionName: !Ref YourLambda
    Principal: apigateway.amazonaws.com    
    SourceArn:
      Fn::Join:
      - ''
      - - 'arn:aws:execute-api:'
        - Ref: AWS::Region
        - ":"
        - Ref: AWS::AccountId
        - ":"
        - Ref: YourAPI
        - "/*/*/*"
Deiv
  • I added the LambdaPermission, still gives me the same error? For the FunctionName I used !Ref ComputePi. Is that the correct usage of !Ref? – SPD Feb 01 '19 at 00:41
  • So your solution was part of the solution. I had to delete my stack and change the response in my lambda code. – SPD Feb 01 '19 at 01:37
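
An added example, not code from the question or the answer: a way to check whether a function's resource policy (the `Policy` string returned by `aws lambda get-policy`) lets API Gateway invoke it from a given method ARN, and whether that grant is tied to one API through `SourceArn`. The account ID, API ID and policies are constructed placeholders, and the check is simplified to `Allow` statements with an `ArnLike` condition on `AWS:SourceArn`.

```python
import json
import re

SERVICE = "apigateway.amazonaws.com"

def _glob(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def arn_like(pattern, arn):
    # ArnLike compares the six colon-delimited ARN components one by one.
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(_glob(x, y) for x, y in zip(p, a))

def _listify(v):
    return v if isinstance(v, list) else [v]

def check_invoke(policy_json, method_arn):
    """Return 'unscoped', 'scoped' or 'denied' for a call arriving from method_arn."""
    verdict = "denied"
    for st in _listify(json.loads(policy_json).get("Statement", [])):
        principal = st.get("Principal")
        services = _listify(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _listify(st.get("Action", []))]
        if st.get("Effect") != "Allow" or SERVICE not in services:
            continue
        if not any(_glob(a, "lambda:invokefunction") for a in actions):
            continue
        cond = st.get("Condition", {}).get("ArnLike", {})
        patterns = [p for k, v in cond.items() if k.lower() == "aws:sourcearn" for p in _listify(v)]
        if not patterns:
            return "unscoped"  # no SourceArn: the grant is not tied to one API
        if any(arn_like(p, method_arn) for p in patterns):
            verdict = "scoped"
    return verdict

def make_policy(source_arn=None):
    # Constructed sample in the shape of the Policy string from `aws lambda get-policy`.
    st = {"Sid": "apigw", "Effect": "Allow", "Principal": {"Service": SERVICE},
          "Action": "lambda:InvokeFunction",
          "Resource": "arn:aws:lambda:us-east-2:111122223333:function:ComputePi"}
    if source_arn:
        st["Condition"] = {"ArnLike": {"AWS:SourceArn": source_arn}}
    return json.dumps({"Version": "2012-10-17", "Statement": [st]})

API = "arn:aws:execute-api:us-east-2:111122223333:a1b2c3d4e5"  # placeholder API id
CALL = API + "/Prod/GET/ComputePi"  # api-id/stage/METHOD/path

if __name__ == "__main__":
    for label, src in [("wildcard", API + "/*/*/*"), ("one stage", API + "/Stage/GET/ComputePi"), ("none", None)]:
        print(label, "->", check_invoke(make_policy(src), CALL))
```

A `denied` result for the ARN of the failing request means the permission does not cover that API, stage, method or path; `unscoped` means the permission should be given a `SourceArn` like the one in the answer.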