2

I am trying to invoke a Lambda function from an API Gateway. I have followed this tutorial: https://docs.aws.amazon.com/apigateway/latest/developerguide/integrating-api-with-aws-services-lambda.html

However, I get the following error when I test it from the API Gateway web console:

Execution failed due to configuration error: API Gateway does not have permission to assume the provided role

I have searched on Google and I have not been able to solve it (this, for instance).

If I go to the IAM Management Console, I can see that the trust relationship allows API Gateway to assume the role, and the JSON of the trust relationship is the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "apigateway.amazonaws.com",
          "lambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

I have tried also with:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com",
          "apigateway.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}  

The policy of the role is the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}  

What is wrong here? Thank you

Javier Lopez Tomas
  • The error suggests that API Gateway does not have permission to assume the role (you'd see a different error if it could assume the role, but could not invoke the Lambda function). What you've done seems to be sufficient so all I can suggest is that you triple-check things (did you actually add that trust relationship to the correct role, the one configured for the Lambda function, for example, and are you sure that API Gateway is configured to assume the correct role?) – jarmod Apr 11 '19 at 17:30

2 Answers

2

To fix this go to the role in your IAM and select the “Trust Relationships” tab. From here edit the policy and for the Principal Service add in “apigateway.amazonaws.com” as seen below. This will grant the API Gateway the ability to assume roles to run your function in addition to the existing lambda permission.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "apigateway.amazonaws.com",
          "lambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
0

I guess you have not attached the role to the invoking method, i.e. the API Gateway.

Attaching the created role to the API Gateway is needed for the API to execute the Lambda.

Under Execution role, choose Choose an existing role.

Enter the role ARN for the lambda_invoke_function_assume_apigw_role role you created earlier.

Choose Save.

AWS Link

error404
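An added example, not part of either answer or of any AWS tooling: an offline check of a role's trust policy document for whether a service principal such as apigateway.amazonaws.com is allowed to call sts:AssumeRole, the condition the error message and the first answer are about. It is a simplified evaluation that assumes no NotAction or NotPrincipal elements and only flags Condition blocks for manual review; the function and constant names are hypothetical.

```python
import json
from fnmatch import fnmatchcase

# Constructed copy of the trust policy shown in the question.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": ["apigateway.amazonaws.com", "lambda.amazonaws.com"]},
    "Action": "sts:AssumeRole"}]}
# Constructed sample: a role that only Lambda may assume (single-object Statement form).
LAMBDA_ONLY = ('{"Version": "2012-10-17", "Statement": {"Effect": "Allow", '
               '"Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}}')

def _as_list(value):
    """IAM accepts a single value wherever it accepts a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, service):
    # Action names are case-insensitive and may use * and ? wildcards.
    action_ok = any(fnmatchcase(action.lower(), str(p).lower())
                    for p in _as_list(stmt.get("Action")))
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    return action_ok and service in services

def service_can_assume(trust_policy, service):
    """Return (allowed, notes) for `service` calling sts:AssumeRole on the role."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    allowed, notes = False, []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if not _matches(stmt, "sts:AssumeRole", service):
            continue
        if stmt.get("Effect") == "Deny":
            # Simplification: any matching Deny is treated as final, even if conditional.
            return False, [f"statement {i}: explicit Deny"]
        if stmt.get("Effect") == "Allow":
            allowed = True
            if "Condition" in stmt:
                notes.append(f"statement {i}: Allow is conditional, review Condition")
    if not allowed:
        notes.append(f"no Allow statement names {service} for sts:AssumeRole")
    return allowed, notes

if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("lambda-only", LAMBDA_ONLY)):
        print(name, service_can_assume(policy, "apigateway.amazonaws.com"))
```

If this reports the principal as allowed and the error persists, the remaining thing to verify is the one the comment and the second answer point at: that the role ARN configured on the API Gateway integration is the role carrying this trust policy.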