
I have a simple AWS::IAM::Role defined in my CloudFormation template. Its role is to allow APIGateway to call my lambda functions.

However, during my sam deploy I get the following:

    CREATE_FAILED  AWS::IAM::Role  InvokeHelloWorldFunctionRole  Invalid service prefix for action 'sts.AssumeRole' (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 710ffdba-254f-4330-a19e-4b0d14c9a3cf; Proxy: null)

The resource definition in the template is as follows:

  InvokeHelloWorldFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: varun-helloWorldLambdaRole
      Tags:
        - Key: created-by
          Value: VarunGawande
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
              - apigateway.amazonaws.com
          Action:
            - sts.AssumeRole
      Path: /
      Policies:
        - PolicyName: InvokeHelloWorldLambda
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                Resource: !GetAtt HelloWorldFunction.Arn

I used a template from here.

Hope someone can point me in the right direction.

Varun Gawande
  • Api Gateway does not assume a role. You need to add a permission to the lambda itself (not the lambda role but the lambda function) to allow the apigateway.amazonaws.com to invoke the function. – luk2302 Feb 11 '22 at 15:45
  • You mean `ApiGateway.amazonaws.com` cannot be allowed the action `lambda:InvokeFunction` then what is happening [here](https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-lambda-stage-variable-500/)? – Varun Gawande Feb 11 '22 at 15:49
    "The following is an example resource-based policy that grants invoke permission to API Gateway". It does exactly what I recommend. It grants the api gateway the permission but grants the permission on the lambda directly. Api gateway does not assume a role to invoke a lambda. Apart from that I just realized you have `sts.assumeRole` instead of `sts:assumeRole`, that is the actual cause of the error. – luk2302 Feb 11 '22 at 15:51
  • Haha, that helped. And I did take your feedback into account. I provided the permission the `AWS::Lambda::Permission` way. Unfortunately, when testing I get hit with an error code 500. – Varun Gawande Feb 11 '22 at 16:09
  • If you're using AWS SAM then a lot of this is hidden from you if you use AWS::Serverless::Function. – jarmod Feb 11 '22 at 16:35
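The two points raised in the comments, written out as a corrected template fragment. This is an added illustration, not code from the question or from the linked AWS page; it assumes a `HelloWorldFunction` Lambda and a REST API named `HelloWorldApi` are defined elsewhere in the same template, and that the method being exposed is `GET /hello`.

```yaml
# Added example (not from the original question). Assumes two resources defined
# elsewhere in the template: HelloWorldFunction (the Lambda function) and
# HelloWorldApi (an AWS::ApiGateway::RestApi or AWS::Serverless::Api).
Resources:
  # Trust policy with the MalformedPolicyDocument error fixed: IAM actions are
  # written "<service prefix>:<Action>", so the separator is a colon, not a dot.
  InvokeHelloWorldFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: varun-helloWorldLambdaRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - apigateway.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: InvokeHelloWorldLambda
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                Resource: !GetAtt HelloWorldFunction.Arn

  # Resource-based permission on the function itself. This, not the role, is
  # what lets API Gateway call the function for a Lambda integration.
  # SourceArn limits the grant to one method of one API in this account, so an
  # API Gateway deployment elsewhere cannot use the same principal to invoke it.
  # "/*/GET/hello" = any stage, GET method, /hello path (assumed for the example).
  HelloWorldApiInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref HelloWorldFunction
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:${HelloWorldApi}/*/GET/hello
```

As the first comment notes, API Gateway does not assume a role for a Lambda integration, so with the permission in place the role above only matters if you attach it to the integration explicitly; it is kept here to show the corrected action syntax.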
