How do I troubleshoot permissions errors from API Gateway HTTP APIs with a Lambda integration or Lambda authorizer?


When I try to invoke my AWS Lambda function with an API Gateway HTTP API, I get an "Internal Server Error" message. In my Amazon CloudWatch Logs, I see either a "doesn't have permissions to call the integration" or "doesn't have permissions to call the authorizer" error.

Short description

If an API Gateway HTTP API tries to invoke a Lambda function without Lambda invoke permission, then API Gateway returns an "Internal Server Error" message. If you activated CloudWatch logging for your HTTP API, then API Gateway also logs one of the following error messages in your access logs:

  • For HTTP APIs with a Lambda integration: "integrationError": "The IAM role configured on the integration or API Gateway doesn't have permissions to call the integration. Check the permissions and try again."
  • For HTTP APIs with a Lambda authorizer: "authorizerError": "The IAM role configured on the authorizer or API Gateway doesn't have permissions to call the authorizer. Check the permissions and try again."

To resolve these errors, take one of the following actions:

Use the API Gateway console or AWS Command Line Interface (AWS CLI) to add a resource-based Lambda invoke permission to your HTTP API.

-or-

Configure an AWS Identity and Access Management (IAM) execution role that grants your HTTP API permission to invoke your function. For more information, see API Gateway permissions model for invoking an API.

For more information on troubleshooting errors when using Lambda integrations with HTTP APIs, see Troubleshooting issues with HTTP API Lambda integrations.

Resolution

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent AWS CLI version.

Use the API Gateway console to add Lambda invoke permission to an HTTP API with a Lambda integration

  1. Open the API Gateway console.
  2. On the APIs pane, choose the name of your HTTP API.
  3. In the left navigation pane, choose Integrations.
  4. Choose Manage integration.
  5. Find the name of your Lambda integration, and then choose the Edit button next to the name of your Lambda integration.
  6. For Invoke permissions, choose Grant API Gateway permission to invoke your Lambda function.
    Or, provide the IAM role ARN that API Gateway can use to invoke the Lambda function.
  7. Choose Save, and then choose Deploy the API to add the Lambda invoke permission to your API.

Use AWS CLI to add Lambda invoke permission to an HTTP API with a Lambda integration

Run the following add-permission AWS CLI command:

aws lambda add-permission \
  --function-name "$YOUR_FUNCTION_ARN" \
  --source-arn "arn:aws:execute-api:$API_GW_REGION:$YOUR_ACCOUNT:$API_GW_ID/*/$METHOD/$RESOURCE" \
  --principal apigateway.amazonaws.com \
  --statement-id "$STATEMENT_ID" \
  --action lambda:InvokeFunction

Note: Replace the function-name value with your Lambda function's ARN. Replace the source-arn value with the source ARN of your API. Replace the statement-id value with a statement identifier that differentiates the statement from others in the same policy.

Use the API Gateway console to add Lambda invoke permission to an HTTP API with a Lambda authorizer

  1. Open the API Gateway console.
  2. On the APIs pane, choose the name of your HTTP API.
  3. In the left navigation pane, choose Authorization.
  4. Choose Manage authorization.
  5. Find the name of your Lambda authorizer, and then choose the Edit button next to the name of your Lambda authorizer.
  6. For Invoke permissions, choose Automatically grant API Gateway permission to invoke your Lambda function.
    Or, provide the IAM role ARN that API Gateway can use to invoke the Lambda function.
  7. Choose Save, and then choose Deploy the API to add the Lambda invoke permission to your API.

Use AWS CLI to add Lambda invoke permission to an HTTP API with a Lambda authorizer

Run the following add-permission AWS CLI command:

aws lambda add-permission \
  --function-name "$YOUR_FUNCTION_ARN" \
  --source-arn "arn:aws:execute-api:$API_GW_REGION:$YOUR_ACCOUNT:$API_GW_ID/authorizers/$AUTHORIZER_ID" \
  --principal apigateway.amazonaws.com \
  --statement-id "$STATEMENT_ID" \
  --action lambda:InvokeFunction

Note: Replace the function-name value with your Lambda function's ARN. Replace the source-arn value with the source ARN of your API. Replace the statement-id value with a statement identifier that differentiates the statement from others in the same policy.
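Both add-permission commands above write a statement into the Lambda function's resource-based policy whose aws:SourceArn condition must match the ARN API Gateway presents when it invokes the function. The following script, an added example that is not part of the AWS article, shows how to check a function policy for that grant offline, using IAM's ArnLike matching rules (each colon-separated ARN field matched separately, with * and ? wildcards). It embeds a constructed stand-in for `aws lambda get-policy` output with placeholder account, region, API and authorizer IDs; in practice you would load the real output with the CLI or boto3's get_policy. The helper names (integration_source_arn, authorizer_source_arn, allowing_statement, add_permission_command) are this example's own.

```python
"""Offline check of a Lambda resource-based policy for the API Gateway invoke
permission described in the article (integration route or Lambda authorizer)."""
import fnmatch
import json

APIGW_PRINCIPAL = "apigateway.amazonaws.com"
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:my-function"  # placeholder

# Constructed stand-in for `aws lambda get-policy` output: "Policy" is a JSON
# string, as the real command returns it. IDs below are placeholders.
SAMPLE_GET_POLICY = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {   # stage is '*', as in the article's --source-arn for an integration
                "Sid": "AllowGetItemsRoute", "Effect": "Allow",
                "Principal": {"Service": APIGW_PRINCIPAL},
                "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
                "Condition": {"ArnLike": {"AWS:SourceArn":
                    "arn:aws:execute-api:us-east-1:123456789012:abcd1234/*/GET/items"}},
            },
            {   # authorizer form of the source ARN, as in the article's second command
                "Sid": "AllowAuthorizer", "Effect": "Allow",
                "Principal": {"Service": APIGW_PRINCIPAL},
                "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
                "Condition": {"ArnLike": {"AWS:SourceArn":
                    "arn:aws:execute-api:us-east-1:123456789012:abcd1234/authorizers/auth5678"}},
            },
        ],
    }),
    "RevisionId": "constructed",
}


def integration_source_arn(region, account, api_id, method, resource):
    """Source ARN pattern the article uses for a Lambda integration route."""
    return f"arn:aws:execute-api:{region}:{account}:{api_id}/*/{method}/{resource.lstrip('/')}"


def authorizer_source_arn(region, account, api_id, authorizer_id):
    """Source ARN the article uses for a Lambda authorizer."""
    return f"arn:aws:execute-api:{region}:{account}:{api_id}/authorizers/{authorizer_id}"


def arn_like(pattern, arn):
    """IAM ArnLike: the six colon-separated fields are matched one by one,
    case-sensitively, each allowing '*' and '?' wildcards."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowing_statement(get_policy_output, source_arn):
    """Return the Sid of the first Allow statement that lets API Gateway invoke
    the function from source_arn, or None if no statement grants it."""
    policy = json.loads(get_policy_output["Policy"])
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or APIGW_PRINCIPAL not in services:
            continue
        if not any(fnmatch.fnmatchcase("lambda:InvokeFunction", a)
                   for a in _as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {})
        like = [v for k, vs in cond.get("ArnLike", {}).items()
                if k.lower() == "aws:sourcearn" for v in _as_list(vs)]
        equal = [v for k, vs in cond.get("ArnEquals", {}).items()
                 if k.lower() == "aws:sourcearn" for v in _as_list(vs)]
        if not (like or equal):            # no SourceArn condition: any API may invoke
            return stmt.get("Sid")
        if any(arn_like(p, source_arn) for p in like) or source_arn in equal:
            return stmt.get("Sid")
    return None


def add_permission_command(function_arn, source_arn, statement_id):
    """The article's AWS CLI remediation, rendered for the given source ARN."""
    return ("aws lambda add-permission "
            f'--function-name "{function_arn}" --source-arn "{source_arn}" '
            f"--principal {APIGW_PRINCIPAL} --statement-id \"{statement_id}\" "
            "--action lambda:InvokeFunction")


if __name__ == "__main__":
    region, account, api_id = "us-east-1", "123456789012", "abcd1234"
    checks = [  # (runtime source ARN presented by API Gateway, pattern to grant if missing)
        (f"arn:aws:execute-api:{region}:{account}:{api_id}/prod/GET/items",
         integration_source_arn(region, account, api_id, "GET", "/items")),
        (f"arn:aws:execute-api:{region}:{account}:{api_id}/prod/POST/items",
         integration_source_arn(region, account, api_id, "POST", "/items")),
        (authorizer_source_arn(region, account, api_id, "auth5678"),) * 2,
    ]
    for runtime_arn, grant_pattern in checks:
        sid = allowing_statement(SAMPLE_GET_POLICY, runtime_arn)
        print(f"{runtime_arn}\n  -> " + (f"allowed by statement {sid}" if sid else
              "NOT allowed; fix with:\n     " +
              add_permission_command(FUNCTION_ARN, grant_pattern, "apigw-invoke")))
```

In the sample policy the GET /items route and authorizer auth5678 are covered, while POST /items is not, which is exactly the situation that produces the "doesn't have permissions to call the integration" access-log entry. Statements without a SourceArn condition are reported as allowing, since they let any API Gateway API in any account invoke the function; a practitioner would normally tighten those to the specific API ARN.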


AWS OFFICIAL. Updated a year ago.