How do I troubleshoot permissions errors from API Gateway HTTP APIs with an AWS Lambda integration or Lambda authorizer?

Last updated: 2021-05-28

When I try to invoke my AWS Lambda function with an API Gateway HTTP API, I get an "Internal Server Error" message. In my Amazon CloudWatch Logs, I see either a "doesn't have permissions to call the integration" or "doesn't have permissions to call the authorizer" error. What's causing these errors, and how do I resolve them?

Short description

If an API Gateway HTTP API tries to invoke a Lambda function that it isn't allowed to invoke, then API Gateway returns a 500 Internal Server Error response to the caller. If you turned on access logging for your HTTP API and your log format includes the $context.integrationErrorMessage (integration) or $context.authorizer.error (authorizer) variable, then API Gateway also logs one of the following error messages in your access logs:

CloudWatch error message for HTTP APIs with a Lambda integration

"integrationError": "The IAM role configured on the integration or API Gateway doesn't have permissions to call the integration. Check the permissions and try again."

CloudWatch error message for HTTP APIs with a Lambda authorizer

"authorizerError": "The IAM role configured on the authorizer or API Gateway doesn't have permissions to call the authorizer. Check the permissions and try again."

To resolve these errors, do one of the following:

Add a statement to your Lambda function's resource-based policy that allows the apigateway.amazonaws.com service principal to invoke the function, scoped with an AWS:SourceArn condition to your HTTP API. You can add the statement from the API Gateway console or with the AWS Command Line Interface (AWS CLI).

-or-

Configure an AWS Identity and Access Management (IAM) role that API Gateway assumes when it calls the integration or the authorizer. This is an invocation role set on the integration or authorizer, not the function's execution role. Its trust policy must allow apigateway.amazonaws.com to assume it, and its permissions policy must allow lambda:InvokeFunction on your function. For more information, see API Gateway permissions model for invoking an API.

For more information on troubleshooting errors when using Lambda integrations with HTTP APIs, see Troubleshooting issues with HTTP API Lambda integrations.

Resolution

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent AWS CLI version.

To add Lambda invoke permission to an HTTP API with a Lambda integration using the API Gateway console

1.    In the API Gateway console, on the APIs pane, choose the name of your HTTP API.

2.    In the left navigation pane, choose Integrations.

3.    Choose Manage integration.

4.    Find the name of your Lambda integration. Then, choose the Edit button next to the name of your Lambda integration.

5.    For Invoke permissions, choose Grant API Gateway permission to invoke your Lambda function. -or- Provide the IAM role ARN that API Gateway can use to invoke the Lambda function.

6.    Choose Save. Then, choose Deploy the API to add the Lambda invoke permission to your API.

To add Lambda invoke permission to an HTTP API with a Lambda integration using the AWS CLI

Run the following add-permission AWS CLI command:

Important: Replace the function-name value with your Lambda function's ARN. Replace the source-arn value with the execute-api ARN of the route that invokes the function: $API_GW_ID/*/$METHOD/$RESOURCE covers one route on any stage of the API (for example, a1b2c3d4e5/*/GET/items for the GET /items route). Use * for the method and resource to cover every route of that API, but keep the source-arn option: a statement without an AWS:SourceArn condition allows any API Gateway API in any AWS account to invoke your function. Replace the statement-id value with a statement identifier that's unique within the function's resource-based policy.

aws lambda add-permission \
  --function-name "$YOUR_FUNCTION_ARN" \
  --source-arn "arn:aws:execute-api:$API_GW_REGION:$YOUR_ACCOUNT:$API_GW_ID/*/$METHOD/$RESOURCE" \
  --principal apigateway.amazonaws.com \
  --statement-id "$STATEMENT_ID" \
  --action lambda:InvokeFunction

To add Lambda invoke permission to an HTTP API with a Lambda authorizer using the API Gateway console

1.    In the API Gateway console, on the APIs pane, choose the name of your HTTP API.

2.    In the left navigation pane, choose Authorizers.

3.    Choose Manage authorizers.

4.    Find the name of your Lambda authorizer. Then, choose the Edit button next to the name of your Lambda authorizer.

5.    For Invoke permissions, choose Automatically grant API Gateway permission to invoke your Lambda function. -or- Provide the IAM role ARN that API Gateway can use to invoke the Lambda function.

6.    Choose Save. Then, choose Deploy the API to add the Lambda invoke permission to your API.

To add Lambda invoke permission to an HTTP API with a Lambda authorizer using the AWS CLI

Run the following add-permission AWS CLI command:

Important: Replace the function-name value with your Lambda function's ARN. Replace the source-arn value with the execute-api ARN of your authorizer. Note that it has a different shape from the integration ARN: $API_GW_ID/authorizers/$AUTHORIZER_ID, where $AUTHORIZER_ID is the ID shown on the Authorizers page of the console or returned by aws apigatewayv2 get-authorizers --api-id $API_GW_ID. A statement scoped to an integration route doesn't cover the authorizer, so a function that serves as both needs one statement for each. Replace the statement-id value with a statement identifier that's unique within the function's resource-based policy.

aws lambda add-permission \
  --function-name "$YOUR_FUNCTION_ARN" \
  --source-arn "arn:aws:execute-api:$API_GW_REGION:$YOUR_ACCOUNT:$API_GW_ID/authorizers/$AUTHORIZER_ID" \
  --principal apigateway.amazonaws.com \
  --statement-id "$STATEMENT_ID" \
  --action lambda:InvokeFunction
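The two add-permission commands above (integration and authorizer) only fix the error if the source ARN in the new statement actually matches the ARN that API Gateway presents on the call. The following script is an added example, not AWS code or part of this article: it takes the output of aws lambda get-policy, reproduces IAM's ArnLike wildcard matching locally, and reports which statement (if any) lets apigateway.amazonaws.com invoke the function for a given route or authorizer. It also flags statements that grant API Gateway without any AWS:SourceArn condition. The API ID a1b2c3d4e5, account 111122223333, authorizer ID abcd12 and function items-backend in the sample policy are made up, and the matcher is a simplification of IAM policy evaluation (no Deny statements, no other condition keys).

```python
# Added example (not AWS-provided code): offline check of a Lambda function's
# resource-based policy, as returned by `aws lambda get-policy`, to see whether
# API Gateway may invoke the function for a given HTTP API route or authorizer.
import json
import re

API_GATEWAY_SERVICE = "apigateway.amazonaws.com"
INVOKE_ACTION = "lambda:InvokeFunction"


def integration_source_arn(region, account, api_id, stage, method, route):
    """execute-api ARN that API Gateway presents as AWS:SourceArn when it calls
    an integration. Same shape as the add-permission --source-arn above; pass
    "*" for stage, method or route to build a pattern that matches any value."""
    return f"arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/{method}/{route}"


def authorizer_source_arn(region, account, api_id, authorizer_id):
    """execute-api ARN presented when API Gateway calls a Lambda authorizer:
    /authorizers/<id>, not /stage/method/route."""
    return f"arn:aws:execute-api:{region}:{account}:{api_id}/authorizers/{authorizer_id}"


def arn_like(pattern, value):
    """IAM ArnLike semantics: '*' matches any run of characters, '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    if x is None:
        return []
    return [x] if isinstance(x, str) else list(x)


def _source_arn_patterns(stmt):
    return _as_list(stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn"))


def load_policy(get_policy_output):
    """`aws lambda get-policy` returns the policy document as a JSON string
    inside the "Policy" field; unwrap it into a dict."""
    return json.loads(json.loads(get_policy_output)["Policy"])


def _grants_api_gateway_invoke(stmt, function_arn):
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    return (
        stmt.get("Effect") == "Allow"
        and API_GATEWAY_SERVICE in services
        and any(arn_like(a, INVOKE_ACTION) for a in _as_list(stmt.get("Action")))
        and any(arn_like(r, function_arn) for r in _as_list(stmt.get("Resource")))
    )


def can_invoke(policy, function_arn, source_arn):
    """Sid of the first statement that lets API Gateway invoke function_arn for a
    call carrying source_arn, or None (the case behind the errors above)."""
    for stmt in policy.get("Statement", []):
        if not _grants_api_gateway_invoke(stmt, function_arn):
            continue
        patterns = _source_arn_patterns(stmt)
        if not patterns or any(arn_like(p, source_arn) for p in patterns):
            return stmt.get("Sid")
    return None


def unscoped_statements(policy, function_arn):
    """Sids that allow apigateway.amazonaws.com with no AWS:SourceArn condition:
    any API in any AWS account could invoke the function through API Gateway
    (confused deputy), so scope them to your API."""
    return [
        stmt.get("Sid")
        for stmt in policy.get("Statement", [])
        if _grants_api_gateway_invoke(stmt, function_arn) and not _source_arn_patterns(stmt)
    ]


def statement_for(sid, function_arn, source_arn):
    """The statement that the add-permission command above adds to the policy."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": API_GATEWAY_SERVICE},
        "Action": INVOKE_ACTION,
        "Resource": function_arn,
        "Condition": {"ArnLike": {"AWS:SourceArn": source_arn}},
    }


# Constructed sample (hypothetical IDs): a policy that only covers GET /items
# on any stage of HTTP API a1b2c3d4e5 in account 111122223333.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:items-backend"
SAMPLE_GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [statement_for(
            "allow-get-items", FUNCTION_ARN,
            integration_source_arn("us-east-1", "111122223333", "a1b2c3d4e5", "*", "GET", "items"),
        )],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
})

if __name__ == "__main__":
    policy = load_policy(SAMPLE_GET_POLICY_OUTPUT)
    checks = {
        "GET /items": integration_source_arn("us-east-1", "111122223333", "a1b2c3d4e5", "$default", "GET", "items"),
        "POST /items": integration_source_arn("us-east-1", "111122223333", "a1b2c3d4e5", "$default", "POST", "items"),
        "authorizer": authorizer_source_arn("us-east-1", "111122223333", "a1b2c3d4e5", "abcd12"),
    }
    for label, arn in checks.items():
        print(f"{label:12s} -> {can_invoke(policy, FUNCTION_ARN, arn)}")
    print("unscoped:", unscoped_statements(policy, FUNCTION_ARN))
```

To run it against a real function, replace SAMPLE_GET_POLICY_OUTPUT with the text printed by aws lambda get-policy --function-name "$YOUR_FUNCTION_ARN". In the sample, GET /items is allowed, POST /items and the authorizer are not, which is exactly the mismatch that produces the "doesn't have permissions to call the integration" and "doesn't have permissions to call the authorizer" errors: the fix is an additional statement whose source ARN matches the failing route or the /authorizers/<id> ARN, not a broader statement with no source ARN at all.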
