I defined my Lambda integration in API Gateway using a stage variable. Why do I get an "Internal server error" and a 500 status code when I invoke the API method?
Last updated: 2021-06-21
I set up my Amazon API Gateway API to invoke an AWS Lambda function using a stage variable. When I invoke the API method, my API returns an "Internal server error" and a 500 status code. How do I resolve the error?
Short description
If your Lambda function's resource-based policy doesn't include permissions for your API to invoke the function, API Gateway returns an Internal server error message.
If you create a stage variable to call a function through your API, you must add the required permissions by doing one of the following:
- Update your Lambda function's resource-based AWS Identity and Access Management (IAM) policy so that it grants invoke permission to API Gateway.
-or-
- Create an IAM role that API Gateway can assume to invoke your Lambda function.
Note: If you build an API Gateway API with standard Lambda integration using the API Gateway console, the console adds the required permissions automatically.
Resolution
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.
Review your Amazon CloudWatch Logs to confirm that the error is caused by missing permissions
For REST APIs and WebSocket APIs
Review your API Gateway execution logs. If you see an error message similar to "Invalid permissions on Lambda function", missing permissions are causing the error. For more information, see How do I turn on CloudWatch Logs for troubleshooting my API Gateway REST API or WebSocket API?
For HTTP APIs
Review your API Gateway access logs. If you see an error message that includes "Invalid permissions", missing permissions are causing the error. For more information, see Configuring logging for an HTTP API.
Note: The integrationErrorMessage context variable ($context.integrationErrorMessage) includes the error message to review.
To update your Lambda function's resource-based IAM policy so that it grants invoke permission to API Gateway
Lambda console instructions
Follow the instructions in Granting function access to AWS services.
The following is an example resource-based policy that grants invoke permission to API Gateway:
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "ServiceAllowListing",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:<AWS_Region>:<AWS_Account_Number>:function:<LambdaFunctionName>",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:<AWS_Region>:<AWS_Account_Number>:<API_ID>"
        }
      }
    }
  ]
}
AWS CLI instructions
Run the following add-permission AWS CLI command:
Important: Replace the following variables before running the command:
- For arn:aws:lambda:region:account-id:function:function-name, enter your Lambda function's Amazon Resource Name (ARN).
- For statement-id-guid, enter a unique statement ID. For example, api-gateway-invoke.
- For arn:aws:execute-api:region:account-id:api-id/*/GET/lambdasv1, enter the ARN of the API Gateway resource that invokes your function. For the ARN format for HTTP APIs and REST APIs, see Resource format of permissions for executing API in API Gateway. For the ARN format for WebSocket APIs, see Using IAM authorization.
aws lambda add-permission --function-name arn:aws:lambda:region:account-id:function:function-name --statement-id statement-id-guid --action lambda:InvokeFunction --principal apigateway.amazonaws.com --source-arn "arn:aws:execute-api:region:account-id:api-id/*/GET/lambdasv1"
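The following Python check is an added example, not part of the original article and not AWS code: it audits a Lambda resource-based policy (for example, the output of aws lambda get-policy) to see whether API Gateway is granted invoke permission for one specific method ARN, and flags grants that are not scoped to a single API. The function names, the sample policy, and the account and API IDs are constructed placeholders, and the ArnLike matching is a simplified model of the documented behavior (six colon-delimited parts, with * and ? wildcards).

```python
import re

def arn_like(pattern, arn):
    """Simplified ArnLike: match the six colon-delimited parts, honouring * and ?."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    def glob(p, s):
        rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        return re.fullmatch(rx, s) is not None
    return all(glob(p, s) for p, s in zip(p_parts, a_parts))

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy, invoke_arn):
    """Return whether API Gateway may invoke from invoke_arn, plus scoping findings."""
    allowed, findings = False, []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") != "Allow" or "apigateway.amazonaws.com" not in services
                or "lambda:InvokeFunction" not in as_list(st.get("Action", []))):
            continue
        sid = st.get("Sid", "<no Sid>")
        # Condition keys are case-insensitive, so normalise before the lookup.
        arn_conds = {k.lower(): v for k, v in st.get("Condition", {}).get("ArnLike", {}).items()}
        patterns = as_list(arn_conds.get("aws:sourcearn", []))
        if not patterns:
            allowed = True
            findings.append(f"{sid}: no SourceArn condition, grant is not limited to one API")
            continue
        for pat in patterns:
            if arn_like(pat, invoke_arn):
                allowed = True
                if pat.split(":", 5)[5].startswith("*"):
                    findings.append(f"{sid}: SourceArn does not pin an API ID")
    return {"allowed": allowed, "findings": findings}

# Constructed sample policy (placeholder account and API IDs), shaped like the one above.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "api-gateway-invoke", "Effect": "Allow",
    "Principal": {"Service": "apigateway.amazonaws.com"},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:us-east-1:111122223333:function:my-function",
    "Condition": {"ArnLike": {"AWS:SourceArn":
        "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/*/GET/lambdasv1"}}}]}
BASE = "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5"

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY, BASE + "/prod/GET/lambdasv1"))   # granted
    print(audit_policy(SAMPLE_POLICY, BASE + "/prod/POST/lambdasv1"))  # not granted
```

A result with allowed set to False for the method you are calling corresponds to the missing-permission case that produces the 500 response described above.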
To create an IAM role that API Gateway can assume to invoke your Lambda function
Follow the instructions in API Gateway permissions model for invoking an API.
Note: For more information, see Control access to an API with IAM permissions.