I defined my Lambda integration in API Gateway using a stage variable. Why do I get an "Internal server error" and a 500 status code when I invoke the API method?

I set up my Amazon API Gateway API to invoke an AWS Lambda function using a stage variable. When I invoke the API method, my API returns an "Internal server error" and a 500 status code. How do I resolve the error?

Short description

If your Lambda function's resource-based policy doesn't include permissions for your API to invoke the function, API Gateway returns an Internal server error message.

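If you create a stage variable to call a function through your API, you must add the required permissions in one of two ways: update your Lambda function's resource-based IAM policy so that it grants invoke permission to API Gateway, or create an IAM role that API Gateway can assume to invoke your Lambda function.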

Note: If you build an API Gateway API with standard Lambda integration using the API Gateway console, the console adds the required permissions automatically.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

Review your Amazon CloudWatch Logs to confirm that the error is caused by missing permissions

For REST APIs and WebSocket APIs

Review your API Gateway execution logs. If you see an error message similar to "Invalid permissions on Lambda function", missing permissions are causing the error. For more information, see How do I turn on CloudWatch Logs for troubleshooting my API Gateway REST API or WebSocket API?

For HTTP APIs

Review your API Gateway access logs. If you see an error message that includes "Invalid permissions", missing permissions are causing the error. For more information, see Configuring logging for an HTTP API.

Note: The integrationErrorMessage context variable ($context.integrationErrorMessage) includes the error message to review.

To update your Lambda function's resource-based IAM policy so that it grants invoke permission to API Gateway

Lambda console instructions

Follow the instructions in Granting function access to AWS services.

The following is an example resource-based policy that grants invoke permission to API Gateway:

{
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {
            "Sid": "ServiceAllowListing",
            "Effect": "Allow",
            "Principal": {
              "Service": "apigateway.amazonaws.com"
            },
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:<AWS_Region>:<AWS_Account_Number>:function:<LambdaFunctionName>",
            "Condition": {
              "ArnLike": {
                "AWS:SourceArn": "arn:aws:execute-api:<AWS_Region>:<AWS_Account_Number>:<API_ID>"
              }
            }
        }
     ]
}

AWS CLI instructions

Run the following add-permission AWS CLI command:

Important: Before running the command, replace the placeholder values in it (region, account-id, function-name, statement-id-guid, and api-id) with your own values.

aws lambda add-permission --function-name arn:aws:lambda:region:account-id:function:function-name --statement-id statement-id-guid --action lambda:InvokeFunction --principal apigateway.amazonaws.com --source-arn arn:aws:execute-api:region:account-id:api-id/*/GET/lambdasv1
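The following added example (not part of the original article or any AWS tooling) checks offline whether a function's resource-based policy would let API Gateway invoke it for a given method ARN, using the same /*/GET/lambdasv1 source ARN pattern as the command above. The account ID, API ID, and function name are constructed sample values, and only an ArnLike condition on aws:SourceArn is evaluated.

```python
import json
import re

def as_list(value):
    return value if isinstance(value, list) else [value]

def arn_like(pattern, arn):
    """IAM ArnLike: compare the six colon-delimited ARN parts one by one; * and ? are wildcards."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    def to_regex(part):
        return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in part)
    return all(re.fullmatch(to_regex(p), a) for p, a in zip(p_parts, a_parts))

def allows_apigw_invoke(policy_json, function_arn, source_arn):
    """True if a statement lets apigateway.amazonaws.com invoke function_arn from source_arn."""
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "apigateway.amazonaws.com" not in services:
            continue
        if "lambda:InvokeFunction" not in as_list(stmt.get("Action", [])):
            continue
        if function_arn not in as_list(stmt.get("Resource", [])):
            continue
        # Condition keys are case-insensitive. Assumption: only ArnLike on
        # aws:SourceArn is evaluated; other condition operators are ignored.
        arn_like_block = stmt.get("Condition", {}).get("ArnLike", {})
        patterns = [p for key, val in arn_like_block.items()
                    if key.lower() == "aws:sourcearn" for p in as_list(val)]
        if not patterns or any(arn_like(p, source_arn) for p in patterns):
            return True  # a grant without a SourceArn pattern is open to any API
    return False

# Constructed sample values (account ID, API ID and function name are made up).
API = "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5"
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:orders-prod"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "apigw-get-lambdasv1", "Effect": "Allow",
    "Principal": {"Service": "apigateway.amazonaws.com"},
    "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
    "Condition": {"ArnLike": {"AWS:SourceArn": API + "/*/GET/lambdasv1"}}}]})

if __name__ == "__main__":
    for suffix in ("/prod/GET/lambdasv1", "/prod/POST/lambdasv1"):
        print(suffix, allows_apigw_invoke(SAMPLE_POLICY, FUNCTION_ARN, API + suffix))
```

To check a deployed function, pass the Policy string returned by aws lambda get-policy as policy_json, and repeat the check for each function that the stage variable can resolve to.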

To create an IAM role that API Gateway can assume to invoke your Lambda function

Follow the instructions in API Gateway permissions model for invoking an API.

Note: For more information, see Control access to an API with IAM permissions.


Related information

Working with stages for HTTP APIs

Setting up stage variables for a REST API deployment

Using Amazon API Gateway stage variables

Using API Gateway stage variables to manage Lambda functions

Build an API Gateway REST API with Lambda integration