Call lambda function from a different cloudformation stack via API - amazon-web-services

I have a lambda function exposed via API gateway but when I try to request it using fetch it is saying that I am forbidden to access it. How do I allow my function to call another function via API gateway?

There can be multiple reasons for it.
Check whether your API Gateway endpoint is open or not. While specifying the trigger for Lambda you must have selected one option for security. You can edit this in the API Gateway Method Execution tab under Authorization Settings: select Authorization: None and API key required: false.
You might not have enabled CORS on your API, and due to that your API is not available on cross regions.
Your API Gateway does not have access to the Lambda function. You can grant that by attaching an IAM role to your API Gateway API which can trigger your Lambda function.

Related

AWS API Gateway Custom Authorizer not invoked

To start off with, I am pretty new to AWS. I started with a pretty basic API Gateway + Lambda integration. Below are my use cases.
Created a Lambda proxy integration request with API Gateway: a GET request which outputs the addition of 2 numbers passed through query parameters. Now if I access this API Gateway endpoint I get the desired result.
Now I have created a custom authorizer, which is in turn a call to another Lambda.
So a request will be validated by the authorizer Lambda prior to hitting the API Gateway endpoint. In this case the authorizer is not invoked at all.
I have enabled CloudWatch logs for API Gateway and Lambda, and below are the issues I am facing:
CloudWatch logs for the API Gateway endpoint do not show the call to the custom authorizer Lambda.
Logs for the endpoint Lambda are seen correctly in the Lambda group, but I am unable to see the same for the authorizer Lambda.
I have followed the AWS documentation below, but nothing seems to help.
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-api-as-simple-proxy-for-lambda.html
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
Below is the API Gateway config. The authorizer is configured with a header token called 'Authorization'; the consumer of the API should provide the Authorization token while calling the endpoint, which is supposed to be validated by the authorizer.
API Gateway Logs - Lambda configured was called directly without invoking Authorizer.
As mentioned by #Anup in the comments, you probably need to re-deploy the stage for the changes to take effect.
In my case I set up everything in Terraform and couldn't figure out why the custom authenticator wasn't being called.
After adding variables to the deployment to trigger a redeployment, the custom authenticator was properly called as expected.
Make sure your lambda and gateway authorizer are correctly configured. A couple suggestions:
Verify if your lambda has the API gateway trigger. The trigger is created automatically when you assign your authorizer to a valid lambda function in the API gateway authorizer settings.
Verify if your lambda has a valid handler. The current assigned handler can be seen in your lambda's configuration page.
Make sure the Method Request Authorization of your resource is set to the correct authorizer.
Deploy the gateway to guarantee the current API stage is using the displayed settings.
Even if your authorizer code doesn't work properly you should at least see an execution log in CloudWatch.
Just managed to solve the same problem. The request invokes the authorizer sometimes, but sometimes not.
When you create a custom authorizer, it automatically turns on the authorization caching. The default TTL is 300s.
https://docs.aws.amazon.com/apigateway/latest/developerguide/configure-api-gateway-lambda-authorization-with-console.html
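
A TOKEN authorizer written with the result cache from the last answer in mind, as an added example (not code from any of the posts above). The token table, principal names and function names are hypothetical, and the widening of the method ARN to the whole stage is one possible design choice.

```javascript
// Hypothetical token table with a constructed value; a real authorizer
// would verify a JWT or look up a session instead.
const KNOWN_TOKENS = new Map([['constructed-token-alice', 'alice']]);

// arn:aws:execute-api:region:account:apiId/stage/METHOD/path
//   -> arn:aws:execute-api:region:account:apiId/stage/*/*
function stageWideArn(methodArn) {
  const [apiArn, stage] = methodArn.split('/');
  return `${apiArn}/${stage}/*/*`;
}

function buildPolicy(principalId, effect, resource) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resource }],
    },
  };
}

// TOKEN authorizer input: event.authorizationToken carries the value of the
// configured header ('Authorization' in the question) and event.methodArn
// identifies the method being called.
function authorize(event) {
  const user = KNOWN_TOKENS.get(event.authorizationToken);
  if (!user) return buildPolicy('anonymous', 'Deny', event.methodArn);
  // The returned policy is cached per token for the authorizer TTL and reused
  // for every method behind this authorizer, so an Allow limited to
  // event.methodArn would reject the same token on other routes until expiry.
  return buildPolicy(user, 'Allow', stageWideArn(event.methodArn));
}

async function handler(event) {
  // This line reaches CloudWatch only when API Gateway really invokes the
  // authorizer, that is, on a cache miss and after the stage was deployed.
  console.log('authorizer invoked for', event.methodArn);
  return authorize(event);
}

if (typeof module !== 'undefined') module.exports = { handler };
```

If routes need different permissions per caller, list the allowed method ARNs explicitly in the policy rather than using the stage-wide wildcard.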

Restrict access to AWS API endpoint

I have a lambda function which is accessible via the AWS API, I have got a link from the API which if hit will call the Lambda function, how do I restrict the access to this link such that it's not accessible to public?
AWS API Gateway provides a way to restrict access to the resources.
You just need to enable it in API Gateway Console.
Click on the resource method -> Method Request -> Settings -> Authorization
And select AWS_IAM
Then you can access the API with access key and secret key only.
AWS Documentation for your reference.
Screenshots for your reference
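
What "access the API with access key and secret key" means on the wire once AWS_IAM is selected: every request must carry a Signature Version 4 header. This is an added example, not part of the answer; the function name, host, API id and path are hypothetical, and the credentials are AWS's documented placeholder values.

```javascript
const crypto = require('crypto');

const sha256Hex = (data) => crypto.createHash('sha256').update(data, 'utf8').digest('hex');
const hmac = (key, data) => crypto.createHmac('sha256', key).update(data, 'utf8').digest();

// Build SigV4 headers for an API Gateway method that uses AWS_IAM authorization.
// Assumptions: path and query are already URI-encoded and the query is sorted;
// long-term credentials (temporary ones also need an x-amz-security-token header).
function signExecuteApi({ method, host, path, query = '', body = '',
  region, accessKeyId, secretAccessKey, now = new Date() }) {
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ''); // YYYYMMDDTHHMMSSZ
  const dateStamp = amzDate.slice(0, 8);
  const signedHeaders = 'host;x-amz-date';
  const canonicalRequest = [
    method, path, query,
    `host:${host}\nx-amz-date:${amzDate}\n`, // canonical headers, each ends in \n
    signedHeaders,
    sha256Hex(body),
  ].join('\n');
  const scope = `${dateStamp}/${region}/execute-api/aws4_request`;
  const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope, sha256Hex(canonicalRequest)].join('\n');
  // The secret key never leaves the client; only the derived signature is sent.
  const signingKey = [dateStamp, region, 'execute-api', 'aws4_request']
    .reduce(hmac, `AWS4${secretAccessKey}`);
  const signature = hmac(signingKey, stringToSign).toString('hex');
  return {
    Host: host,
    'X-Amz-Date': amzDate,
    Authorization: `AWS4-HMAC-SHA256 Credential=${accessKeyId}/${scope}, `
      + `SignedHeaders=${signedHeaders}, Signature=${signature}`,
  };
}

// Constructed sample call; host and path are placeholders.
const exampleHeaders = signExecuteApi({
  method: 'GET',
  host: 'abc123.execute-api.us-east-1.amazonaws.com',
  path: '/prod/items',
  region: 'us-east-1',
  accessKeyId: 'AKIAIOSFODNN7EXAMPLE',
  secretAccessKey: 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY',
});
```

The calling identity also needs an IAM policy that allows `execute-api:Invoke` on the method's ARN; a valid signature from a principal without that permission is still rejected.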

Amazon API Gateway using Lambda gives permission error with POST method

I have been putting together and deploying Lambda functions using Apex, and the functions where I have been using the GET method through AWS API Gateway are working fine.
I now need to create an API to call into a Lambda function using POST and pass in a JSON object. To get the basics of POST working I created a simple Lambda function that just does the following
console.log("!!!!!!! Received request");
callback(null, {data: "Success"});
return;
When I call this Lambda function using a GET method from API Gateway and test the API, it works fine - the API Gateway Test mechanism gives the "success" message while "Received Request" is logged in a successful call in CloudWatch.
However when I use the POST request to call the same Lambda function from API Gateway I get the following
"message": "Internal server error"
And I also see "Execution failed due to configuration error: Invalid permissions on Lambda function"
So what I am wondering is whether the role by which Lambda functions are called requires any additional privileges when that function is invoked through a POST method. If so, what is the privilege that I need to assign to the role being used?
Thanks,
Sanjay.
If you want to call the POST method at the API Gateway level, you have to deploy that POST method. Go to the AWS API Gateway console, then select your POST API name. At the top of the grid (screen) you will find a drop-down called Actions, with an option called Deploy. You have to select that; only then will your POST API work.
API Gateway needs permissions to invoke your Lambda function. It prompts you to add the permission automatically if you configure your API via the web console, and the Lambda function is not specified with a stage variable.
So if you're using a tool like CloudFormation or Swagger import to create or update your APIs, or the Lambda function is specified with a stage variable, you'll need to issue an aws lambda add-permission command manually to set the permission.
See these posts for more details:
Lambda function -> Api Gateway stage variable permission manually
AWS API Gateway with proxy Lambda: Invalid permissions on Lambda function
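
One way to check the permission this answer describes, as an added example (not code from the posts): it evaluates a Lambda resource policy, shaped like the Policy document that `aws lambda get-policy` returns, against the source ARN of a given method, and builds the arguments for a scoped `aws lambda add-permission` call. The sample policy, account id, API id, function name and helper names are constructed, and the ArnLike matching is simplified.

```javascript
// Constructed sample of the Policy document returned by `aws lambda get-policy`
// (account id, API id and function name are placeholders).
const samplePolicy = {
  Version: '2012-10-17',
  Statement: [{
    Sid: 'apigw-get-items',
    Effect: 'Allow',
    Principal: { Service: 'apigateway.amazonaws.com' },
    Action: 'lambda:InvokeFunction',
    Resource: 'arn:aws:lambda:us-east-1:123456789012:function:demo',
    Condition: { ArnLike: {
      'AWS:SourceArn': 'arn:aws:execute-api:us-east-1:123456789012:abc123/*/GET/items',
    } },
  }],
};

const asList = (v) => (v === undefined ? [] : [].concat(v));

// Simplified ArnLike: '*' matches any run of characters, '?' exactly one.
function arnLike(pattern, arn) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${re}$`).test(arn);
}

// Does any statement let API Gateway invoke the function for this method ARN?
function apiGatewayMayInvoke(policy, sourceArn) {
  return asList(policy.Statement).some((s) => {
    const service = asList(s.Principal && s.Principal.Service);
    const cond = (s.Condition && s.Condition.ArnLike) || {};
    const key = Object.keys(cond).find((k) => k.toLowerCase() === 'aws:sourcearn');
    return s.Effect === 'Allow'
      && asList(s.Action).some((a) => a === 'lambda:InvokeFunction' || a === 'lambda:*')
      && service.includes('apigateway.amazonaws.com')
      // No SourceArn condition: the grant is not tied to one API or method.
      && (key === undefined || asList(cond[key]).some((p) => arnLike(p, sourceArn)));
  });
}

// Arguments for `aws lambda add-permission`, scoped to one method of one API.
function addPermissionArgs(functionName, statementId, sourceArn) {
  return ['lambda', 'add-permission', '--function-name', functionName,
    '--statement-id', statementId, '--action', 'lambda:InvokeFunction',
    '--principal', 'apigateway.amazonaws.com', '--source-arn', sourceArn];
}
```

With the sample policy, a GET on `items` is covered and a POST on the same resource is not; the console's Test button uses the stage name `test-invoke-stage`, which the `*` in the stage position also matches.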

Accessing client context in a Lambda function via API Gateway

I've created a Lambda function, and connected it to an API Gateway endpoint. My users are authenticating using Facebook via Cognito (so, obviously using a Federated Identity Pool). In my iOS app, I am able to authenticate properly, receive a Cognito Id back, and also properly execute my Lambda function by way of API Gateway.
Where I'm stuck now is attempting to access the user's identity in my Lambda. I understand from other threads and the AWS docs that I should be able to access the identity via context.identity.cognitoIdentityId in JS. However, the context is always null.
Further digging suggested that the context is passed in the X-Amz-Client-Context header -- when I look at packets for the API Gateway call, I do not see that header being passed through. I am using the automatically generated SDK (ObjC) from Gateway for my endpoints.
What am I missing here?
I apologize for the confusion. You have 2 options for getting this value into your lambda function:
By passing via API Gateway. If you are using the Lambda Proxy, it should already be available in event.requestContext.identity.cognitoIdentityId.
By enabling use caller credentials in your integration. If you use this method, you will also need to add lambda:Invoke permissions to your Cognito role.

Multiple AWS API Gateway APIs as trigger to the same Lambda function

I already had an API Gateway API as the trigger for my AWS Lambda function. However when I tried to add another API as a trigger to the same AWS Lambda, it threw an error saying that
There was an error creating the trigger: An integration is already present on this method.
Even when I delete the trigger already present from the configuration window of Lambda, it still shows that the trigger is present.
How can I add multiple API Gateway APIs as triggers for the same Lambda function?
You can set it up via the API Gateway console.
1. Create the Lambda function via Lambda without providing a trigger.
2. Go to the API Gateway console.
3. Create an API.
4. Create a resource and method.
5. Select the Lambda function you want to trigger by the method.
6. Create another API/method.
7. Select the Lambda function you want to trigger by the method.
Since you are creating the trigger/integration via API Gateway Console, API Gateway will setup the proper permission to allow API Gateway to invoke your Lambda function on multiple APIs/methods.
In API Gateway, we cannot make entries with the same resource name. When you have created a trigger it's already created, and you are trying to create another one again. So we have to clear the previous one and then try again, or else we can update it by going into the API Gateway interface.