I have an API Gateway with the following API endpoint:
When I try to test it I get the following error:
Request: /connect/list_users
Status: 500
Latency: 29 ms
Response Body
{"message": "Internal server error"}
Response Headers
{"x-amzn-ErrorType":["InternalServerErrorException"]}
Logs
Execution log for request 3ff47544-2f03-4e52-a52c-ce76e397aee7
Wed May 31 15:52:55 UTC 2023 : Starting execution for request: 3ff47544-2f03-4e52-a52c-ce76e397aee7
Wed May 31 15:52:55 UTC 2023 : HTTP Method: GET, Resource Path: /connect/list_users
Wed May 31 15:52:55 UTC 2023 : Method request path: {proxy=list_users}
Wed May 31 15:52:55 UTC 2023 : Method request query string: {}
Wed May 31 15:52:55 UTC 2023 : Method request headers: {}
Wed May 31 15:52:55 UTC 2023 : Method request body before transformations:
Wed May 31 15:52:55 UTC 2023 : Endpoint request URI: https://lambda.eu-west-2.amazonaws.com/2015-03-31/functions/arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:connect_api/invocations
Wed May 31 15:52:55 UTC 2023 : Endpoint request headers: {X-Amz-Date=20230531T155255Z, x-amzn-apigateway-api-id=xxxxxxxxxxxx, Accept=application/json, User-Agent=AmazonAPIGateway_xxxxxxxxxxxx, Host=lambda.eu-west-2.amazonaws.com, X-Amz-Content-Sha256=xxxxxxxxxxxx, X-Amzn-Trace-Id=Root=1-64776d57-xxxxxxxxxxxx, x-amzn-lambda-integration-tag=xxxxxxxxxxxx, Authorization=*********************************************************************************************************************************************************************************************************************************************************************************************************************************************ca4e12, X-Amz-Source-Arn=arn:aws:execute-api:eu-west-2:xxxxxxxxxxxx:xxxxxxxxxxxx/test-invoke-stage/GET/connect/{proxy+}, X-Amz-Security-Token=xxxxxxxxxxxx/xxxxxxxxxxxx [TRUNCATED]
Wed May 31 15:52:55 UTC 2023 : Endpoint request body after transformations: {"resource":"/connect/{proxy+}","path":"/connect/list_users","httpMethod":"GET","headers":null,"multiValueHeaders":null,"queryStringParameters":null,"multiValueQueryStringParameters":null,"pathParameters":{"proxy":"list_users"},"stageVariables":null,"requestContext":{"resourceId":"xxxxxxxxxxxx","resourcePath":"/connect/{proxy+}","httpMethod":"GET","extendedRequestId":"xxxxxxxxxxxx=","requestTime":"31/May/2023:15:52:55 +0000","path":"/connect/{proxy+}","accountId":"xxxxxxxxxxxx","protocol":"HTTP/1.1","stage":"test-invoke-stage","domainPrefix":"testPrefix","requestTimeEpoch":xxxxxxxxxxxx,"requestId":"xxxxxxxxxxxx","identity":{"cognitoIdentityPoolId":null,"cognitoIdentityId":null,"apiKey":"test-invoke-api-key","principalOrgId":null,"cognitoAuthenticationType":null,"userArn":"arn:aws:iam::xxxxxxxxxxxx:user/[email protected]","apiKeyId":"test-invoke-api-key-id","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, li [TRUNCATED]
Wed May 31 15:52:55 UTC 2023 : Sending request to https://lambda.eu-west-2.amazonaws.com/2015-03-31/functions/arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:connect_api/invocations
Wed May 31 15:52:55 UTC 2023 : Execution failed due to configuration error: Invalid permissions on Lambda function
Wed May 31 15:52:55 UTC 2023 : Method completed with status: 500
Now, this is the policy attached to the IAM role for the Lambda function that calls the DynamoDB table:
{
"Statement": [
{
"Action": [
"connect:ListRoutingProfiles",
"connect:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:connect:eu-west-2:xxxxxxxxxxxx:instance/xxxxxxxxxxxx/contact-flow/*/*",
"arn:aws:connect:eu-west-2:xxxxxxxxxxxx:instance/xxxxxxxxxxxx/contact-flow/*",
"arn:aws:connect:eu-west-2:xxxxxxxxxxxx:instance/xxxxxxxxxxxx/*",
"arn:aws:connect:eu-west-2:xxxxxxxxxxxx:instance/xxxxxxxxxxxx"
],
"Sid": ""
},
{
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:connect_api"
},
{
"Action": "dynamodb:Query",
"Effect": "Allow",
"Resource": [
"arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/contactlens/index/timestamp",
"arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/contactlens"
],
"Sid": ""
},
{
"Action": [
"dynamodb:Scan",
"dynamodb:GetItem"
],
"Effect": "Allow",
"Resource": [
"arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/ctr",
"arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/agent_status"
],
"Sid": ""
},
{
"Action": "dynamodb:UpdateItem",
"Effect": "Allow",
"Resource": "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/agent_status",
"Sid": ""
},
{
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:CreateLogGroup"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:*:*:*",
"Sid": ""
}
],
"Version": "2012-10-17"
}
And this is the policy attached to the IAM role for the API Gateway to call the Lambda function:
{
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents",
"logs:FilterLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:*"
]
},
{
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:Scan"
],
"Effect": "Allow",
"Resource": [
"arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/customers",
"arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/accounts",
"arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/cards",
"arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/sinistres",
"arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/email",
"arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/appointment_slots",
"arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/agencies",
"arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/intent_history",
"arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/authorization_requests",
"arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/ctr",
"arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/agent_status",
"arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/missed_calls"
]
},
{
"Action": [
"lambda:InvokeFunction"
],
"Effect": "Allow",
"Resource": [
"arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:treat_authorization_request"
]
}
],
"Version": "2012-10-17"
}
Finally, if I test the Lambda function in the test environment of the Lambda console, it works fine, so I suppose this means that the problem is not between the function and the DynamoDB table, but if I test the API call from the API Gateway I get the error of above.
Do you have any idea what could be the issue?
2
Answers
Your API Gateway execution role only has permission to invoke a Lambda function named
treat_authorization_request
, but that API seems to be invoking a function namedconnect_api
.What happens if you update the policy like this?
Internal server error occurs when something is wrong with your response from Lambda. Be sure you respond with an appropriate status code and message which include the correct response hearers if required.
Something like this:
https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-lambda.html