Serverless does not grant AWS Custom Authorizer with the required permissions to be invoked by API Gateway

Hi,

I am trying to create a custom authorizer for my Lambda functions deployed behind API Gateway in AWS.

I have the authorizer function deployed.

Then I configure the authorizer in serverless.yml as per the instructions in the Serverless docs, but when I test the created authorizer, API Gateway says it has no permission to invoke the authorizer lambda.

When creating an authorizer in the API Gateway UI, the permissions are granted automatically and the authorizer works. I expected the authorizer created by Serverless to grant the permissions as well.

What am I missing here?

Thanks!

===== UPDATE =====
Turns out I was wrong and the Serverless framework does handle granting the permissions on the Authorizer Lambda. I was missing the policy that allows API Gateway to control the lambda function as described here.
Hopefully someone someday will stumble upon this and get some time saved!


Digging a bit deeper: According to this blog, the AWS::ApiGateway::Authorizer CloudFormation resource should have a property AuthorizerCredentials that contains the authorizer role, or if you leave it empty the authorizer Lambda is expected to have “resource-based permissions”.

Looking in the CloudFormation template generated by Serverless, I don’t see the AuthorizerCredentials property set, so either I missed the way to add it, or I am expected to use a resource-based policy on my authorizer Lambda function.

The plot thickens: If I create the authorizer lambda function using the Serverless framework, is there a way for me to create the resource-based policy?


@moshebs did you find a solution to this? I’m using a shared authorizer model, which means I am using Resources to set up the authorizer. I know I need to set an AuthorizerCredentials value, but I’m unclear where I find the role ARN that needs to be dropped in there.

@moshebs I was able to get this working in my case by adding the following resource to my config:

# serverless.yml: custom resources live under resources.Resources
resources:
  Resources:
    ApiGatewayAuthorizerRole:
      Type: AWS::IAM::Role
      Properties:
        # lets the API Gateway service assume this role
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: 'Allow'
              Principal:
                Service:
                  - 'apigateway.amazonaws.com'
              Action:
                - sts:AssumeRole
        Policies:
          # assumes custom.stage is defined elsewhere in this serverless.yml
          - PolicyName: 'InvokeAuthorizerFunction-${self:custom.stage}'
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: 'Allow'
                  Action:
                    - lambda:InvokeAsync
                    - lambda:InvokeFunction
                  # AuthorizeLambdaFunction is the logical ID Serverless
                  # generates for a function named `authorize`
                  Resource:
                    Fn::GetAtt:
                      - AuthorizeLambdaFunction
                      - Arn
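To tie the thread together (the AuthorizerCredentials question from the earlier posts and the role resource above), here is a complete serverless.yml for a shared Lambda authorizer. It is an added example, not any poster's configuration: the function names `authorize` and `hello`, the handler paths, the runtime, the authorizer name and the stage variable are all assumptions. It shows both ways API Gateway can be allowed to call the authorizer: a role passed in AuthorizerCredentials (Option A, scoped to the single function ARN rather than lambda:*), and a resource-based permission on the Lambda (Option B). Either one is enough on its own; the SourceArn condition in Option B is the part worth keeping, because a permission for apigateway.amazonaws.com without it lets any API Gateway in any account that knows the function ARN invoke the authorizer.

```yaml
# serverless.yml: shared Lambda authorizer wired to API Gateway (added example,
# not from the thread). Assumed names: a function `authorize` (Serverless names
# its CloudFormation resource AuthorizeLambdaFunction), a protected function
# `hello`, and handler paths/runtime that are placeholders for your own.
service: shared-authorizer-demo

provider:
  name: aws
  runtime: nodejs18.x
  stage: ${opt:stage, 'dev'}

functions:
  authorize:
    handler: authorizer.handler   # returns an IAM policy document for the caller
  hello:
    handler: handler.hello
    events:
      - http:
          path: hello
          method: get
          authorizer:
            type: CUSTOM
            authorizerId:
              Ref: SharedApiGatewayAuthorizer

resources:
  Resources:
    # Option A: a role API Gateway assumes to invoke the authorizer. Scope the
    # policy to this one function ARN; lambda:* or Resource: '*' would let the
    # API invoke every function in the account.
    ApiGatewayAuthorizerRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service: apigateway.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: InvokeAuthorizerFunction-${self:provider.stage}
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action: lambda:InvokeFunction
                  Resource:
                    Fn::GetAtt: [AuthorizeLambdaFunction, Arn]

    SharedApiGatewayAuthorizer:
      Type: AWS::ApiGateway::Authorizer
      Properties:
        Name: shared-token-authorizer-${self:provider.stage}
        Type: TOKEN
        IdentitySource: method.request.header.Authorization
        AuthorizerResultTtlInSeconds: 300
        RestApiId:
          Ref: ApiGatewayRestApi   # logical ID Serverless gives the REST API
        AuthorizerUri:
          Fn::Join:
            - ''
            - - 'arn:aws:apigateway:'
              - Ref: AWS::Region
              - ':lambda:path/2015-03-31/functions/'
              - Fn::GetAtt: [AuthorizeLambdaFunction, Arn]
              - '/invocations'
        # The role ARN asked about in the thread goes here.
        AuthorizerCredentials:
          Fn::GetAtt: [ApiGatewayAuthorizerRole, Arn]

    # Option B: a resource-based permission on the Lambda instead of (or in
    # addition to) AuthorizerCredentials. SourceArn pins the grant to this
    # API's authorizer; without it any API Gateway, in any account, that knows
    # the function ARN could invoke the authorizer (confused deputy).
    AuthorizerLambdaPermission:
      Type: AWS::Lambda::Permission
      Properties:
        Action: lambda:InvokeFunction
        Principal: apigateway.amazonaws.com
        FunctionName:
          Fn::GetAtt: [AuthorizeLambdaFunction, Arn]
        SourceArn:
          Fn::Join:
            - ''
            - - 'arn:aws:execute-api:'
              - Ref: AWS::Region
              - ':'
              - Ref: AWS::AccountId
              - ':'
              - Ref: ApiGatewayRestApi
              - '/authorizers/'
              - Ref: SharedApiGatewayAuthorizer
```

After `serverless deploy`, `aws lambda get-policy --function-name <deployed authorizer function name>` shows the resource-based policy from Option B (check that the statement carries the ArnLike SourceArn condition), and `aws apigateway get-authorizer --rest-api-id <id> --authorizer-id <id>` shows the authorizerCredentials role from Option A. If the console-created authorizer works but the Serverless one does not, one of those two outputs is empty, which is exactly the failure described at the top of the thread.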

@duro, yes - this is pretty much what I am doing. Sorry for not updating the post.