[SOLVED] API Gateway - how to set Authorization in Method Request to AWS_IAM?



Hi guys,

I have the same issue described in this Stack Overflow post:

I wish to authenticate requests, using AWS_IAM.

I can use the AWS Gateway API console, and change each method request from none to AWS_IAM. By hand, I can make it work.

However, I would rather change the serverless.yml file in my Serverless services.

I tried to add an authorizationType field like so:

    - http:
        path: greet
        method: get
        authorizationType: AWS_IAM

but it did not update the authorization settings of API Gateway, and unauthorized requests are still accepted.

Any idea if the serverless.yml file can be set to use AWS_IAM?



I have also tried this

    - http:
        path: greet
        method: get
        authorizer: AWS_IAM

    handler: handlers.AWS_IAM

But it doesn’t work.

Any idea?



There isn’t a clean way of doing this yet that I’m aware of. There is a bit of a dirty way though. After you’ve deployed your application, look up the name of the AWS::ApiGateway::Method for your method (the way I do this is by looking within CloudFormation’s stack template for my API). Then, using that name, within serverless.yml under Resources drop in something like this…

PostMethodApigEventCreateaccountAccountCreate: #<- that is my AWS::ApiGateway::Method's name
    AuthorizationType: AWS_IAM


Hi Camhart,

Your dirty way worked like a charm.

Hope this could become a feature, thanks a lot



Yup definitely something we want to support in the future. With our latest release (and on master) the name of the Method has changed though, so make sure to update your custom resources so they still work then.


@flomotlik is there a way to set all api endpoints to use AWS_IAM authorization without having to define them one by one?


At the moment there isn’t


@flomotlik I’ve noticed that since version 1.0.2 this does not work:

    ApiGatewayMethodV1UsersUseridTestPost: # My post method.
      AuthorizationType: AWS_IAM

I get an error saying that a resource type is needed.
So I tried this (format is not being applied by the forum here):

    ApiGatewayMethodV1UsersUseridTestPost: # My post method.
      Type: AWS::ApiGateway::Method
      AuthorizationType: AWS_IAM

But it does not work. It produces the following output and the application does not exit.
I must press Ctrl+C in order to cancel, and the next time I try to deploy the API I get a “The specified bucket does not exist” error, which can be solved by deleting the stack task from the CloudFormation console.

Serverless: Creating Stack…
Serverless: Checking Stack create progress…
CloudFormation - CREATE_IN_PROGRESS - AWS::CloudFormation::Stack - serverless-user-service-dev
CloudFormation - CREATE_FAILED - AWS::ApiGateway::Resource - ApiGatewayMethodV1UsersUseridTestPost
CloudFormation - CREATE_IN_PROGRESS - AWS::S3::Bucket - ServerlessDeploymentBucket
CloudFormation - CREATE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - CREATE_FAILED - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - CREATE_FAILED - AWS::S3::Bucket - ServerlessDeploymentBucket
CloudFormation - ROLLBACK_IN_PROGRESS - AWS::CloudFormation::Stack - serverless-user-service-dev
CloudFormation - DELETE_COMPLETE - AWS::ApiGateway::Resource - ApiGatewayMethodV1UsersUseridTestPost
CloudFormation - DELETE_IN_PROGRESS - AWS::S3::Bucket - ServerlessDeploymentBucket
CloudFormation - DELETE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - DELETE_COMPLETE - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - DELETE_COMPLETE - AWS::S3::Bucket - ServerlessDeploymentBucket
CloudFormation - ROLLBACK_COMPLETE - AWS::CloudFormation::Stack - serverless-user-service-dev


If you update to 1.0.3 which we released today this should work.


@flomotlik thanks, but I’ve just tried 1.03 version and unfortunately it does not work.

This configuration:

        Type: AWS::ApiGateway::Method # Is this line correct? It does not work
          AuthorizationType: AWS_IAM 

Produces this error:

  An error occurred while provisioning your stack: ApiGatewayMethodV1UsersUseridTestPost
     - Property HttpMethod cannot be empty.

And this configuration:

          AuthorizationType: AWS_IAM 

Produces this other error:

Template format error: [/Resources/ApiGatewayMethodV1UsersUseridTestPost]
     Every Resources object must contain a Type member.


After some tests I’ve added a comment on the following issue: (I think the bug should be reopened) https://github.com/serverless/serverless/issues/2359


FWIW This worked for me:

       handler: <function-handler>
       name: <function-name>
       description: some description
        - http:
            path: <path>
            method: get
            integration: lambda

             AuthorizationType: AWS_IAM


I am getting the same error as @endymion, “Property HttpMethod cannot be empty”, and I am using a path parameter as well, as he mentioned in the GitHub issue.

I have also noticed that the people who have gotten this working seem to be using lambda integration as opposed to lambda-proxy integration, would that be a requirement for getting this to work?


I’m using serverless 1.6.1 by the way.


I used the syntax below in serverless.yml and it worked for me. The key thing was to identify the correct name, “ApiGatewayMethodHelloGet”. I figured that out from the CloudFormation template in S3: sls deploys code to S3 for every service, and if you drill down into that S3 bucket you will see the CloudFormation template created by sls.

Type: "AWS::ApiGateway::Method"
AuthorizationType: AWS_IAM


I’m about to implement AWS_IAM. Before I use the workarounds described here, has there been any progress in this feature? I’m using sls v1.8.0.


As of today, I don’t believe so. Keep an eye on PR #3534, hopefully we can start using it in the next release :smiley:


You helped me 100% find the answer; this was make or break for me. If you set it manually in the UI, as soon as you do any update it will reset it to 0. You have to find the name in the JSON in the S3 bucket.
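
Several replies above depend on finding the logical name of each AWS::ApiGateway::Method in the compiled CloudFormation template. The following is an added example, not code from this thread or from the Serverless project: it lists those names with their path and AuthorizationType and flags any method that does not require AWS_IAM. The template is a constructed sample and every resource name in it is made up.

```python
import json

# Constructed sample standing in for the compiled template JSON from the
# deployment bucket; every resource name and value below is made up.
SAMPLE_TEMPLATE = """{"Resources": {
  "ApiGatewayResourceV1": {"Type": "AWS::ApiGateway::Resource", "Properties": {
    "PathPart": "v1", "ParentId": {"Fn::GetAtt": ["ApiGatewayRestApi", "RootResourceId"]}}},
  "ApiGatewayResourceV1Greet": {"Type": "AWS::ApiGateway::Resource", "Properties": {
    "PathPart": "greet", "ParentId": {"Ref": "ApiGatewayResourceV1"}}},
  "ApiGatewayMethodV1GreetGet": {"Type": "AWS::ApiGateway::Method", "Properties": {
    "HttpMethod": "GET", "AuthorizationType": "NONE", "ResourceId": {"Ref": "ApiGatewayResourceV1Greet"}}},
  "ApiGatewayMethodV1GreetPost": {"Type": "AWS::ApiGateway::Method", "Properties": {
    "HttpMethod": "POST", "AuthorizationType": "AWS_IAM", "ResourceId": {"Ref": "ApiGatewayResourceV1Greet"}}},
  "ApiGatewayMethodV1Put": {"Type": "AWS::ApiGateway::Method", "Properties": {
    "HttpMethod": "PUT", "ResourceId": {"Ref": "ApiGatewayResourceV1"}}}
}}"""


def resource_path(resources, ref):
    """Follow ParentId references upward and rebuild the URL path."""
    parts = []
    while isinstance(ref, dict) and "Ref" in ref:
        props = resources.get(ref["Ref"], {}).get("Properties", {})
        parts.append(str(props.get("PathPart", "?")))
        ref = props.get("ParentId")  # Fn::GetAtt on the REST API root ends the walk
    return "/" + "/".join(reversed(parts))


def audit_methods(template_text, required="AWS_IAM"):
    """Return (logical name, HTTP method, path, AuthorizationType, ok) per method."""
    resources = json.loads(template_text).get("Resources", {})
    rows = []
    for name, res in sorted(resources.items()):
        if res.get("Type") != "AWS::ApiGateway::Method":
            continue
        props = res.get("Properties", {})
        auth = props.get("AuthorizationType", "(unset)")  # unset is treated as unprotected
        path = resource_path(resources, props.get("ResourceId"))
        rows.append((name, props.get("HttpMethod", "?"), path, auth, auth == required))
    return rows


def unprotected(template_text, required="AWS_IAM"):
    """Logical names of methods that do not require the given authorization type."""
    return [row[0] for row in audit_methods(template_text, required) if not row[4]]


if __name__ == "__main__":
    for name, verb, path, auth, ok in audit_methods(SAMPLE_TEMPLATE):
        print(f"{'ok  ' if ok else 'OPEN'} {verb:<5} {path:<10} {auth:<8} {name}")
```

Running the same check against the template produced by each deploy also shows whether an override still matches after the method names change between Serverless releases, as mentioned above.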