AWS API Gateway User Authorizer AuthorizerConfigurationException

For the Kinesis stream, I created a proxy API using the AWS API Gateway. I added a special authorizer using a Python Lambda for proxies. After publishing the Lambda function and deploying the API, I was able to successfully test the API using the Gateway Test functionality. I could see the logs in CloudWatch that had detailed fingerprints from a custom Lambda authentication function. After successful authentication, the API gateway moved the entry to my Kinesis stream.

However, when I call the same API from the Chrome Postman client, I get 500 Internal Server Error, and the response headers include X-Cache -> Error from the cloud interface, x-amzn-ErrorType -> AuthorizerConfigurationException.

The Lambda auth function returns a policy that allows a request to be made to my API. Return Policy Document:

    {
      "policyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "execute-api:Invoke",
            "Resource": [
              "arn:aws:execute-api:us-east-1:1234567:myapiId/staging/POST/*"
            ],
            "Effect": "Allow"
          }
        ]
      },
      "principalId": "Foo"
    }

Why does the request fail from Chrome or curl, while the same API test works fine with the Gateway API?

+7
4 answers

Found out what caused the problem. From the Python Lambda function I was returning a JSON string instance. Instead, it should be a JSON object. It is strange that the same Lambda function was not mistaken when I tested the API from the Test function of the API gateway. But when the API was called from the Internet (curl or Chrome), it failed.

    # return policy_string  ... this is incorrect.
    return json.loads(policy_string)
+6

An AuthorizerConfigurationException is usually a sign that the API gateway could not call your authorizer due to a permission error.

Please make sure that you have correctly configured the function to call the Gateway API. It is easy to reset this by deleting and re-adding the function to your authorizer. Then the console will prompt you to add the necessary permissions.

+6

In my case, I did not return a correctly formatted IAM policy document. My Authorizer function made incorrect assumptions about how to get some parameters from the request, and the default result was not the correct policy (this was my specific case). I was able to debug it using the CloudWatch logging service using traditional logging instructions derived from my function code.

0

I came across the same error. In my case, in a Node.js function, I added one context key as an array.

    {
      policyDocument: {
        Version: '2012-10-17',
        Statement: [{
          Action: 'execute-api:Invoke',
          Effect: effect,
          Resource: `${arn.split('/').slice(0, 2).join('/')}/*`,
        }],
      },
      // array value in the context map: this is what caused the error
      context: { roles: ['admin'] },
    }

As the documentation says:

You can access the stringKey, numberKey or booleanKey value (for example, "value", "1" or "true") of the context map in the mapping template by calling $context.authorizer.stringKey, $context.authorizer.numberKey or $context.authorizer.booleanKey, respectively. All return values are strings. Note that you cannot set an object or JSON array as a valid value for any key in the context map.

Remove the role key and it works.

0
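
An added example, not code from any of the posters: a Python check to run on the authorizer's return value before returning it, covering the three failure modes described in the answers above (policy returned as a JSON string, malformed policy document, array or object value in `context`). The function name, messages and sample values are assumptions; the whitespace check on `Action` and `Resource` is a conservative lint added here, not a rule quoted from the page.

```python
import json

def validate_authorizer_response(resp):
    """Return a list of problems found in a Lambda authorizer's return value."""
    if isinstance(resp, str):
        # First answer: the handler returned the policy as a JSON string.
        return ["response is a JSON string; return json.loads(...) of it instead"]
    if not isinstance(resp, dict):
        return ["response must be a dict, got " + type(resp).__name__]
    problems = []
    if not isinstance(resp.get("principalId"), str):
        problems.append("principalId missing or not a string")
    doc = resp.get("policyDocument")
    stmts = doc.get("Statement") if isinstance(doc, dict) else None
    if not isinstance(stmts, list) or not stmts:
        problems.append("policyDocument.Statement must be a non-empty list")
        stmts = []
    for i, stmt in enumerate(stmts):
        if not isinstance(stmt, dict):
            problems.append(f"Statement[{i}] is not an object")
            continue
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement[{i}].Effect must be Allow or Deny")
        for key in ("Action", "Resource"):
            vals = stmt.get(key)
            vals = [vals] if isinstance(vals, str) else vals
            ok = isinstance(vals, list) and vals and all(
                isinstance(v, str) and v and not any(c.isspace() for c in v) for v in vals)
            if not ok:
                problems.append(f"Statement[{i}].{key} must be non-empty string(s) without whitespace")
    ctx = resp.get("context", {})
    if not isinstance(ctx, dict):
        problems.append("context must be an object")
        ctx = {}
    for key, value in ctx.items():
        # Last answer: context values may only be string, number or boolean.
        if not isinstance(value, (str, int, float, bool)):
            problems.append(f"context.{key} is a {type(value).__name__}; use a string, number or boolean")
    return problems

# Constructed samples; the account id and API id are the placeholders from the question.
GOOD = {
    "principalId": "Foo",
    "policyDocument": {"Version": "2012-10-17", "Statement": [{
        "Action": "execute-api:Invoke", "Effect": "Allow",
        "Resource": ["arn:aws:execute-api:us-east-1:1234567:myapiId/staging/POST/*"]}]},
}
AS_STRING = json.dumps(GOOD)                           # the bug from the first answer
WITH_ARRAY = dict(GOOD, context={"roles": ["admin"]})  # the bug from the last answer
```

Logging the returned list from the authorizer before it returns makes the cause visible in CloudWatch, since the caller only sees the 500 with `AuthorizerConfigurationException`.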