(apigatewayv2): IAM Permissions not being created for Api Gateway to access http lambda integration
What is the problem?
API Gateway does not create the IAM permissions needed to connect to an HTTP Lambda integration; this started when upgrading to CDK v2.
Reproduction Steps
When using AWS-CDK 2.3.0-alpha.0:
```json
"@aws-cdk/aws-apigatewayv2-alpha": "2.3.0-alpha.0",
"@aws-cdk/aws-apigatewayv2-authorizers-alpha": "^2.3.0-alpha.0",
"@aws-cdk/aws-apigatewayv2-integrations-alpha": "^2.3.0-alpha.0"
```
We have 2 routes that point to the same integration; permissions in CloudFormation are only created for the first one.
```typescript
const jobsIntegration = new apiGatewayIntegrations.HttpLambdaIntegration('JobsIntegration', jobsFunction);
props.httpApi.addRoutes({
  path: '/hr/jobs',
  methods: [ apiGateway.HttpMethod.GET ],
  integration: jobsIntegration,
  authorizer: props.Authorizer
});
props.httpApi.addRoutes({
  path: '/hr/job/{reqId}',
  methods: [ apiGateway.HttpMethod.GET ],
  integration: jobsIntegration,
  authorizer: props.Authorizer
});
```
CloudFormation:
```json
"HttpApiGEThrjobsJobsIntegrationPermissionFFAB51F1": {
  "Type": "AWS::Lambda::Permission",
  "Properties": {
    "Action": "lambda:InvokeFunction",
    "FunctionName": {
      "Fn::ImportValue": "OutputFnGetAttJobsFunction382FBD18Arn3EEB55F3"
    },
    "Principal": "apigateway.amazonaws.com",
    "SourceArn": {
      "Fn::Join": [
        "",
        [
          "arn:",
          {
            "Ref": "AWS::Partition"
          },
          ":execute-api:us-east-1:123:",
          {
            "Ref": "HttpApiF5A9A8A7"
          },
          "/*/*/hr/jobs"
        ]
      ]
    }
  },
  "Metadata": {
    "aws:cdk:path": "/ApiGateway/HttpApi/GET--hr--jobs/JobsIntegration-Permission"
  }
}
```
API Gateway access logs:
```json
{
  "requestId": "=",
  "ip": "",
  "requestTime": "28/Dec/2021:16:25:46 +0000",
  "httpMethod": "GET",
  "routeKey": "GET /hr/job/{reqId}",
  "status": "500",
  "protocol": "HTTP/1.1",
  "responseLength": "35",
  "contenxtError": "Internal Server Error",
  "integrationErrorMessage": "The IAM role configured on the integration or API Gateway doesn't have permissions to call the integration. Check the permissions and try again."
}
```
What did you expect to happen?
That it would create permissions for both routes.
What actually happened?
It only created them for the first route; see the CloudFormation output above.
The workaround is as follows: create a new integration linked to the same function.
```typescript
const jobsIntegration = new apiGatewayIntegrations.HttpLambdaIntegration('JobsIntegration', jobsFunction);
// Workaround: a second integration instance bound to the same function
const jobIntegration = new apiGatewayIntegrations.HttpLambdaIntegration('JobIntegration', jobsFunction);
props.httpApi.addRoutes({
  path: '/hr/jobs',
  methods: [ apiGateway.HttpMethod.GET ],
  integration: jobsIntegration,
  authorizer: props.Authorizer
});
props.httpApi.addRoutes({
  path: '/hr/job/{reqId}',
  methods: [ apiGateway.HttpMethod.GET ],
  integration: jobIntegration, // use the new instance for the second route
  authorizer: props.Authorizer
});
```
CDK CLI Version: 2.3.0
Framework Version: No response
Node.js Version: 14.18.0
OS: Windows 11
Language: Typescript
Language Version: 4.5.2
Other information: No response
Top GitHub Comments
WebSocket API also has the same issue https://github.com/aws/aws-cdk/issues/18208. Currently it seems we cannot share the same integration instance with multiple routes.
Another workaround is to create an integration instance per route.
Since we are calling `bind` only once per integration instance, it isn't possible to reuse a single integration instance for multiple routes. https://github.com/aws/aws-cdk/blob/626e6aa1a27feffe7ce60a46a6fdcf26f317eaef/packages/%40aws-cdk/aws-apigatewayv2/lib/websocket/integration.ts#L112-L113
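Because the missing permission only surfaces at request time as a 500, a pre-deploy check over the synthesized template catches the one-bind-per-instance behaviour described above. The following is an added example, not code from aws-cdk or from the issue: it walks the `Resources` of a `cdk synth` output and reports every `AWS::ApiGatewayV2::Route` whose path has no `AWS::Lambda::Permission` SourceArn covering it; the template embedded at the bottom is constructed to mirror the issue's excerpt (resource names, the `Template`/`Resource` types and the function names are assumptions).

```typescript
// Added example (not CDK's own code): find HTTP API routes with no Lambda permission.
type Resource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Resource> };

// Collapse an Fn::Join of literals and intrinsics into one string; intrinsic
// tokens (Ref, Fn::ImportValue, ...) become "*" so the path suffix still compares.
function flatten(value: any): string {
  if (typeof value === "string") return value;
  if (value && value["Fn::Join"]) {
    const [sep, parts] = value["Fn::Join"] as [string, any[]];
    return parts.map(flatten).join(sep);
  }
  return "*";
}

// Returns the route keys (e.g. "GET /hr/job/{reqId}") that no permission covers.
function routesWithoutPermission(tpl: Template): string[] {
  const resources = Object.keys(tpl.Resources).map(k => tpl.Resources[k]);
  const grantedArns = resources
    .filter(r => r.Type === "AWS::Lambda::Permission" &&
                 r.Properties?.Principal === "apigateway.amazonaws.com")
    .map(r => flatten(r.Properties!.SourceArn));
  const missing: string[] = [];
  for (const r of resources) {
    if (r.Type !== "AWS::ApiGatewayV2::Route") continue;
    const [method, path] = String(r.Properties?.RouteKey).split(" ", 2);
    if (!path) continue; // "$default" has no path; not covered by this check
    // CDK grants "<apiId>/<stage>/<method>/<path>" with wildcards, e.g. "/*/*/hr/jobs".
    const covered = grantedArns.some(arn =>
      arn.endsWith(`/*/*${path}`) || arn.endsWith(`/*/${method}${path}`));
    if (!covered) missing.push(`${method} ${path}`);
  }
  return missing;
}

// Constructed sample mirroring the issue: two routes, one permission (for /hr/jobs only).
const sampleTemplate: Template = {
  Resources: {
    RouteJobs: { Type: "AWS::ApiGatewayV2::Route",
      Properties: { RouteKey: "GET /hr/jobs", Target: "integrations/abc" } },
    RouteJob: { Type: "AWS::ApiGatewayV2::Route",
      Properties: { RouteKey: "GET /hr/job/{reqId}", Target: "integrations/abc" } },
    JobsPermission: { Type: "AWS::Lambda::Permission",
      Properties: { Action: "lambda:InvokeFunction", Principal: "apigateway.amazonaws.com",
        SourceArn: { "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" },
          ":execute-api:us-east-1:123:", { Ref: "HttpApiF5A9A8A7" }, "/*/*/hr/jobs"]] } } },
  },
};
```

Run it against `cdk.out/<stack>.template.json` before deploying; an empty result means every route's Lambda target is invocable by API Gateway.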
⚠️COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.