2020-07-02

Troubleshooting Pesky API ApiGatewayV2 Authorizer permissions

Lately I’ve been building a Web application for crosscut.io. The frontend is built with Vue/Vuetify, the backend is a mix of TypeScript and R (for GIS Processing). Most of the compute is handled with lambdas, and to provide bi-directional communication I’m using a WebSockets API Gateway. I had a devil of a time getting the permissions to work for the Authorizer. I kept getting errors like this in the API Gateway logs:

1
2
3
4
5
2020-07-02T11:34:31.881-04:00 (PDS1PEC4oAMFpyA=) Execution failed due to configuration error: Invalid permissions on Lambda function

2020-07-02T11:34:31.882-04:00 (PDS1PEC4oAMFpyA=) Execution failed due to configuration error: Authorizer error

2020-07-02T11:34:31.882-04:00 (PDS1PEC4oAMFpyA=) Gateway response type: AUTHORIZER_CONFIGURATION_ERROR with status code: 500

After creating an Authorizer through the console instead of through CloudFormation, I realized that the authorizer source arn is different than the other methods (it doesn’t run from a stage). I changed my SourceArn in the template to this, and then the Authorizer Lambda started working:

1
2
3
4
5
6
7
AuthPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref CCAuthorizerLambda
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${CCApi}/*"

For reference, the API Gateway and Authorizer are declared like this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
CCApi:
    Type: "AWS::ApiGatewayV2::Api"
    Properties:
      Name: cc-api
      ProtocolType: WEBSOCKET
      RouteSelectionExpression: $request.body.action
      ApiKeySelectionExpression: $request.header.x-api-key
CCApiAuthorizer:
    Type: AWS::ApiGatewayV2::Authorizer
    Properties:
      ApiId: !Ref CCApi
      # AuthorizerCredentialsArn: !GetAtt CCApiAuthorizerRole.Arn
      AuthorizerType: REQUEST
      AuthorizerUri: !Sub "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${CCAuthorizerLambda.Arn}/invocations"
      IdentitySource: 
        - "route.request.header.Authorization"
      Name: ConnectAuthorizer