API Gateway call to Lambda {proxy+} function - Internal Server Error
Question
<details>
<summary>English:</summary>
I have an API Gateway with the following API endpoint:
[![enter image description here][1]][1]
When I try to test it I get the following error:
Request: /connect/list_users
Status: 500
Latency: 29 ms
Response Body
{"message": "Internal server error"}
Response Headers
{"x-amzn-ErrorType":["InternalServerErrorException"]}
Logs
Execution log for request 3ff47544-2f03-4e52-a52c-ce76e397aee7
Wed May 31 15:52:55 UTC 2023 : Starting execution for request: 3ff47544-2f03-4e52-a52c-ce76e397aee7
Wed May 31 15:52:55 UTC 2023 : HTTP Method: GET, Resource Path: /connect/list_users
Wed May 31 15:52:55 UTC 2023 : Method request path: {proxy=list_users}
Wed May 31 15:52:55 UTC 2023 : Method request query string: {}
Wed May 31 15:52:55 UTC 2023 : Method request headers: {}
Wed May 31 15:52:55 UTC 2023 : Method request body before transformations:
Wed May 31 15:52:55 UTC 2023 : Endpoint request URI: https://lambda.eu-west-2.amazonaws.com/2015-03-31/functions/arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:connect_api/invocations
Wed May 31 15:52:55 UTC 2023 : Endpoint request headers: {X-Amz-Date=20230531T155255Z, x-amzn-apigateway-api-id=xxxxxxxxxxxx, Accept=application/json, User-Agent=AmazonAPIGateway_xxxxxxxxxxxx, Host=lambda.eu-west-2.amazonaws.com, X-Amz-Content-Sha256=xxxxxxxxxxxx, X-Amzn-Trace-Id=Root=1-64776d57-xxxxxxxxxxxx, x-amzn-lambda-integration-tag=xxxxxxxxxxxx, Authorization=*********************************************************************************************************************************************************************************************************************************************************************************************************************************************ca4e12, X-Amz-Source-Arn=arn:aws:execute-api:eu-west-2:xxxxxxxxxxxx:xxxxxxxxxxxx/test-invoke-stage/GET/connect/{proxy+}, X-Amz-Security-Token=xxxxxxxxxxxx/xxxxxxxxxxxx [TRUNCATED]
Wed May 31 15:52:55 UTC 2023 : Endpoint request body after transformations: {"resource":"/connect/{proxy+}","path":"/connect/list_users","httpMethod":"GET","headers":null,"multiValueHeaders":null,"queryStringParameters":null,"multiValueQueryStringParameters":null,"pathParameters":{"proxy":"list_users"},"stageVariables":null,"requestContext":{"resourceId":"xxxxxxxxxxxx","resourcePath":"/connect/{proxy+}","httpMethod":"GET","extendedRequestId":"xxxxxxxxxxxx=","requestTime":"31/May/2023:15:52:55 +0000","path":"/connect/{proxy+}","accountId":"xxxxxxxxxxxx","protocol":"HTTP/1.1","stage":"test-invoke-stage","domainPrefix":"testPrefix","requestTimeEpoch":xxxxxxxxxxxx,"requestId":"xxxxxxxxxxxx","identity":{"cognitoIdentityPoolId":null,"cognitoIdentityId":null,"apiKey":"test-invoke-api-key","principalOrgId":null,"cognitoAuthenticationType":null,"userArn":"arn:aws:iam::xxxxxxxxxxxx:user/xxxxxxxxxxxx@xxxxxxxxxxxx.com","apiKeyId":"test-invoke-api-key-id","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, li [TRUNCATED]
Wed May 31 15:52:55 UTC 2023 : Sending request to https://lambda.eu-west-2.amazonaws.com/2015-03-31/functions/arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:connect_api/invocations
Wed May 31 15:52:55 UTC 2023 : Execution failed due to configuration error: Invalid permissions on Lambda function
Wed May 31 15:52:55 UTC 2023 : Method completed with status: 500
Now, this is the policy attached to the IAM role for the Lambda function that calls the DynamoDB table:
```json
{
  "Statement": [
    {
      "Action": [
        "connect:ListRoutingProfiles",
        "connect:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:connect:eu-west-2:xxxxxxxxxxxx:instance/xxxxxxxxxxxx/contact-flow/*/*",
        "arn:aws:connect:eu-west-2:xxxxxxxxxxxx:instance/xxxxxxxxxxxx/contact-flow/*",
        "arn:aws:connect:eu-west-2:xxxxxxxxxxxx:instance/xxxxxxxxxxxx/*",
        "arn:aws:connect:eu-west-2:xxxxxxxxxxxx:instance/xxxxxxxxxxxx"
      ],
      "Sid": ""
    },
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:connect_api"
    },
    {
      "Action": "dynamodb:Query",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/contactlens/index/timestamp",
        "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/contactlens"
      ],
      "Sid": ""
    },
    {
      "Action": [
        "dynamodb:Scan",
        "dynamodb:GetItem"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/ctr",
        "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/agent_status"
      ],
      "Sid": ""
    },
    {
      "Action": "dynamodb:UpdateItem",
      "Effect": "Allow",
      "Resource": "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/agent_status",
      "Sid": ""
    },
    {
      "Action": [
        "logs:PutLogEvents",
        "logs:CreateLogStream",
        "logs:CreateLogGroup"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:*:*:*",
      "Sid": ""
    }
  ],
  "Version": "2012-10-17"
}
```
And this is the policy attached to the IAM role for the API Gateway to call the Lambda function:
```json
{
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    },
    {
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:Scan"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/customers",
        "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/accounts",
        "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/cards",
        "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/sinistres",
        "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/email",
        "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/appointment_slots",
        "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/agencies",
        "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/intent_history",
        "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/authorization_requests",
        "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/ctr",
        "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/agent_status",
        "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/missed_calls"
      ]
    },
    {
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:treat_authorization_request"
      ]
    }
  ],
  "Version": "2012-10-17"
}
```
For the sake of clarity, this is how I test this API:
[![API Gateway test][2]][2]
Finally, if I test the Lambda function in the test environment of the Lambda console, it works fine, so I suppose this means that the problem is not between the function and the DynamoDB table, but if I test the API call from the API Gateway I get the error above.
Do you have any idea what could be the issue?
[1]: https://i.stack.imgur.com/gWhrZ.png
[2]: https://i.stack.imgur.com/GnXEF.png
</details>
# Answer 1
**Score**: 1
Your API Gateway execution role only has permission to invoke a Lambda function named `treat_authorization_request`, but that API seems to be invoking a function named `connect_api`.
What happens if you update the policy like this?
```json
{
  "Action": [
    "lambda:InvokeFunction"
  ],
  "Effect": "Allow",
  "Resource": [
    "arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:*"
  ]
}
```
# Answer 2
**Score**: 0
I solved the problem.
If I go to the API Gateway console -> my API Endpoint -> /connect method -> ANY -> Integration Requests:
[![API Gateway Console][1]][1]
then I simply click on Lambda Function (the pencil symbol) as if I wanted to modify the selected function, and I try to save the selected function keeping the same one (connect_api), a new window will pop up before saving it:
[![Permission to Lambda Function][2]][2]
then you click "ok" and the API works fine.
So basically it seems to be a problem in the policy associated with the IAM role used by the API Gateway.
Now the question is, how should I change the policy in order to avoid adding the permission to the API Gateway from the API Gateway Console?
This AWS documentation helped me: [AWS Internal Server Error troubleshoot][3]
[1]: https://i.stack.imgur.com/42Bjl.png
[2]: https://i.stack.imgur.com/DWe3L.png
[3]: https://repost.aws/knowledge-center/api-gateway-http-lambda-integrations
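The console dialog in Answer 2 adds a statement to the function's resource-based policy that lets `apigateway.amazonaws.com` invoke it. The sketch below is an added example, not code from the post or from AWS: a simplified offline evaluator that checks whether such a statement covers the `X-Amz-Source-Arn` shown in the log. The `prod` stage and all helper names are assumptions; the ARNs reuse the page's masked values.

```python
import re

# Values as masked on this page; X-Amz-Source-Arn is taken from the execution log.
FUNCTION_ARN = "arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:connect_api"
API_PREFIX = "arn:aws:execute-api:eu-west-2:xxxxxxxxxxxx:xxxxxxxxxxxx"
SOURCE_ARN = API_PREFIX + "/test-invoke-stage/GET/connect/{proxy+}"

def _wild(pattern, value):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one character.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def arn_like(pattern, arn):
    # ArnLike compares the six colon-delimited ARN components one by one.
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(_wild(x, y) for x, y in zip(p, a))

def _listify(v):
    return v if isinstance(v, list) else [v]

def statement(source_arn_pattern):
    # Constructed statement of the shape lambda:AddPermission writes (hypothetical helper).
    return {"Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": FUNCTION_ARN,
            "Condition": {"ArnLike": {"AWS:SourceArn": source_arn_pattern}}}

def apigw_may_invoke(policy, function_arn=FUNCTION_ARN, source_arn=SOURCE_ARN):
    """Simplified check: Allow statements only, exact 'AWS:SourceArn' key, no Deny handling."""
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        services = _listify(principal.get("Service", [])) if isinstance(principal, dict) else []
        cond = st.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
        if (st.get("Effect") == "Allow"
                and "apigateway.amazonaws.com" in services
                and any(_wild(x, "lambda:InvokeFunction") for x in _listify(st.get("Action", [])))
                and any(_wild(x, function_arn) for x in _listify(st.get("Resource", [])))
                and (cond is None or any(arn_like(p, source_arn) for p in _listify(cond)))):
            return True
    return False

# Constructed policies: no statement (the failing state), scoped to the API, pinned to one stage.
NO_STATEMENT = {"Version": "2012-10-17", "Statement": []}
SCOPED = {"Version": "2012-10-17", "Statement": [statement(API_PREFIX + "/*/*/connect/*")]}
STAGE_PINNED = {"Version": "2012-10-17",
                "Statement": [statement(API_PREFIX + "/prod/GET/connect/*")]}  # 'prod' is assumed

if __name__ == "__main__":
    for name, pol in [("none", NO_STATEMENT), ("scoped", SCOPED), ("stage-pinned", STAGE_PINNED)]:
        print(name, apigw_may_invoke(pol))
```

Outside the console, the same statement is created with `aws lambda add-permission` or a Terraform `aws_lambda_permission` resource; a source ARN pinned to one deployed stage does not match the `test-invoke-stage` that the console Test button sends.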