API网关调用Lambda {proxy+}函数 – 内部服务器错误

huangapple go评论64阅读模式
英文:

API Gateway call to Lambda {proxy+} function - Internal Server Error

问题

我有一个API网关,其中包含以下API端点:

当我尝试测试它时,我收到以下错误:

Request: /connect/list_users
Status: 500
Latency: 29 ms
Response Body
{"message": "Internal server error"}
Response Headers
{"x-amzn-ErrorType":["InternalServerErrorException"]}
Logs
Execution log for request 3ff47544-2f03-4e52-a52c-ce76e397aee7
Wed May 31 15:52:55 UTC 2023 : Starting execution for request: 3ff47544-2f03-4e52-a52c-ce76e397aee7
Wed May 31 15:52:55 UTC 2023 : HTTP Method: GET, Resource Path: /connect/list_users
Wed May 31 15:52:55 UTC 2023 : Method request path: {proxy=list_users}
Wed May 31 15:52:55 UTC 2023 : Method request query string: {}
Wed May 31 15:52:55 UTC 2023 : Method request headers: {}
Wed May 31 15:52:55 UTC 2023 : Method request body before transformations: 
Wed May 31 15:52:55 UTC 2023 : Endpoint request URI: https://lambda.eu-west-2.amazonaws.com/2015-03-31/functions/arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:connect_api/invocations
Wed May 31 15:52:55 UTC 2023 : Endpoint request headers: {X-Amz-Date=20230531T155255Z, x-amzn-apigateway-api-id=xxxxxxxxxxxx, Accept=application/json, User-Agent=AmazonAPIGateway_xxxxxxxxxxxx, Host=lambda.eu-west-2.amazonaws.com, X-Amz-Content-Sha256=xxxxxxxxxxxx, X-Amzn-Trace-Id=Root=1-64776d57-xxxxxxxxxxxx, x-amzn-lambda-integration-tag=xxxxxxxxxxxx, Authorization=*********************************************************************************************************************************************************************************************************************************************************************************************************************************************ca4e12, X-Amz-Source-Arn=arn:aws:execute-api:eu-west-2:xxxxxxxxxxxx:xxxxxxxxxxxx/test-invoke-stage/GET/connect/{proxy+}, X-Amz-Security-Token=xxxxxxxxxxxx/xxxxxxxxxxxx [TRUNCATED]
Wed May 31 15:52:55 UTC 2023 : Endpoint request body after transformations: {"resource":"/connect/{proxy+}","path":"/connect/list_users","httpMethod":"GET","headers":null,"multiValueHeaders":null,"queryStringParameters":null,"multiValueQueryStringParameters":null,"pathParameters":{"proxy":"list_users"},"stageVariables":null,"requestContext":{"resourceId":"xxxxxxxxxxxx","resourcePath":"/connect/{proxy+}","httpMethod":"GET","extendedRequestId":"xxxxxxxxxxxx=","requestTime":"31/May/2023:15:52:55 +0000","path":"/connect/{proxy+}","accountId":"xxxxxxxxxxxx","protocol":"HTTP/1.1","stage":"test-invoke-stage","domainPrefix":"testPrefix","requestTimeEpoch":xxxxxxxxxxxx,"requestId":"xxxxxxxxxxxx","identity":{"cognitoIdentityPoolId":null,"cognitoIdentityId":null,"apiKey":"test-invoke-api-key","principalOrgId":null,"cognitoAuthenticationType":null,"userArn":"arn:aws:iam::xxxxxxxxxxxx:user/xxxxxxxxxxxx@xxxxxxxxxxxx.com","apiKeyId":"test-invoke-api-key-id","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, li [TRUNCATED]
Wed May 31 15:52:55 UTC 2023 : Sending request to https://lambda.eu-west-2.amazonaws.com/2015-03-31/functions/arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:connect_api/invocations
Wed May 31 15:52:55 UTC 2023 : Execution failed due to configuration error: Invalid permissions on Lambda function
Wed May 31 15:52:55 UTC 2023 : Method completed with status: 500

现在,这是附加到调用DynamoDB表的Lambda函数的IAM角色的策略:

{
    "Statement": [
        {
            "Action": [
                "connect:ListRoutingProfiles",
                "connect:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:connect:eu-west-2:xxxxxxxxxxxx:instance/xxxxxxxxxxxx/contact-flow/*/*",
                "arn:aws:connect:eu-west-2:xxxxxxxxxxxx:instance/xxxxxxxxxxxx/contact-flow/*",
                "arn:aws:connect:eu-west-2:xxxxxxxxxxxx:instance/xxxxxxxxxxxx/*",
                "arn:aws:connect:eu-west-2:xxxxxxxxxxxx:instance/xxxxxxxxxxxx"
            ],
            "Sid": ""
        },
        {
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:connect_api"
        },
        {
            "Action": "dynamodb:Query",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/contactlens/index/timestamp",
                "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/contactlens"
            ],
            "Sid": ""
        },
        {
            "Action": [
                "dynamodb:Scan",
                "dynamodb:GetItem"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/ctr",
                "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/agent_status"
            ],
            "Sid": ""
        },
        {
            "Action": "dynamodb:UpdateItem",
            "Effect": "Allow",
            "Resource": "arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/agent_status",
            "Sid": ""
        },
        {
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream",
                "logs:CreateLogGroup"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:logs:*:*:*",
            "Sid": ""
        }
    ],
    "Version": "2012-10-17"
}

而这是用于API网关调用Lambda函数的IAM角色的策略:

{
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents",
"logs:FilterLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:*"
]
},
{
"Action": [
"dynamodb:PutItem",
"d
<details>
<summary>英文:</summary>
I have an API Gateway with the following API endpoint:
[![enter image description here][1]][1]
When I try to test it I get the following error:
&lt;!-- begin snippet: js hide: false console: true babel: false --&gt;
&lt;!-- language: lang-js --&gt;
Request: /connect/list_users
Status: 500
Latency: 29 ms
Response Body
{&quot;message&quot;: &quot;Internal server error&quot;}
Response Headers
{&quot;x-amzn-ErrorType&quot;:[&quot;InternalServerErrorException&quot;]}
Logs
Execution log for request 3ff47544-2f03-4e52-a52c-ce76e397aee7
Wed May 31 15:52:55 UTC 2023 : Starting execution for request: 3ff47544-2f03-4e52-a52c-ce76e397aee7
Wed May 31 15:52:55 UTC 2023 : HTTP Method: GET, Resource Path: /connect/list_users
Wed May 31 15:52:55 UTC 2023 : Method request path: {proxy=list_users}
Wed May 31 15:52:55 UTC 2023 : Method request query string: {}
Wed May 31 15:52:55 UTC 2023 : Method request headers: {}
Wed May 31 15:52:55 UTC 2023 : Method request body before transformations: 
Wed May 31 15:52:55 UTC 2023 : Endpoint request URI: https://lambda.eu-west-2.amazonaws.com/2015-03-31/functions/arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:connect_api/invocations
Wed May 31 15:52:55 UTC 2023 : Endpoint request headers: {X-Amz-Date=20230531T155255Z, x-amzn-apigateway-api-id=xxxxxxxxxxxx, Accept=application/json, User-Agent=AmazonAPIGateway_xxxxxxxxxxxx, Host=lambda.eu-west-2.amazonaws.com, X-Amz-Content-Sha256=xxxxxxxxxxxx, X-Amzn-Trace-Id=Root=1-64776d57-xxxxxxxxxxxx, x-amzn-lambda-integration-tag=xxxxxxxxxxxx, Authorization=*********************************************************************************************************************************************************************************************************************************************************************************************************************************************ca4e12, X-Amz-Source-Arn=arn:aws:execute-api:eu-west-2:xxxxxxxxxxxx:xxxxxxxxxxxx/test-invoke-stage/GET/connect/{proxy+}, X-Amz-Security-Token=xxxxxxxxxxxx/xxxxxxxxxxxx [TRUNCATED]
Wed May 31 15:52:55 UTC 2023 : Endpoint request body after transformations: {&quot;resource&quot;:&quot;/connect/{proxy+}&quot;,&quot;path&quot;:&quot;/connect/list_users&quot;,&quot;httpMethod&quot;:&quot;GET&quot;,&quot;headers&quot;:null,&quot;multiValueHeaders&quot;:null,&quot;queryStringParameters&quot;:null,&quot;multiValueQueryStringParameters&quot;:null,&quot;pathParameters&quot;:{&quot;proxy&quot;:&quot;list_users&quot;},&quot;stageVariables&quot;:null,&quot;requestContext&quot;:{&quot;resourceId&quot;:&quot;xxxxxxxxxxxx&quot;,&quot;resourcePath&quot;:&quot;/connect/{proxy+}&quot;,&quot;httpMethod&quot;:&quot;GET&quot;,&quot;extendedRequestId&quot;:&quot;xxxxxxxxxxxx=&quot;,&quot;requestTime&quot;:&quot;31/May/2023:15:52:55 +0000&quot;,&quot;path&quot;:&quot;/connect/{proxy+}&quot;,&quot;accountId&quot;:&quot;xxxxxxxxxxxx&quot;,&quot;protocol&quot;:&quot;HTTP/1.1&quot;,&quot;stage&quot;:&quot;test-invoke-stage&quot;,&quot;domainPrefix&quot;:&quot;testPrefix&quot;,&quot;requestTimeEpoch&quot;:xxxxxxxxxxxx,&quot;requestId&quot;:&quot;xxxxxxxxxxxx&quot;,&quot;identity&quot;:{&quot;cognitoIdentityPoolId&quot;:null,&quot;cognitoIdentityId&quot;:null,&quot;apiKey&quot;:&quot;test-invoke-api-key&quot;,&quot;principalOrgId&quot;:null,&quot;cognitoAuthenticationType&quot;:null,&quot;userArn&quot;:&quot;arn:aws:iam::xxxxxxxxxxxx:user/xxxxxxxxxxxx@xxxxxxxxxxxx.com&quot;,&quot;apiKeyId&quot;:&quot;test-invoke-api-key-id&quot;,&quot;userAgent&quot;:&quot;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, li [TRUNCATED]
Wed May 31 15:52:55 UTC 2023 : Sending request to https://lambda.eu-west-2.amazonaws.com/2015-03-31/functions/arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:connect_api/invocations
Wed May 31 15:52:55 UTC 2023 : Execution failed due to configuration error: Invalid permissions on Lambda function
Wed May 31 15:52:55 UTC 2023 : Method completed with status: 500
&lt;!-- end snippet --&gt;
Now, this is the policy attached to the IAM role for the Lambda function that calls the DynamoDB table:
&lt;!-- begin snippet: js hide: false console: true babel: false --&gt;
&lt;!-- language: lang-js --&gt;
{
&quot;Statement&quot;: [
{
&quot;Action&quot;: [
&quot;connect:ListRoutingProfiles&quot;,
&quot;connect:*&quot;
],
&quot;Effect&quot;: &quot;Allow&quot;,
&quot;Resource&quot;: [
&quot;arn:aws:connect:eu-west-2:xxxxxxxxxxxx:instance/xxxxxxxxxxxx/contact-flow/*/*&quot;,
&quot;arn:aws:connect:eu-west-2:xxxxxxxxxxxx:instance/xxxxxxxxxxxx/contact-flow/*&quot;,
&quot;arn:aws:connect:eu-west-2:xxxxxxxxxxxx:instance/xxxxxxxxxxxx/*&quot;,
&quot;arn:aws:connect:eu-west-2:xxxxxxxxxxxx:instance/xxxxxxxxxxxx&quot;
],
&quot;Sid&quot;: &quot;&quot;
},
{
&quot;Effect&quot;: &quot;Allow&quot;,
&quot;Action&quot;: &quot;lambda:InvokeFunction&quot;,
&quot;Resource&quot;: &quot;arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:connect_api&quot;
},
{
&quot;Action&quot;: &quot;dynamodb:Query&quot;,
&quot;Effect&quot;: &quot;Allow&quot;,
&quot;Resource&quot;: [
&quot;arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/contactlens/index/timestamp&quot;,
&quot;arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/contactlens&quot;
],
&quot;Sid&quot;: &quot;&quot;
},
{
&quot;Action&quot;: [
&quot;dynamodb:Scan&quot;,
&quot;dynamodb:GetItem&quot;
],
&quot;Effect&quot;: &quot;Allow&quot;,
&quot;Resource&quot;: [
&quot;arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/ctr&quot;,
&quot;arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/agent_status&quot;
],
&quot;Sid&quot;: &quot;&quot;
},
{
&quot;Action&quot;: &quot;dynamodb:UpdateItem&quot;,
&quot;Effect&quot;: &quot;Allow&quot;,
&quot;Resource&quot;: &quot;arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/agent_status&quot;,
&quot;Sid&quot;: &quot;&quot;
},
{
&quot;Action&quot;: [
&quot;logs:PutLogEvents&quot;,
&quot;logs:CreateLogStream&quot;,
&quot;logs:CreateLogGroup&quot;
],
&quot;Effect&quot;: &quot;Allow&quot;,
&quot;Resource&quot;: &quot;arn:aws:logs:*:*:*&quot;,
&quot;Sid&quot;: &quot;&quot;
}
],
&quot;Version&quot;: &quot;2012-10-17&quot;
}
&lt;!-- end snippet --&gt;
And this is the policy attached to the IAM role for the API Gateway to call the Lambda function:
&lt;!-- begin snippet: js hide: false console: true babel: false --&gt;
&lt;!-- language: lang-js --&gt;
{
&quot;Statement&quot;: [
{
&quot;Action&quot;: [
&quot;logs:CreateLogGroup&quot;,
&quot;logs:CreateLogStream&quot;,
&quot;logs:DescribeLogGroups&quot;,
&quot;logs:DescribeLogStreams&quot;,
&quot;logs:PutLogEvents&quot;,
&quot;logs:GetLogEvents&quot;,
&quot;logs:FilterLogEvents&quot;
],
&quot;Effect&quot;: &quot;Allow&quot;,
&quot;Resource&quot;: [
&quot;arn:aws:logs:*:*:*&quot;
]
},
{
&quot;Action&quot;: [
&quot;dynamodb:PutItem&quot;,
&quot;dynamodb:UpdateItem&quot;,
&quot;dynamodb:DeleteItem&quot;,
&quot;dynamodb:GetItem&quot;,
&quot;dynamodb:Scan&quot;
],
&quot;Effect&quot;: &quot;Allow&quot;,
&quot;Resource&quot;: [
&quot;arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/customers&quot;,
&quot;arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/accounts&quot;,
&quot;arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/cards&quot;,
&quot;arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/sinistres&quot;,
&quot;arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/email&quot;,
&quot;arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/appointment_slots&quot;,
&quot;arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/agencies&quot;,
&quot;arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/intent_history&quot;,
&quot;arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/authorization_requests&quot;,
&quot;arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/ctr&quot;,
&quot;arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/agent_status&quot;,
&quot;arn:aws:dynamodb:eu-west-2:xxxxxxxxxxxx:table/missed_calls&quot;
]
},
{
&quot;Action&quot;: [
&quot;lambda:InvokeFunction&quot;
],
&quot;Effect&quot;: &quot;Allow&quot;,
&quot;Resource&quot;: [
&quot;arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:treat_authorization_request&quot;
]
}
],
&quot;Version&quot;: &quot;2012-10-17&quot;
}
&lt;!-- end snippet --&gt;
For the sake of clarity, this is how I test this API:
[![API Gateway test][2]][2]
Finally, if I test the Lambda function in the test environment of the Lambda console, it works fine, so I suppose this means that the problem is not between the function and the DynamoDB table, but if I test the API call from the API Gateway I get the error of above.
Do you have any idea what could be the issue?
[1]: https://i.stack.imgur.com/gWhrZ.png
[2]: https://i.stack.imgur.com/GnXEF.png
</details>
# 答案1
**得分**: 1
Your API Gateway execution role only has permission to invoke a Lambda function named `treat_authorization_request`, but that API seems to be invoking a function named `connect_api`.
What happens if you update the policy like this?

{
"Action": [
"lambda:InvokeFunction"
],
"Effect": "Allow",
"Resource": [
"arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:*"
]
}


<details>
<summary>英文:</summary>
Your API Gateway execution role only has permission to invoke a Lambda function named `treat_authorization_request`, but that API seems to be invoking a function named `connect_api`.
What happens if you update the policy like this?
    {
&quot;Action&quot;: [
&quot;lambda:InvokeFunction&quot;
],
&quot;Effect&quot;: &quot;Allow&quot;,
&quot;Resource&quot;: [
&quot;arn:aws:lambda:eu-west-2:xxxxxxxxxxxx:function:*&quot;
]
}

</details>
# 答案2
**得分**: 0
我解决了这个问题。
如果我进入API Gateway控制台 -&gt; 我的API端点 -&gt; /connect方法 -&gt; ANY -&gt; 集成请求:
[![API Gateway控制台][1]][1]
然后我简单地点击Lambda函数(铅笔符号),就像我要修改所选的函数一样,并尝试保存所选的函数,保持不变(connect_api),然后在保存之前会弹出一个新窗口:
[![给Lambda函数授权][2]][2]
然后你点击"ok",API就正常工作了。
所以基本上看起来是与API Gateway使用的IAM角色相关联的策略有问题。
现在的问题是,我应该如何更改策略,以避免从API Gateway控制台向API Gateway添加权限?
这份AWS文档帮助了我:[AWS内部服务器错误故障排除][3]
[1]: https://i.stack.imgur.com/42Bjl.png
[2]: https://i.stack.imgur.com/DWe3L.png
[3]: https://repost.aws/knowledge-center/api-gateway-http-lambda-integrations
<details>
<summary>英文:</summary>
I solved the problem. 
If I go to the API Gateway console -&gt; my API Endpoint -&gt; /connect method -&gt; ANY -&gt; Integration Requests:
[![API Gateway Console][1]][1]
then I simply click in Lambda Function (the pencil symbol) like I want to modify the selected function and I try to save the selected function keeping the same one (connect_api), a new window will pop up before saving it:
[![Permission to Lambda Function][2]][2]
then you click &quot;ok&quot; and the API works fine.
So basically seems a problem in the policy associated to the IAM role used by the API Gateway.
Now the question is, how should I change the policy in order to avoid to add the permission to the API Gateway from the API Gateway Console?
This AWS documentation helped me: [AWS Internal Server Error troubleshoot][3]
[1]: https://i.stack.imgur.com/42Bjl.png
[2]: https://i.stack.imgur.com/DWe3L.png
[3]: https://repost.aws/knowledge-center/api-gateway-http-lambda-integrations
</details>

huangapple
  • 本文由 发表于 2023年6月1日 00:08:47
  • 转载请务必保留本文链接:https://go.coder-hub.com/76375441.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定