HTTP API authorizer does not set "Invoke permissions" #2933

Closed
mrichman opened this issue Feb 23, 2023 · 5 comments
mrichman commented Feb 23, 2023

This is largely a duplicate of #2005 but I am opening a new issue for visibility.

Put simply, REST API behaves as expected, but HTTP API does not. This setting, "Invoke permissions", does not seem to be settable via SAM, regardless of whether FunctionInvokeRole is set.

(screenshot omitted)

Here is a snippet of my template:

Resources:

  HttpApi:
    Type: AWS::Serverless::HttpApi
    Properties:
      Description: My HTTP API
      StageName: !Ref StageName
      Auth:
        DefaultAuthorizer: LambdaAuthorizer
        Authorizers:
          LambdaAuthorizer:
            FunctionArn: !GetAtt AuthFunction.Arn
            # FunctionInvokeRole: !GetAtt AuthFunctionRole.Arn
          ...

  AuthFunction:
    Type: AWS::Serverless::Function
    ...

  # AuthFunctionRole:
  #   Type: AWS::IAM::Role
  #   Properties:
  #     AssumeRolePolicyDocument:
  #       Version: "2012-10-17"
  #       Statement:
  #         - Effect: "Allow"
  #           Principal:
  #             Service:
  #               - "apigateway.amazonaws.com"
  #           Action:
  #             - sts:AssumeRole
  #     Policies:
  #       - PolicyName: "InvokeAuthFunction"
  #         PolicyDocument:
  #           Version: "2012-10-17"
  #           Statement:
  #             - Effect: "Allow"
  #               Action:
  #                 - lambda:InvokeAsync
  #                 - lambda:InvokeFunction
  #               Resource: !GetAtt AuthFunction.Arn

If I do not set a function role explicitly, I expect one to be created for me, setting the proper policy for API GW to invoke the function, similar to this:

(screenshot omitted)

If I uncomment the function role above, the role is created, but the above "Invoke permissions" setting is still not active.

@mrichman mrichman added stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. type/bug labels Feb 23, 2023
@aaythapa aaythapa self-assigned this Feb 23, 2023
@aaythapa (Contributor):

Thanks for reporting the issue; we'll look into the problem and work on a fix.

@aaythapa (Contributor):

Looks like SAM HttpApi doesn't automatically create a Lambda Permission resource that allows the API resource to invoke the authorizer Lambda (SAM RestApi creates this permission resource automatically when FunctionArn is defined). Adding the following resource to your template will allow the API to invoke the authorizer Lambda.

  LambdaPermissions:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt <auth-function-logical-id>.Arn
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub
        - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${ApiID}/authorizers/*"
        - ApiID: !Ref <http-api-logical-id>

You shouldn't need to define the AuthFunctionRole resource or set FunctionInvokeRole after adding the permissions resource. This is a workaround for now and we'll add an opt-in property that will automatically create this resource for the user.

@aaythapa aaythapa added stage/in-progress A fix is being worked on area/resource/http-api and removed stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. labels Feb 28, 2023
@aaythapa (Contributor):

The PR is merged and the change will be released in the coming weeks.

@ryan-alley:

Looks like SAM HttpApi doesn't automatically create a Lambda Permission resource that allows the API resource to invoke the authorizer Lambda (SAM RestApi creates this permission resource automatically when FunctionArn is defined). Adding the following resource to your template will allow the API to invoke the authorizer Lambda.

  LambdaPermissions:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt <auth-function-logical-id>.Arn
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub
        - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${ApiID}/authorizers/*"
        - ApiID: !Ref <http-api-logical-id>

You shouldn't need to define the AuthFunctionRole resource or set FunctionInvokeRole after adding the permissions resource. This is a workaround for now and we'll add an opt-in property that will automatically create this resource for the user.

This was a huge help. Took forever for me to figure out this issue. Especially since, if you run it locally, everything works, and it isn't very intuitive because none of the SAM templates you see in examples have an additional role or permission.

@andiradulescu:

For anyone looking for a quick solution (using the mentioned merged PR), just put this in your Type: AWS::Serverless::HttpApi Resource -> Properties -> Auth:

...
EnableFunctionDefaultPermissions: true

FunctionInvokeRole can be deleted.

My SAM template was written with the help of:

This is what my HttpApi Resource looks like:

Resources:
  Api:
    Type: AWS::Serverless::HttpApi
    Properties:
      Auth:
        DefaultAuthorizer: Authorizer
        Authorizers:
          Authorizer:
            FunctionArn: !GetAtt AuthorizerFunction.Arn
            Identity:
              Headers:
                - Authorization
              ReauthorizeEvery: 300
            AuthorizerPayloadFormatVersion: 2.0
            EnableFunctionDefaultPermissions: true
            EnableSimpleResponses: true
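Whichever route is taken, the manual AWS::Lambda::Permission resource from the workaround above or the EnableFunctionDefaultPermissions property in the comment just above, the end state is a statement in the authorizer function's resource-based policy. The following checker, added here as an example and not code from the issue or from the SAM project, verifies that state from the policy document Lambda returns (the "Policy" field of `aws lambda get-policy --function-name <name>`). It distinguishes a grant scoped to one API's authorizers (the shape SAM emits) from a grant with no SourceArn condition, which would let any API Gateway API invoke the authorizer. The region, account id, API id and function name in the embedded sample policies are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample of the document Lambda's GetPolicy returns in its
# "Policy" field once the permission resource has been applied. Region,
# account id, API id and function name are placeholders, not issue values.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [{
        "Sid": "ApiGatewayInvokeAuthorizer",
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:AuthFunction",
        "Condition": {"ArnLike": {
            "AWS:SourceArn": "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4/authorizers/*"
        }},
    }],
})

# Constructed sample of the over-broad variant: same principal and action,
# but no SourceArn condition, so any API Gateway API could invoke it.
UNSCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:AuthFunction",
    }],
})

INVOKE_ACTIONS = {"lambda:InvokeFunction", "lambda:*", "*"}
# IAM condition operators that can carry a SourceArn; the *Like ones take wildcards.
PATTERN_OPS = ("ArnLike", "StringLike")
EXACT_OPS = ("ArnEquals", "StringEquals")


def _as_list(value):
    """IAM accepts a scalar or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_invoke_to_apigw(stmt):
    """True if the statement is an Allow letting API Gateway invoke the function."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        covers_apigw = True  # anonymous wildcard principal covers every caller
    elif isinstance(principal, dict):
        covers_apigw = "apigateway.amazonaws.com" in _as_list(principal.get("Service"))
    else:
        covers_apigw = False
    actions = set(_as_list(stmt.get("Action")))
    return covers_apigw and bool(actions & INVOKE_ACTIONS)


def _source_arn_scope(stmt, expected_arn):
    """'scoped' if a SourceArn condition covers expected_arn, 'unscoped' if the
    statement has no SourceArn condition at all, 'mismatch' otherwise."""
    cond = stmt.get("Condition") or {}
    found_any = False
    for op in PATTERN_OPS + EXACT_OPS:
        for pattern in _as_list((cond.get(op) or {}).get("AWS:SourceArn")):
            found_any = True
            if op in PATTERN_OPS:
                if fnmatch.fnmatchcase(expected_arn, pattern):
                    return "scoped"
            elif pattern == expected_arn:
                return "scoped"
    return "mismatch" if found_any else "unscoped"


def authorizer_invoke_status(policy_json, region, account_id, api_id, authorizer_id="*"):
    """Classify whether the resource policy lets the given HTTP API's authorizer
    invoke the function: 'allowed' (scoped to this API), 'allowed-unscoped'
    (granted to API Gateway at large) or 'missing' (the bug in this issue)."""
    expected = f"arn:aws:execute-api:{region}:{account_id}:{api_id}/authorizers/{authorizer_id}"
    doc = json.loads(policy_json)
    verdict = "missing"
    for stmt in _as_list(doc.get("Statement")):
        if not _grants_invoke_to_apigw(stmt):
            continue
        scope = _source_arn_scope(stmt, expected)
        if scope == "scoped":
            return "allowed"
        if scope == "unscoped":
            verdict = "allowed-unscoped"
    return verdict


if __name__ == "__main__":
    acct = ("us-east-1", "123456789012", "a1b2c3d4")
    print("scoped policy:  ", authorizer_invoke_status(SAMPLE_POLICY, *acct))
    print("unscoped policy:", authorizer_invoke_status(UNSCOPED_POLICY, *acct))
```

A "missing" verdict reproduces the symptom in this issue (the authorizer is configured but API Gateway cannot invoke it); "allowed-unscoped" is worth treating as a finding in its own right, since SAM's generated permission is deliberately limited to the one API's `/authorizers/*` source ARN.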
