Apparently, I reached the limit for the policy of my lambda function which I use with aws-cognito and aws-api-gateway:
The final policy size is bigger than the limit (20480)
So my lambda-function is filled with all the permitted endpoints from the api-gateway, fe:
{
"Sid": "eff74414-a6bd-4520-bf67-691ced3245d5",
"Effect": "Allow",
"Principal": {
"Service": "apigateway.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:eu-central-1:ID:function:FUNCTION",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:execute-api:eu-central-1:ID:API_ID/*/GET/company"
}
}
},
{
"Sid": "6d52e172-84b6-4196-b924-f83b78153bc5",
"Effect": "Allow",
"Principal": {
"Service": "apigateway.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:eu-central-1:ID:function:FUNCTION",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:execute-api:eu-central-1:ID:API_ID/*/GET/companies"
}
}
},
...
I know there is a way to consolidate these, using the aws cli, fe:
aws lambda add-permission --function-name 'FUNCTION' --statement-id '7bd8e791-7d28-41d0-9ebd-7e2596574fd5' --action "lambda:InvokeFunction" --principal "apigateway.amazonaws.com" --source-arn "arn:aws:execute-api:eu-central-1:ID:API_ID/*/GET/*/*/*" --source-account "ID" --region 'eu-central-1'
Although I can add this permission, it's not valid:
The API with ID API_ID does not include a resource with path ///* having an integration arn:aws:lambda:eu-central-1:ID:function:FUNCTION on the GET method.
So what can I do to consolidate all my api-permissions?
Alright, so I found a solution. I set an Execution role
on each Integration Request
per resource-method in the API-Gateway.
This execution role needs to have a trusted relationship with the api-gateway - then it will finally work:)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.