AWS API Gateway Custom Authorizer AuthorizerConfigurationException


Solution 1

Figured out what was causing the issue. From the Python Lambda function, I was returning a JSON string instance. Instead it should be a JSON object. It's strange that the same Lambda function did not error when I tested the API from the API Gateway "test" feature. But when the API was called from the internet (curl or Chrome) it failed.

#return policy_string ... this is incorrect.
return json.loads(policy_string)

Solution 2

AuthorizerConfigurationException is usually an indication that API Gateway failed to call your authorizer due to a permissions error.

Please make sure you've properly configured your function to be invoked by API Gateway. An easy way to reset this is by removing and re-adding the function to your authorizer. The console will then prompt you to add the necessary permissions.

Solution 3

I was facing the same error. In my case, a Node.js function, I was adding one context key as an array.

{
  policyDocument: {
    Version: '2012-10-17',
    Statement: [{
      Action: 'execute-api:Invoke',
      Effect: effect,
      Resource: `${arn.split('/').slice(0, 2).join('/')}/*`,
    }],
  },
  context: {
    roles: ['admin'] // array value in the context map: this is what triggered the error
  }
}

As the doc says:

You can access the stringKey, numberKey, or booleanKey value (for example, "value", "1", or "true") of the context map in a mapping template by calling $context.authorizer.stringKey, $context.authorizer.numberKey, or $context.authorizer.booleanKey, respectively. The returned values are all stringified. Notice that you cannot set a JSON object or array as a valid value of any key in the context map.

Remove the role key and it's working.
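Added example, not part of any answer above and not AWS's own code: a Python TOKEN authorizer that avoids the response-shape mistakes from Solutions 1 and 3, with a checker for them. `DEMO_TOKEN`, `check_authorizer_response`, `build_response` and the comma-joined `roles` string are assumptions made for illustration.

```python
import hmac

DEMO_TOKEN = "constructed-demo-token"  # placeholder credential, constructed for this example
CONTEXT_TYPES = (str, int, float, bool)  # the only value types the context map accepts

def check_authorizer_response(resp):
    """List the response-shape problems this page ties to AuthorizerConfigurationException."""
    if isinstance(resp, str):
        return ["response is a JSON string; return the dict itself"]
    if not isinstance(resp, dict):
        return ["response is not a JSON object"]
    problems = []
    for key in ("principalId", "policyDocument"):
        if key not in resp:
            problems.append(f"missing key {key!r} (keys are camelCase)")
    for key, value in resp.get("context", {}).items():
        if not isinstance(value, CONTEXT_TYPES):
            problems.append(f"context[{key!r}] is a {type(value).__name__}, not a string, number or boolean")
    return problems

def build_response(principal_id, effect, method_arn, roles):
    # Same resource widening as the Node.js snippet: keep "<api-arn>/<stage>" and append "/*".
    resource = "/".join(method_arn.split("/")[:2]) + "/*"
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}],
        },
        # Lists are rejected in context, so flatten roles into one comma-separated string.
        "context": {"roles": ",".join(roles)},
    }

def lambda_handler(event, context):
    # A TOKEN authorizer event carries the credential in authorizationToken, not in headers.
    token = event.get("authorizationToken", "")
    ok = hmac.compare_digest(token.encode(), DEMO_TOKEN.encode())
    response = build_response("Foo", "Allow" if ok else "Deny", event["methodArn"], ["admin"])
    problems = check_authorizer_response(response)
    if problems:  # surface the cause in the function's own log
        raise ValueError("; ".join(problems))
    return response  # a dict, never json.dumps(response)
```

Whatever reads `$context.authorizer.roles` downstream has to split the string on commas to recover the list.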

Author by

suman j

Updated on July 09, 2022

Comments

  • suman j
    suman j over 1 year

    For a Kinesis stream, I created a proxy API using AWS API Gateway. I added a custom authorizer using python Lambda for the proxy. After publish of lambda function and deploy of API, I was able to successfully test the API using Gateway Test functionality. I could see the logs in cloudwatch which had detailed prints from custom auth lambda function. After successful authentication, API Gateway pushed the record to my Kinesis stream

    However when I call the same API from Chrome Postman client, I get 500 Internal Server Error and response headers includes X-Cache → Error from cloudfront, x-amzn-ErrorType → AuthorizerConfigurationException

    Lambda auth function returns the policy which allows execute request for my API. Policy Document returned is:

                {
                  "policyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                      {
                        "Action": "execute-api:Invoke",
                        "Resource": [
                          "arn:aws:execute-api:us-east-1:1234567:myapiId/staging/POST/*"
                        ],
                        "Effect": "Allow"
                      }
                    ]
                  },
                  "principalId": "Foo"
                }
    

    Why does the request fail from Chrome or curl but the same API test works fine from API Gateway?

  • Stretch
    Stretch over 7 years
    Hey Bob, can you expand a little more on how I would "configure my function to be invoked by API gateway", please?
  • Bob Kinney
    Bob Kinney over 7 years
    @Stretch You have to allow API Gateway to invoke your function. See this question for an example using the AWS CLI.
  • deddu
    deddu over 6 years
    This documentation page goes deeper in the details. Briefly, your api-gw needs to have Lambda/Invoke permissions. If you are defining your custom authorizer via swagger, ensure the role in authorizerCredentials has lambda/invoke and is assumable by api-gw (in the trusted entities).
  • Tom Bunting
    Tom Bunting almost 6 years
    subtle and unclear in documentation, but this exact mistake, from a python lambda authorizer, just caught me out too - thanks for the clarification
  • Kashyap
    Kashyap almost 6 years
    Not true. AuthorizerConfigurationException is for all Exceptions thrown during Authorizer execution, unless they're mapped using Gateway Response Mapping.
  • Bala
    Bala about 4 years
    For people for whom it still doesn't work, you might be accessing the wrong header path in your authorizer script. Example: My Case: Wrong: event.headers.Authorization Actual: event.authorizationToken Full structure: { type: 'TOKEN', methodArn: 'arn:aws:execute-api:****', authorizationToken: 'Basic ****' } Log your incoming event and identify yours.
  • valearner
    valearner over 3 years
    aside from returning a json object, stackoverflow.com/a/38640522/5031727, and the issues Natan raised above, make sure the keys in the returned object are camelCased. but the error refers to a wide range of issues as others mentioned. good logging will be very helpful.
  • ChrisDevWard
    ChrisDevWard over 3 years
    > It's strange that the same lambda function did not error when I tested the API from API Gateway "test" feature. This is because using the "test" feature bypasses the authorizer and calls the lambda directly.