AWS API Gateway error: API Gateway does not have permission to assume the provided role as S3 proxy

25,259

To fix this, go to the definition of your Role in the IAM and select the Trust Relationships tab. From here edit the policy and for the Principal Service add in apigateway.amazonaws.com as seen below.

This will grant the API Gateway the ability to assume roles to run your function in addition to the existing Lambda permission.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["apigateway.amazonaws.com", "lambda.amazonaws.com"]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Author by

Kurt Campher

Updated on July 14, 2022

Comments

  • Kurt Campher
    Kurt Campher almost 2 years

    There are similar questions but they have answers that I have tried. I'm not sure what I could be doing wrong but any help would be appreciated.

    Test details: [image]

    The Error from a method-execution test; PUT request:

    Execution log for request test-request
    Mon Oct 16 10:13:47 UTC 2017 : Starting execution for request: test-invoke-request
    Mon Oct 16 10:13:47 UTC 2017 : HTTP Method: PUT, Resource Path: /pop-data-xmlz/test.xml
    Mon Oct 16 10:13:47 UTC 2017 : Method request path: {item=test.xml, folder=pop-data-xmlz}
    Mon Oct 16 10:13:47 UTC 2017 : Method request query string: {}
    Mon Oct 16 10:13:47 UTC 2017 : Method request headers: {Content-Type=application/xml}
    Mon Oct 16 10:13:47 UTC 2017 : Method request body before transformations: <test>
    test string
    </test>
    Mon Oct 16 10:13:47 UTC 2017 : Request validation succeeded for content type application/json
    Mon Oct 16 10:13:47 UTC 2017 : Execution failed due to configuration error: API Gateway does not have permission to assume the provided role
    Mon Oct 16 10:13:47 UTC 2017 : Method completed with status: 500
    

    I am following the API Gateway To S3 tutorial (http://docs.aws.amazon.com/apigateway/latest/developerguide/integrating-api-with-aws-services-s3.html) and attempting to execute a PUT request.

    The API Gateway is in us-east-1 and the S3 bucket in us-east-2.

    The created Role: APIGatewayProxyCustom

    A policy (pop-date-ingest) is attached that allows PUT requests to S3 buckets. [image]

    The Role has a trust relationship set: [image]

  • Clive Sargeant
    Clive Sargeant over 6 years
    Thanks very much! Stopped me from going insane. Once again the official docs don't mention this, very bad on their part!
  • Vijayanath Viswanathan
    Vijayanath Viswanathan over 6 years
    You are welcome @CliveSargeant. Good to know it helps :)
  • VenVig
    VenVig over 5 years
    Thank you @VijayanathViswanathan. Very helpful.
  • Vitaly Zdanevich
    Vitaly Zdanevich over 4 years
    But in the question I see a Trust Relationship with the same JSON.
  • Sahan Amarsha
    Sahan Amarsha almost 3 years
    Thank you, very helpful for AWS Educate users!
  • Jazzy
    Jazzy about 2 years
    If not for helpful answers like this that fill in where AWS dropped the ball.... thank you so very much.
  • William Ardila
    William Ardila about 2 years
    @VitalyZdanevich the difference (at least for me) was to add the square brackets in service, around "apigateway.amazonaws.com"
  • Muhammad Zawawi
    Muhammad Zawawi almost 2 years
    Almost 2 hours to figure out why, and this is the answer!! Tq