I have an existing Lambda function called My-Authorizer. I'm trying to deploy an API Gateway using Serverless, with CloudFormation (CF) resources, one of which is an authorizer that targets this Lambda.
Resources:
  ApiGateway:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: "${self:service}-test"
  # other resources
  MyAuthorizer:
    Type: AWS::ApiGateway::Authorizer
    DependsOn: ApiGateway
    Properties:
      Name: My-Authorizer
      Type: REQUEST
      RestApiId:
        Ref: ApiGateway
      AuthorizerUri: "arn:aws:apigateway:${self:custom.aws_region}:lambda:path/2015-03-31/functions/arn:aws:lambda:${self:custom.aws_region}:${self:custom.aws_account_id}:function:My-Authorizer/invocations"
But CF gives a CREATE_FAILED for MyAuthorizer with the following Status reason:
Resource handler returned message: "Invalid request input (Service: ApiGateway, Status Code: 400, Request ID: <some-request-id>)" (RequestToken: <some-request-token>, HandlerErrorCode: AlreadyExists)
I've checked that MyAuthorizer is not already a resource in this stack.
Question: Why am I getting this error?
It is because authorization caching is enabled by default, and thus the IdentitySource property is required by default. Specifying the IdentitySource property or disabling authorization caching will fix the issue (see Edit 2 below).
Original (6/29/2022):
I experienced the same issue and, after spending hours, I managed to solve it by adding the IdentitySource property, even though it is marked as required only when authorization caching is enabled. What led me to the solution was the words "Invalid Request". My authorizer looks like the following:
Resources:
  APIGWAuthorizer:
    Type: AWS::ApiGateway::Authorizer
    Properties:
      Name: apigw-authorizer
      IdentitySource: method.request.header.Authorization # customize to your need
      RestApiId: !Ref ApiGateway
      AuthorizerUri: # arn:aws:apigateway:{region}:lambda:path/2015-03-31/functions/{LambdaFunctionARN}/invocations
      Type: REQUEST
Edit 1 (6/29/2022):
It automatically enabled authorization caching for me. The weird thing is that I'm able to remove the IdentitySource property and successfully update the stack. However, that didn't remove the actual Identity Source or the Authorization Caching. So, I had to add the AuthorizerResultTtlInSeconds property to disable the caching. And thus, to disable the caching, it becomes:
Resources:
  APIGWAuthorizer:
    Type: AWS::ApiGateway::Authorizer
    Properties:
      Name: apigw-authorizer
      AuthorizerResultTtlInSeconds: 0
      IdentitySource: method.request.header.Authorization # customize to your need
      RestApiId: !Ref ApiGateway
      AuthorizerUri: # arn:aws:apigateway:{region}:lambda:path/2015-03-31/functions/{LambdaFunctionARN}/invocations
      Type: REQUEST
Edit 2 (6/30/2022):
Found out that AuthorizerResultTtlInSeconds defaulting to 300 is what causes the error. So by default, authorization caching is enabled, and thus the IdentitySource property is actually required by default. I'm able to create a new authorizer without specifying the IdentitySource property, but it requires disabling the authorization caching.
Resources:
  APIGWAuthorizer:
    Type: AWS::ApiGateway::Authorizer
    Properties:
      Name: apigw-authorizer
      AuthorizerResultTtlInSeconds: 0 # disable authorization caching
      RestApiId: !Ref ApiGateway
      AuthorizerUri: # arn:aws:apigateway:{region}:lambda:path/2015-03-31/functions/{LambdaFunctionARN}/invocations
      Type: REQUEST
https://docs.aws.amazon.com/apigateway/latest/developerguide/configure-api-gateway-lambda-authorization-with-console.html
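A pre-deploy check for the rule this answer arrives at, as an added example that is not part of the original answer: it flags REQUEST authorizers whose cache TTL is above zero (including the implicit default of 300) while IdentitySource is absent. It assumes the template has already been parsed into a dict; `check_authorizers`, `authorizer` and the sample templates are names made up here, AuthorizerUri is left out of the constructed samples, and the 3600-second ceiling is API Gateway's documented maximum rather than something stated on this page.

```python
DEFAULT_TTL = 300  # default AuthorizerResultTtlInSeconds, as noted in the answer
MAX_TTL = 3600     # API Gateway's maximum authorizer cache TTL (not from this page)


def check_authorizers(template):
    """Return (logical_id, problem) pairs for REQUEST authorizers in a template dict."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::ApiGateway::Authorizer":
            continue
        props = res.get("Properties") or {}
        if props.get("Type") != "REQUEST":
            continue  # only the REQUEST rule from this page is checked
        raw_ttl = props.get("AuthorizerResultTtlInSeconds", DEFAULT_TTL)
        try:
            ttl = int(raw_ttl)
        except (TypeError, ValueError):
            # e.g. an intrinsic such as {"Ref": ...} that is only known at deploy time
            findings.append((logical_id, "TTL is not a literal number; cannot check"))
            continue
        if not 0 <= ttl <= MAX_TTL:
            findings.append((logical_id, f"TTL {ttl} is outside 0..{MAX_TTL}"))
        identity = props.get("IdentitySource")
        # A non-empty string or an intrinsic (dict) both count as "specified".
        has_identity = bool(identity.strip() if isinstance(identity, str) else identity)
        if ttl > 0 and not has_identity:
            findings.append(
                (logical_id, f"caching is on (TTL {ttl}s) but IdentitySource is missing"))
    return findings


def authorizer(**props):
    """Build a constructed one-authorizer template for the demo below."""
    base = {"Name": "apigw-authorizer", "Type": "REQUEST", "RestApiId": {"Ref": "ApiGateway"}}
    return {"Resources": {"APIGWAuthorizer": {
        "Type": "AWS::ApiGateway::Authorizer", "Properties": {**base, **props}}}}


# Constructed inputs mirroring the three configurations discussed on this page.
AS_ASKED = authorizer()  # no IdentitySource, TTL left at its default
WITH_IDENTITY = authorizer(IdentitySource="method.request.header.Authorization")
CACHE_OFF = authorizer(AuthorizerResultTtlInSeconds=0)

if __name__ == "__main__":
    for name, tpl in [("as asked", AS_ASKED), ("with IdentitySource", WITH_IDENTITY),
                      ("caching disabled", CACHE_OFF)]:
        print(name, "->", check_authorizers(tpl) or "ok")
```

When caching stays on, the IdentitySource values are what API Gateway keys the cached authorizer result on, so list every request attribute the Lambda's decision depends on.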