What is the problem?
API gateway does not create needed IAM roles to connect to an HTTP Lambda integration, this started when upgrading to CDK v2
Reproduction Steps
When using AWS-CDK 2.3.0-alpha.0
"@aws-cdk/aws-apigatewayv2-alpha": "2.3.0-alpha.0",
"@aws-cdk/aws-apigatewayv2-authorizers-alpha": "^2.3.0-alpha.0",
"@aws-cdk/aws-apigatewayv2-integrations-alpha": "^2.3.0-alpha.0"
We have 2 routes that point to the same integration, permissions in cloudformation are only created for the first one
const jobsIntegration = new apiGatewayIntegrations.HttpLambdaIntegration('JobsIntegration', jobsFunction);
props.httpApi.addRoutes({
path: '/hr/jobs',
methods: [ apiGateway.HttpMethod.GET ],
integration: jobsIntegration,
authorizer: props.Authorizer
});
props.httpApi.addRoutes({
path: '/hr/job/{reqId}',
methods: [ apiGateway.HttpMethod.GET ],
integration: jobsIntegration,
authorizer: props.Authorizer
});cloudformation:
"HttpApiGEThrjobsJobsIntegrationPermissionFFAB51F1": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Fn::ImportValue": "OutputFnGetAttJobsFunction382FBD18Arn3EEB55F3"
},
"Principal": "apigateway.amazonaws.com",
"SourceArn": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":execute-api:us-east-1:123:",
{
"Ref": "HttpApiF5A9A8A7"
},
"/*/*/hr/jobs"
]
]
}
},
"Metadata": {
"aws:cdk:path": "/ApiGateway/HttpApi/GET--hr--jobs/JobsIntegration-Permission"
}API gateway access logs:
{
"requestId": "=",
"ip": "",
"requestTime": "28/Dec/2021:16:25:46 +0000",
"httpMethod": "GET",
"routeKey": "GET /hr/job/{reqId}",
"status": "500",
"protocol": "HTTP/1.1",
"responseLength": "35",
"contenxtError": "Internal Server Error",
"integrationErrorMessage": "The IAM role configured on the integration or API Gateway doesn't have permissions to call the integration. Check the permissions and try again."
}What did you expect to happen?
It to create permissions for both routes
What actually happened?
It only created for the first route - see above cloudformation output
work around is as follows - create a new integration linked to the same function
const jobsIntegration = new apiGatewayIntegrations.HttpLambdaIntegration('JobsIntegration', jobsFunction);
**const jobIntegration = new apiGatewayIntegrations.HttpLambdaIntegration('JobIntegration', jobsFunction);**
props.httpApi.addRoutes({
path: '/hr/jobs',
methods: [ apiGateway.HttpMethod.GET ],
integration: jobsIntegration,
authorizer: props.Authorizer
});
props.httpApi.addRoutes({
path: '/hr/job/{reqId}',
methods: [ apiGateway.HttpMethod.GET ],
integration: **jobIntegration** ,
authorizer: props.Authorizer
});CDK CLI Version
2.3.0
Framework Version
No response
Node.js Version
14.18.0
OS
Windows 11
Language
Typescript
Language Version
4.5.2
Other information
No response
What is the problem?
API gateway does not create needed IAM roles to connect to an HTTP Lambda integration, this started when upgrading to CDK v2
Reproduction Steps
When using AWS-CDK 2.3.0-alpha.0
We have 2 routes that point to the same integration, permissions in cloudformation are only created for the first one
cloudformation:
API gateway access logs:
{ "requestId": "=", "ip": "", "requestTime": "28/Dec/2021:16:25:46 +0000", "httpMethod": "GET", "routeKey": "GET /hr/job/{reqId}", "status": "500", "protocol": "HTTP/1.1", "responseLength": "35", "contenxtError": "Internal Server Error", "integrationErrorMessage": "The IAM role configured on the integration or API Gateway doesn't have permissions to call the integration. Check the permissions and try again." }What did you expect to happen?
It to create permissions for both routes
What actually happened?
It only created for the first route - see above cloudformation output
work around is as follows - create a new integration linked to the same function
CDK CLI Version
2.3.0
Framework Version
No response
Node.js Version
14.18.0
OS
Windows 11
Language
Typescript
Language Version
4.5.2
Other information
No response