Alex Lungu - 28 days ago 10
Node.js Question

AWS API Gateway: Execution failed due to configuration error: Invalid JSON in response

I have an API gateway setup with a Custom Authorizer that calls a Lambda function. For testing purposes I copied the example from here: http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-api-as-simple-proxy-for-lambda.html#api-gateway-proxy-integration-lambda-function-nodejs

I get the same answer as in the documentation but when I test the authorizer I get this stacktrace:

Endpoint request body after transformations: {"type":"TOKEN","authorizationToken":"test","methodArn":"arn:aws:execute-api:ap-southeast-2:893445519708:uyue0zqh15/null/GET/"}
Authorizer result body before parsing: {"statusCode":200,"headers":{"x-custom-header":"my custom header value"},"body":"{\"message\":\"Hello World!\",\"input\":{\"type\":\"TOKEN\",\"authorizationToken\":\"test\",\"methodArn\":\"arn:aws:execute-api:ap-southeast-2:893445519708:uyue0zqh15/null/GET/\"}}"}
Execution failed due to configuration error: Invalid JSON in response: {"statusCode":200,"headers":{"x-custom-header":"my custom header value"},"body":"{\"message\":\"Hello World!\",\"input\":{\"type\":\"TOKEN\",\"authorizationToken\":\"test\",\"methodArn\":\"arn:aws:execute-api:ap-southeast-2:893445519708:uyue0zqh15/null/GET/\"}}"}
AuthorizerConfigurationException


Why doesn't the authorizer like the JSON response?

Answer

The authorizer response format is not the same as the integration proxy response format. I can see this is confusing!

The output of a custom authorizer should conform to this format:

{
  "principalId": "yyyyyyyy", // The principal user identification associated with the token sent by the client.
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Allow|Deny",
        "Resource": "arn:aws:execute-api:<regionId>:<accountId>:<appId>/<stage>/<httpVerb>/[<resource>/<httpVerb>/[...]]"
      }
    ]
  },
  "context": {
    "key": "value",
    "numKey": 1,
    "boolKey": true
  }
}

The principalId and policyDocument are required, and context is optional.

UPDATE:

The policyDocument is not user defined; it's the same syntax as a regular IAM policy that operates on the API Gateway actions and resources: http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html

There are also great blueprints in the Lambda web console for authorizers in Python and Node, and there is a Java blueprint here: https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints
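The following Node.js sketch is an added example, not part of the original answer or the AWS blueprints. It builds the authorizer output in the format shown above and includes a shape check that flags a proxy-style `{statusCode, headers, body}` object like the one in the question. `TOKENS`, `buildAuthResponse`, `checkAuthResponse` and `authorize` are hypothetical names, the token table is constructed sample data, and the scalar-only check on `context` reflects API Gateway's restriction that context values cannot be objects or arrays.

```javascript
// Added example: TOKEN authorizer for API Gateway (Node.js Lambda).
// TOKENS is constructed sample data; a real authorizer would verify a signed token.
const TOKENS = new Map([["test", "user-123"]]);

// Build the authorizer output: principalId plus an IAM policy on execute-api:Invoke.
function buildAuthResponse(principalId, effect, resource, context) {
  const response = {
    principalId,
    policyDocument: {
      Version: "2012-10-17",
      Statement: [{ Action: "execute-api:Invoke", Effect: effect, Resource: resource }],
    },
  };
  if (context) response.context = context;
  return response;
}

// Return a list of shape problems; an empty list means the object matches the format.
function checkAuthResponse(r) {
  const problems = [];
  if (!r || typeof r.principalId !== "string") problems.push("principalId missing");
  const doc = r && r.policyDocument;
  if (!doc || !Array.isArray(doc.Statement) || doc.Statement.length === 0) {
    problems.push("policyDocument missing");
  } else {
    for (const s of doc.Statement) {
      if (s.Effect !== "Allow" && s.Effect !== "Deny") problems.push("bad Effect: " + s.Effect);
    }
  }
  // Context values must be strings, numbers or booleans (no nested objects/arrays).
  for (const [k, v] of Object.entries((r && r.context) || {})) {
    if (!["string", "number", "boolean"].includes(typeof v)) problems.push("context." + k + " not a scalar");
  }
  return problems;
}

// Decide on a TOKEN event. Unknown tokens get an explicit Deny (fail closed).
function authorize(event) {
  const principalId = TOKENS.get(event.authorizationToken);
  const effect = principalId ? "Allow" : "Deny";
  return buildAuthResponse(principalId || "anonymous", effect, event.methodArn,
    { tokenKnown: Boolean(principalId) });
}

// Lambda entry point: the resolved value is what API Gateway parses as the policy.
const handler = async (event) => authorize(event);
if (typeof module !== "undefined") module.exports = { handler };
```

Running `checkAuthResponse` over the handler's output in a unit test catches a proxy-format response before API Gateway rejects it with AuthorizerConfigurationException.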