API 网关 CreateAuthorizer 因 InternalFailure 而失败
API Gateway CreateAuthorizer fails with InternalFailure
当我尝试使用 CloudFormation 为我的 AWS API 网关创建自定义授权者时,它冻结并一直尝试执行 CreateAuthorizer 调用,但失败了。这是我可以重现该行为的最小 CloudFormation 模板:
AWSTemplateFormatVersion: "2010-09-09"
Resources:
ApiGatewayV1:
Type: "AWS::ApiGateway::RestApi"
Properties:
Name: "test"
ApiAuthorizerV1:
Type: "AWS::ApiGateway::Authorizer"
Properties:
RestApiId: !Ref "ApiGatewayV1"
Name: "test"
Type: "TOKEN"
AuthorizerUri: !Sub "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:aws:lambda::${AWS::AccountId}:function:${!stageVariables.AuthorizerLambdaName}/invocations"
IdentitySource: "method.request.header.Authorization"
AuthorizerResultTtlInSeconds: 3600
CloudTrail 日志:
"errorCode": "InternalFailure",
"errorMessage": "An unknown error occurred",
"requestParameters": {
"restApiId": "lweme6j3wk",
"createAuthorizerInput": {
"providerARNs": [],
"identitySource": "method.request.header.Authorization",
"authorizerResultTtlInSeconds": 3600,
"type": "TOKEN",
"name": "test",
"authorizerUri": "arn:aws:apigateway:eu-central-1:lambda:path/2015-03-31/functions/arn:aws:lambda::<ACCOUNT_ID>:function:${stageVariables.AuthorizerLambdaName}/invocations"
},
"template": false
},
"responseElements": null,
"requestID": "470e2efa-d3c1-11e7-b0cc-b7fd2383ef6b",
"eventID": "2ceccaa5-9b97-4b1e-93e5-3c4e6bca419d",
好吧,那真是个奇怪的晚餐。当我在目标 lambda ARN 中明确指定区域时,它起作用了!
已替换:
arn:aws:lambda::<ACCOUNT_ID>
与:
arn:aws:lambda:<REGION>:<ACCOUNT_ID>
(是的,它适用于 ${AWS::Region}:${AWS::AccountId} 占位符,我使用固定值来检查。
当我尝试使用 CloudFormation 为我的 AWS API 网关创建自定义授权者时,它冻结并一直尝试执行 CreateAuthorizer 调用,但失败了。这是我可以重现该行为的最小 CloudFormation 模板:
AWSTemplateFormatVersion: "2010-09-09"
Resources:
ApiGatewayV1:
Type: "AWS::ApiGateway::RestApi"
Properties:
Name: "test"
ApiAuthorizerV1:
Type: "AWS::ApiGateway::Authorizer"
Properties:
RestApiId: !Ref "ApiGatewayV1"
Name: "test"
Type: "TOKEN"
AuthorizerUri: !Sub "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:aws:lambda::${AWS::AccountId}:function:${!stageVariables.AuthorizerLambdaName}/invocations"
IdentitySource: "method.request.header.Authorization"
AuthorizerResultTtlInSeconds: 3600
CloudTrail 日志:
"errorCode": "InternalFailure",
"errorMessage": "An unknown error occurred",
"requestParameters": {
"restApiId": "lweme6j3wk",
"createAuthorizerInput": {
"providerARNs": [],
"identitySource": "method.request.header.Authorization",
"authorizerResultTtlInSeconds": 3600,
"type": "TOKEN",
"name": "test",
"authorizerUri": "arn:aws:apigateway:eu-central-1:lambda:path/2015-03-31/functions/arn:aws:lambda::<ACCOUNT_ID>:function:${stageVariables.AuthorizerLambdaName}/invocations"
},
"template": false
},
"responseElements": null,
"requestID": "470e2efa-d3c1-11e7-b0cc-b7fd2383ef6b",
"eventID": "2ceccaa5-9b97-4b1e-93e5-3c4e6bca419d",
好吧,那真是个奇怪的晚餐。当我在目标 lambda ARN 中明确指定区域时,它起作用了!
已替换:
arn:aws:lambda::<ACCOUNT_ID>
与:
arn:aws:lambda:<REGION>:<ACCOUNT_ID>
(是的,它适用于 ${AWS::Region}:${AWS::AccountId} 占位符,我使用固定值来检查。