AWS API GW - token verification fails in custom authorizer

We have a set of microservices running in AWS/EKS/istio environment. These are used by other services (not users).

I am trying to use the AWS API Gateway to protect them as per the tutorial here → Secure AWS API Gateway Endpoints Using Custom Authorizers

The standalone Lambda function works fine. Here is the output:

  {
    "principalId": "jXNmQMqe896YQyROeih0L2IEWlXqBUiP@clients",
    "policyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "execute-api:Invoke",
          "Effect": "Allow",
          "Resource": "arn:aws:execute-api:eu-central-1:482548117076:99fpylmfz8/*/GET/pets"
        }
      ]
    },
    "context": {}
  }

However, when I'm testing the custom authorizer under the API GW pane, I get this error:

Execution log for request 0f605e1a-b4cb-4974-9040-b087d9188d9b
Thu May 06 03:30:13 UTC 2021 : Unauthorized request: 0f605e1a-b4cb-4974-9040-b087d9188d9b
Thu May 06 03:30:13 UTC 2021 : Unauthorized

I'm using the same token for both tests. The decoded token payload is:

  {
    "iss": "",
    "sub": "jXNmQMqe896YQyROeih0L2IEWlXqBUiP@clients",
    "aud": "api-gw-umapati",
    "iat": 1620271010,
    "exp": 1620357410,
    "azp": "jXNmQMqe896YQyROeih0L2IEWlXqBUiP",
    "gty": "client-credentials",
    "permissions": []
  }

I did notice that the permissions field is blank in the token. However, the API is protected using the below scope:

Assuming this is the cause of the issue, how do I get the permission updated in the access token? Since I am using the client ID/secret to get one, I am not sure how to go about assigning a role to this client ID.

Please advise.

Hi @umapati.singh,

Welcome to the Community!

If you go to your API settings in the dashboard, and select Machine to Machine Applications, and select the drop-down arrow for your application, you can grant specific permissions to the app you are using to make the M2M client credentials grant request.

The permissions should show up in the token after that. They will always appear as the scope claim. If you want them to appear in a permissions array, you will need to toggle on the Add Permissions in the Access Token setting.


If that doesn’t solve the problem, let me know.

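As an added example that is not code from this thread or from the Auth0 tutorial it links, here is how the scope check inside a Lambda authorizer can read the grant from either the `scope` claim or the `permissions` array before issuing the policy shown above. It assumes the token's signature, issuer and audience were already verified upstream (as the tutorial does with a JWKS lookup); `REQUIRED_SCOPE`, the method ARN and the sample claims are constructed values, not taken from the thread.

```javascript
// Added example: not code from the thread or from the Auth0 tutorial it links.
// Assumes the JWT signature, issuer and audience were already verified
// upstream (e.g. jsonwebtoken + jwks-rsa, as in the tutorial); this part
// only decides Allow/Deny from the verified claims.

// Assumed value: the screenshot naming the API's required scope did not survive.
const REQUIRED_SCOPE = 'read:pets';

// Auth0 issues granted M2M permissions in the space-separated `scope` claim.
// The `permissions` array is only filled when "Add Permissions in the Access
// Token" is enabled, so a token with `permissions: []` can still carry the
// grant in `scope`. Read both so the check works under either setting.
function grantedPermissions(claims) {
  const fromScope = typeof claims.scope === 'string'
    ? claims.scope.split(' ').filter(Boolean)
    : [];
  const fromArray = Array.isArray(claims.permissions) ? claims.permissions : [];
  return new Set([...fromScope, ...fromArray]);
}

// Same shape as the policy the thread's standalone Lambda run produced.
function buildPolicy(principalId, effect, methodArn) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: methodArn }],
    },
    context: {},
  };
}

// Returns a Deny policy (API Gateway answers 403) when the required scope is
// missing, instead of allowing a token that merely verified.
function authorize(claims, methodArn) {
  const effect = grantedPermissions(claims).has(REQUIRED_SCOPE) ? 'Allow' : 'Deny';
  return buildPolicy(claims.sub, effect, methodArn);
}

// Constructed sample claims (not real tokens). The first mirrors the thread's
// token before permissions were granted; the second is what appears afterwards.
const ARN = 'arn:aws:execute-api:eu-central-1:123456789012:abc123/*/GET/pets';
const beforeGrant = { sub: 'client-id@clients', gty: 'client-credentials', permissions: [] };
const afterGrant = { sub: 'client-id@clients', gty: 'client-credentials',
                     scope: 'read:pets', permissions: ['read:pets'] };

console.log(authorize(beforeGrant, ARN).policyDocument.Statement[0].Effect); // Deny
console.log(authorize(afterGrant, ARN).policyDocument.Statement[0].Effect);  // Allow
```

A token that verifies but lacks the scope gets a Deny policy rather than an Allow, which is the difference between "signature is valid" and "this client was granted this API permission".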

Thanks, that solved it. You're awesome!


Thanks for following up!
