I have an API in API Gateway, backed by a Lambda function. Errors, e.g. if the Lambda function is running with a role not privileged to invoke the Lambda function, are revealed directly in the API response, including the name of the role, the permission it doesn't have, and the name of the Lambda function. Any code change in the Lambda function will not help because the Lambda function did not even get invoked.
Questions to "Amazon Q" are either helping me to fix that role permission error, or to diagnose it with CloudWatch. But that is not my question - I just want errors to hide internal details whatever happens.
How do I configure API Gateway to do that?
You can change API Gateway default responses on the APIGW level (as opposed to lambda level) by changing Gateway responses. In the API Gateway console, the option you want is in your API => Gateway responses (on the left under your API name, as of 2024 UI) => pick the error code you want (some kind of 500/502/504 I assume) => edit.
Under the Mapping template, you will see something like
{"message":"$context.error.messageString"}
Replace the "$context.error.messageString" with whatever you like, e.g. {"message":"Error! Guess what happened!"}. Now that string will be returned instead of your application's exceptions.
Relevant docs and semi-relevant question (it assumes your lambda is working, but the info on mapping templates is still relevant to your question):
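The same change scripted with boto3 for a REST API, as an added example that is not part of the original answer: it finds the 5XX gateway responses whose template still echoes $context.error.message or $context.error.messageString, replaces them with a static body, and redeploys the stage. The function names, the generic body and the sample items are assumptions constructed for illustration; REST_API_ID and STAGE_NAME are placeholders.

```python
import json
import re

# Variables that copy API Gateway's own error text into the response body.
LEAKY = re.compile(r"\$context\.error\.message(String)?\b")
# Static body; $context.requestId lets support match a report to the logs.
GENERIC_BODY = json.dumps({"message": "Internal server error",
                           "requestId": "$context.requestId"})

def is_server_side(item):  # DEFAULT_5XX may carry no status code, so match it by type
    return (item["responseType"] == "DEFAULT_5XX"
            or str(item.get("statusCode", "")).startswith("5"))

def find_leaky(items):
    """5XX gateway responses whose template echoes the gateway's error text."""
    return [i for i in items if is_server_side(i)
            and any(LEAKY.search(t) for t in i.get("responseTemplates", {}).values())]

def replacement_kwargs(rest_api_id, item):
    """put_gateway_response arguments that swap each template for GENERIC_BODY."""
    kwargs = {"restApiId": rest_api_id, "responseType": item["responseType"],
              "responseTemplates": {ct: GENERIC_BODY for ct in item["responseTemplates"]}}
    # Keep the status code and headers the response already had, if any.
    kwargs.update({k: item[k] for k in ("statusCode", "responseParameters") if item.get(k)})
    return kwargs

def harden(client, rest_api_id, stage_name):
    """Rewrite leaky 5XX responses, redeploy the stage, return the changed types."""
    items = client.get_gateway_responses(restApiId=rest_api_id, limit=500)["items"]
    changed = []
    for item in find_leaky(items):
        client.put_gateway_response(**replacement_kwargs(rest_api_id, item))
        changed.append(item["responseType"])
    if changed:  # gateway response edits only take effect after a deployment
        client.create_deployment(restApiId=rest_api_id, stageName=stage_name)
    return changed

# Constructed sample in the shape get_gateway_responses returns.
SAMPLE_ITEMS = [
    {"responseType": "DEFAULT_5XX",
     "responseTemplates": {"application/json": '{"message":$context.error.messageString}'}},
    {"responseType": "INTEGRATION_FAILURE", "statusCode": "504",
     "responseTemplates": {"application/json": '{"message":"$context.error.messageString"}'}},
    {"responseType": "THROTTLED", "statusCode": "429",
     "responseTemplates": {"application/json": '{"message":$context.error.messageString}'}},
]

if __name__ == "__main__":
    import boto3  # needs AWS credentials; the IDs below are placeholders
    print(harden(boto3.client("apigateway"), "REST_API_ID", "STAGE_NAME"))
```

4XX responses such as THROTTLED are left alone because their default text describes the client's request rather than the backend.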