By default, when the Lambda Invoke API rejects a call before the function runs (for example, a 400 Bad Request or 403 Forbidden), Kong Gateway returns a generic HTTP 500 to the client.
This makes it difficult to distinguish authorization failures from bad requests.
You can enable `config.preserve_lambda_api_error_code` to return the original 4xx or 5xx status code from the Lambda API instead.
This setting only applies when the Lambda Invoke API itself returns status >= 400, and doesn’t affect errors raised inside a successfully invoked function.
Kong Gateway sanitizes the client response body to `{"message":"Upstream Lambda invocation failed"}` and never exposes AWS error messages or ARNs to clients.
If the Kong Gateway log level is set to error, it logs the full error detail regardless of this setting. For example:
`AWS Lambda API returned error: <msg>, status code: <code>`.
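
Because clients only ever see the sanitized body, the error log is where authorization failures and bad requests are told apart. The following is an added example, not part of Kong's documentation or code: it triages that log message by status code. Only the `AWS Lambda API returned error: <msg>, status code: <code>` portion comes from this page; the surrounding log prefix and suffix, the sample lines, and the category names are assumptions.

```python
import re
from collections import Counter

# Matches only the message format quoted on this page. The greedy <msg> group
# tolerates commas inside the AWS error text.
LAMBDA_ERR = re.compile(
    r"AWS Lambda API returned error: (?P<msg>.*), status code: (?P<code>\d{3})"
)

# Constructed sample lines (log prefix/suffix layout is assumed, not Kong output).
SAMPLE_LOG = """\
2025/01/01 10:00:01 [error] 100#0: *1 [kong] AWS Lambda API returned error: constructed access denied text, status code: 403, client: 192.0.2.10
2025/01/01 10:00:02 [error] 100#0: *2 [kong] AWS Lambda API returned error: constructed invalid payload, with a comma, status code: 400, client: 192.0.2.11
2025/01/01 10:00:03 [notice] 100#0: *3 unrelated line
2025/01/01 10:00:04 [error] 100#0: *4 [kong] AWS Lambda API returned error: constructed access denied text, status code: 403, client: 192.0.2.10
2025/01/01 10:00:05 [error] 100#0: *5 [kong] AWS Lambda API returned error: constructed throttle text, status code: 429, client: 192.0.2.12
"""


def classify(code):
    """Map a Lambda Invoke API status code to a triage category (names assumed)."""
    if code == 403:
        return "authorization"
    if code == 400:
        return "bad_request"
    if 400 <= code < 500:
        return "client_error"
    return "server_error" if code >= 500 else "other"


def parse_events(log_text):
    """Return (status_code, category, aws_message) for each matching log line."""
    events = []
    for line in log_text.splitlines():
        m = LAMBDA_ERR.search(line)
        if m:
            code = int(m.group("code"))
            events.append((code, classify(code), m.group("msg")))
    return events


def summarize(log_text):
    """Count Lambda API rejections per triage category."""
    return Counter(category for _, category, _ in parse_events(log_text))


if __name__ == "__main__":
    for category, count in summarize(SAMPLE_LOG).most_common():
        print(f"{category}: {count}")
```

The extracted `<msg>` can contain AWS error detail and ARNs, so keep it in the same restricted log pipeline rather than surfacing it in client-facing dashboards.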