AccessDeniedException for user with AdministratorAccess on eu-central-2 - amazon-web-services

I have simple tutorial-level code for creating IAM Policy and Lambda.
Everything works fine on eu-central-1, but when I try to use eu-central-2 (Zürich):
both policy and lambda are created
Terraform is trying to get Code Signing Config (?):
[DEBUG] [aws-sdk-go] DEBUG: Response lambda/GetFunctionCodeSigningConfig Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 403 Forbidden
X-Amzn-Errortype: AccessDeniedException
[DEBUG] [aws-sdk-go] DEBUG: Validate Response lambda/GetFunctionCodeSigningConfig failed, attempt 0/25, error AccessDeniedException:
status code: 403, request id: xxxx
[DEBUG] Unlocking "aws_lambda_function"
[DEBUG] Unlocked "aws_lambda_function"
Response contains error diagnostic: diagnostic_detail= tf_proto_version=5.3 diagnostic_summary="error getting Lambda Function (test_lambda) code signing config AccessDeniedException:
status code: 403, request id: xxx" tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=9c3edc87-a488-26bc-cee0-f8b0289a6c22 tf_resource_type=aws_lambda_function #caller=github.com/hashicorp/terraform-plugin-go#v0.14.1/tfprotov5/internal/diag/diagnostics.go:55 #module=sdk.proto diagnostic_severity=ERROR tf_rpc=ApplyResourceChange timestamp=2022-11-23T18:23:31.673+0100
2022-11-23T18:23:31.682+0100 [ERROR] vertex "aws_lambda_function.hello_world" error: error getting Lambda Function (test_lambda) code signing config AccessDeniedException:
status code: 403, request id: xxx
The user is in the Group AdministratorAccess, which I assume should have access to all information. I tried adding AWSLambda_FullAccess or explicitly:
"lambda:UpdateCodeSigningConfig",
"lambda:GetFunctionEventInvokeConfig",
"lambda:GetCodeSigningConfig",
"lambda:CreateCodeSigningConfig",
"lambda:GetFunctionCodeSigningConfig"
and there's no difference.

It was actually a bug in Terraform. It got solved in 4.42.0:
https://github.com/hashicorp/terraform-provider-aws/pull/28008
If you found this question and see the same error message, please make sure that your region is on the list of supported regions for AWS Signer: https://docs.aws.amazon.com/general/latest/gr/signer.html
As Terraform leverages this service, regions that do not support it need to be added to a special list before they will work correctly. You'll need to file a bug on GitHub for it.

Related

Getting Invalid mapping expression specified when setting GatewayResponse

The default API Gateway responses come in this form: {"message":$context.error.messageString}.
Changing this template via the console, for example to wrap it in an "error" object, works fine. However, when I try it in CDK, it errors during deployment with Invalid mapping expression specified.
Code (notice this is literally the default template):
// COMMON_HEADERS is defined elsewhere in the stack (not shown in the post)
webServiceApi.addGatewayResponse('4XX', {
  type: apigw.ResponseType.DEFAULT_4XX,
  responseHeaders: COMMON_HEADERS,
  templates: {
    'application/json': '{"message":$context.error.messageString}',
  },
});
This happens with any change as well, including all the AWS-written examples I could find. It's under-documented everywhere in AWS (CDK, SDK, API Gateway and CloudFormation), so it's very difficult for me to figure out what's wrong there.
CloudFormation Error
Resource handler returned message: "Invalid mapping expression specified: Validation Result: warnings : [], errors : [Invalid mapping expression specified: *] (Service: ApiGateway, Status Code: 400, Request ID: [TRUNCATED], Extended Request ID: null)" (RequestToken: [TRUNCATED], HandlerErrorCode: InvalidRequest)
Apparently the error was not with the mapping template; it was the headers: the origin needed to be "'*'" instead of "*". That is NOT a useful error message.
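The answer above pins the failure on the header value, not the template: API Gateway treats every gateway-response header value as a mapping expression, so a static string has to be a single-quoted literal ("'*'"), while a bare "*" is parsed as an expression and rejected. The following is an added example, not code from the original post or from the CDK project. It normalises a header map into that form before it is handed to responseHeaders; the regular expression describing which unquoted expressions are accepted (method.request.*, stageVariables.*, context.*) is my assumption, not an official grammar, and the sample COMMON_HEADERS_BROKEN map is constructed to reproduce the poster's situation.

```typescript
// Added example (not from the original post or the CDK project). Gateway-response
// header values are mapping expressions: a static value must be a single-quoted
// literal ("'*'"); anything unquoted must be a request/context expression.
// The forms below are my assumption of what the service accepts, not an
// official grammar.
const MAPPING_EXPRESSION =
  /^(method\.request\.(header|querystring|path)\.[\w.-]+|stageVariables\.[\w-]+|context\.[\w.-]+)$/;

type HeaderMap = { [header: string]: string };

/** True when `value` is already a valid quoted literal or mapping expression. */
function isValidMappingValue(value: string): boolean {
  const quotedLiteral =
    value.length >= 2 &&
    value.startsWith("'") &&
    value.endsWith("'") &&
    !value.slice(1, -1).includes("'");
  return quotedLiteral || MAPPING_EXPRESSION.test(value);
}

/** Quote a bare literal; leave valid expressions and already-quoted literals alone. */
function toMappingValue(value: string): string {
  if (isValidMappingValue(value)) return value;
  if (value.includes("'")) {
    // A literal containing a single quote cannot be written as '...' safely.
    throw new Error(`cannot express header value ${JSON.stringify(value)} as a mapping literal`);
  }
  return `'${value}'`;
}

/** Normalise a whole header map into the shape `responseHeaders` expects. */
function toResponseHeaders(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const name of Object.keys(headers)) {
    out[name] = toMappingValue(headers[name]);
  }
  return out;
}

// Constructed sample (assumption): the poster's headers with a bare "*" origin,
// which is exactly what produces "Invalid mapping expression specified: *".
const COMMON_HEADERS_BROKEN: HeaderMap = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Headers': 'Content-Type,Authorization',
};

// Corrected form: every static value is now a single-quoted literal.
const COMMON_HEADERS: HeaderMap = toResponseHeaders(COMMON_HEADERS_BROKEN);

// Reflecting the caller's Origin instead of "*" stays an unquoted expression.
const REFLECTED_ORIGIN: string = toMappingValue('method.request.header.Origin');
```

Run isValidMappingValue over the map in a unit test before synthesising the stack; it turns the opaque CloudFormation error into a readable one that names the offending header.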

Change response "not a valid key=value pair (missing equal-sign) in Authorization header" in AWS ApiGateway

I've read other similar posts with exact same error message, however my question is different.
I have an AWS ApiGateway in https://XXXXXXXX.execute-api.us-east-1.amazonaws.com/xxxx/users (from now I will call it as /users ).
I have implemented my ApiGateway to Lambda scripts with Cognito authorization, and they work without problems, for example:
/users/me -> returns data of the currently logged-in user
The problem is when I call a nonexistent route in ApiGateway, for example:
/users/mine123 -> it returns
{ "message": "'my-cognito-user-id-token' not a valid key=value pair (missing equal-sign) in Authorization header: 'Bearer my-cognito-user-id-token'." }
My question is... Is there a way to return a NotFound or BadRequest error when route in ApiGateway doesn't exist?
I think it is possible by implementing an ANY resource, but is there a "clean" way to do it without an ANY resource?
Edit 1:
I tried an API Gateway response as well. I set a custom response with status code 404 for Resource Not Found, but API Gateway still returns 403 Forbidden.
Edit 2
I already have 4XX responses configured too:
And API Gateway always returns a 403 error with this message (as expected for a generic 4XX error); however, I think it doesn't make sense because it is not a real Forbidden error, it's a NotFound or BadRequest error.
For example,
A request to nonexistent route in Github API https://api.github.com/ROUTE_THAT_DOESNT_EXIST returns 404 NotFound.
A request to nonexistent route in StackExchange API https://api.stackexchange.com/ROUTE_THAT_DOESNT_EXIST returns 400 BadRequest.
None of them return 403 Forbidden.
The error message { "message": "token not a valid key=value pair Authorization header: 'Bearer token'." } is thrown when the resource path doesn't exist, with status 403 and the response header "x-amzn-ErrorType" = "IncompleteSignatureException": a request with an "Authorization" header is sent to an API resource path that doesn't exist.
We can customize the response body in the 'Gateway Response' section. There doesn't seem to be a specific Gateway Response like Unauthorized, Invalid Signature, etc. for this scenario, hence we need to configure Default 4XX.
We can update the status code and Response Templates. Unlike the Integration Response on a successful request, the error gateway response template doesn't support the full VTL template language but only simple placeholders.
Example configuration for application/json
{"message":"Invalid Resource","type": "$context.error.responseType","stage": "$context.stage"}
Will return
{
"message": "Invalid Resource",
"type": "DEFAULT_4XX",
"stage": "qa"
}
Not sure whether it is a cleaner way than your suggestion, however you can configure a specific gateway response for the missing authentication token: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-gateway-response-using-the-console.html
In the Gateway Responses pane, choose a response type. In this walkthrough, we use Missing Authentication Token (403) as an example.
You can change the API Gateway-generated Status Code to return a different status code that meets your API's requirements. In this example, the customization changes the status code from the default (403) to 404 because this error message occurs when a client calls an unsupported or invalid resource that can be thought of as not found.
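The two answers above make two points that are easy to get wrong when writing the gateway response by hand: the body template accepts only simple $context placeholders (no VTL directives), and the status code of MISSING_AUTHENTICATION_TOKEN / DEFAULT_4XX can be overridden to 404. The block below is an added example, not code from either answer or from AWS: it lints a template for unsupported VTL, simulates the placeholder substitution locally so the rendered body can be checked before deploying, and assembles a validated response definition. The substitution is my own approximation of what API Gateway does (it throws on an unknown placeholder, where the service's behaviour may differ), the GatewayResponseSpec shape is mine rather than a CDK or CloudFormation type, and SAMPLE_CONTEXT is constructed; the pre-quoted messageString value mirrors the default template shown earlier on this page, which embeds it without surrounding quotes.

```typescript
// Added example, not code from the original answers or from AWS. Models what
// the answers say about gateway responses: $context placeholders only, no VTL
// directives, and an overridable status code. Placeholder rendering here is a
// local approximation for checking templates; API Gateway does the real work.

type Ctx = { [key: string]: string | Ctx };

// Accepts $context.a.b and ${context.a.b}; the two groups keep a closing "}"
// that belongs to the JSON body from being swallowed.
const PLACEHOLDER =
  /\$\{context\.([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*)\}|\$context\.([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*)/g;
const VTL_DIRECTIVE = /#(if|elseif|else|end|set|foreach|macro|include|parse)\b/;

/** Walk a dotted path through the context object; unknown paths are an error. */
function lookupContext(ctx: Ctx, path: string): string {
  let node: string | Ctx = ctx;
  for (const part of path.split('.')) {
    if (typeof node === 'string' || !(part in node)) {
      throw new Error(`unknown placeholder $context.${path}`);
    }
    node = node[part];
  }
  if (typeof node !== 'string') throw new Error(`$context.${path} is not a leaf value`);
  return node;
}

/** Report constructs a gateway response template cannot use. */
function lintGatewayResponseTemplate(template: string): string[] {
  const problems: string[] = [];
  if (VTL_DIRECTIVE.test(template)) {
    problems.push('VTL directives (#if/#set/#foreach/...) are not supported in gateway response templates');
  }
  return problems;
}

/** Approximate API Gateway's placeholder substitution for a $context-only template. */
function renderGatewayResponseTemplate(template: string, ctx: Ctx): string {
  const problems = lintGatewayResponseTemplate(template);
  if (problems.length > 0) throw new Error(problems.join('; '));
  return template.replace(PLACEHOLDER, (_match: string, braced?: string, bare?: string) =>
    lookupContext(ctx, (braced ?? bare) as string)
  );
}

interface GatewayResponseSpec {
  responseType: string;
  statusCode: string;
  responseTemplates: { [contentType: string]: string };
}

/** Assemble a linted definition (shape is mine, not a CDK/CloudFormation type). */
function buildGatewayResponse(responseType: string, statusCode: number, jsonTemplate: string): GatewayResponseSpec {
  const problems = lintGatewayResponseTemplate(jsonTemplate);
  if (problems.length > 0) throw new Error(problems.join('; '));
  return {
    responseType,
    statusCode: String(statusCode),
    responseTemplates: { 'application/json': jsonTemplate },
  };
}

// Constructed sample context (assumption), shaped like the answer's QA stage.
const SAMPLE_CONTEXT: Ctx = {
  stage: 'qa',
  error: {
    responseType: 'DEFAULT_4XX',
    // messageString arrives already JSON-quoted, which is why the default
    // template embeds it without surrounding quotes.
    messageString: '"Missing Authentication Token"',
  },
};

const NOT_FOUND_TEMPLATE =
  '{"message":"Invalid Resource","type": "$context.error.responseType","stage": "$context.stage"}';
const DEFAULT_TEMPLATE = '{"message":$context.error.messageString}';

// The second answer's variant: the missing-resource case mapped to 404.
const NOT_FOUND_RESPONSE: GatewayResponseSpec =
  buildGatewayResponse('MISSING_AUTHENTICATION_TOKEN', 404, NOT_FOUND_TEMPLATE);
```

Parsing the rendered string with JSON.parse in a test catches the other common mistake, a placeholder that is already quoted (messageString) being wrapped in a second pair of quotes, before the template reaches a stage.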

422 [Error] Cannot Process In CloudWatch Logs

I am trying to make a Lambda hit an HTTP endpoint and deliver some simple JSON. The Lambda works completely fine and the URL is OK; however, when the JSON is being delivered I see a 422 error [Error Cannot Process] when I check CloudWatch Logs. Any idea why this could be?

Error code 500 when calling API from client

I have a Lambda function and when I call it from my React app I get the following 2 errors:
POST https://x7429ccke5.execute-api.eu-west-1.amazonaws.com/prod/sites 500
and
Uncaught (in promise) Error: Request failed with status code 500
at createError (createError.js:17)
at settle (settle.js:19)
at XMLHttpRequest.handleLoad (xhr.js:78)
I do not have a login system on my website yet, so I want to call the API without needing permissions. In my serverless.yml, I have it as:
functions:
  # Defines an HTTP API endpoint that calls the main function in create.js
  # - path: url path is /notes
  # - method: POST request
  # - cors: enabled CORS (Cross-Origin Resource Sharing) for browser cross
  #   domain api call
  # - authorizer: authenticate using the AWS IAM role
  createSite:
    handler: CreateSite.main
    events:
      - http:
          path: sites
          method: post
          cors: true
          arn: "arn:aws:execute-api:eu-west-1:106845550704:x7429ccke5/*/POST/sites"
I suspect the problem is with API Gateway's integration with Lambda. It's your API Gateway that is throwing the 500 error. Please check whether your API Gateway is staged or not. If it is staged, check this:
https://docs.aws.amazon.com/apigateway/latest/developerguide/amazon-api-gateway-using-stage-variables.html#call-api-http-backend-via-stage-variable
Let me know if it still doesn't work.

Jenkins on AWS: No valid crumb was included in the request

I have just set up Jenkins (v2.69) on an AWS EC2 instance and I am accessing it through a web browser (Chrome).
However, when reaching the 'Create First Admin User' page and clicking Save and Finish, I am hit with the following issue.
No valid crumb was included in the request
And also receive this from the console:
Failed to load resource: the server responded with a status of 403 (No valid crumb was included in the request)
Is there something I am missing or have not set up?
I've been following this tutorial
Follow these steps to avoid the error:
Switch to the Jenkins user with the following command:
su - jenkins -s /bin/bash
Go to config.xml and comment out the crumbIssuer in
/var/lib/jenkins/config.xml: