AWS SAM Unable to call Rekognition and access S3 from Lambda

I am trying to call the detectText method from the Rekognition framework and it failed to call the S3 bucket. I am not sure how to give roles in the SAM template. Below is my SAM template:
GetTextFunction:
  Type: AWS::Serverless::Function
  Properties:
    CodeUri: gettextfn/
    Handler: text.handler
    Runtime: nodejs12.x
    Timeout: 3
    MemorySize: 128
    Environment:
      Variables:
        imagebucket: !Ref s3bucket
    Events:
      TextApiEvent:
        Type: HttpApi
        Properties:
          Path: /gettext
          Method: get
          ApiId: !Ref myapi

Looks like your Lambda needs RekognitionDetectOnlyPolicy, and it also looks like you are missing the policy to read/write data from the S3 bucket. Have a look at the Policies: section below, added after Environment:
Environment:
  Variables:
    imagebucket: !Ref s3bucket
Policies:
  - S3ReadPolicy:
      BucketName: !Ref s3bucket
  - RekognitionDetectOnlyPolicy: {}
Events:
You can refer to the complete list of AWS SAM policy templates here: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html
Also have a look at a sample template here:
https://github.com/rollendxavier/serverless_computing/blob/main/template.yaml

Related

Referencing an AWS Lambda's role inside a SAM Template (CF Stack) YAML

I have an AWS SAM template defining, amongst many other things, a JavaScript Lambda:
Resources:
  notesFunction:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Zip
      CodeUri: notes/
      Handler: app.lambdaHandler
      Runtime: nodejs18.x
      Policies:
        - AmazonDynamoDBFullAccess
      Architectures:
        - x86_64
      Events:
        Fetchnotes:
          Type: Api
          Properties:
            Path: /notes
            Method: get
        Givenotes:
          Type: Api
          Properties:
            Path: /notes
            Method: post
        Users:
          Type: Api
          Properties:
            Path: /notes/users
            Method: get
    Metadata:
      BuildMethod: esbuild
      BuildProperties:
        Minify: true
        Target: "es2020"
        Sourcemap: true
        EntryPoints:
          - app.ts
Later on in the template, I am trying to reference this Lambda's role (example: Role: !Ref <MyLambdaRole>) but not sure how to do that, since the role is created on the fly when deploying the SAM template (CloudFormation stack). Any ideas how I can do this?
If you do not provide a role in your AWS::Serverless::Function definition, SAM creates a role with a Logical ID of <function-LogicalId>Role.
In your case, this would be !Ref notesFunctionRole.
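An added example (not from the original posts): a small Python audit that classifies how each AWS::Serverless::Function gets its IAM permissions, covering the cases in the two questions above (no Policies, scoped policy templates, a FullAccess managed policy) and, going beyond them, an explicit Role. TEMPLATE is a constructed, already-parsed stand-in for the YAML; the logical ID GetTextFunctionFixed and the function name audit_function_permissions are assumptions.

```python
# Added example, not code from the original posts.
# TEMPLATE is a constructed, already-parsed stand-in for the SAM YAML on this page.
FN = "AWS::Serverless::Function"
TEMPLATE = {"Resources": {
    # As posted in the first question: neither Policies nor Role.
    "GetTextFunction": {"Type": FN, "Properties": {"Handler": "text.handler"}},
    # With the answer's policy templates (this logical ID is hypothetical).
    "GetTextFunctionFixed": {"Type": FN, "Properties": {"Policies": [
        {"S3ReadPolicy": {"BucketName": {"Ref": "s3bucket"}}},
        {"RekognitionDetectOnlyPolicy": {}},
    ]}},
    # As posted in the second question: an AWS managed policy by name.
    "notesFunction": {"Type": FN, "Properties": {"Policies": ["AmazonDynamoDBFullAccess"]}},
    "s3bucket": {"Type": "AWS::S3::Bucket"},
}}


def audit_function_permissions(template):
    """Return {logical_id: [findings]} for every serverless function."""
    report = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != FN:
            continue
        props = resource.get("Properties", {})
        policies = props.get("Policies", [])
        if not isinstance(policies, list):  # SAM also accepts a single policy
            policies = [policies]
        findings = []
        if "Role" in props:
            # With Role set, SAM generates no <LogicalId>Role resource.
            findings.append("explicit Role: review that role's own policies")
            if policies:
                findings.append("Policies ignored because Role is set")
        elif not policies:
            findings.append("no Policies: generated role only has basic execution permissions")
        for policy in policies:
            # Managed policies appear as a name or an ARN string.
            if isinstance(policy, str) and policy.endswith(("FullAccess", "AdministratorAccess")):
                findings.append(f"broad managed policy: {policy}")
        report[logical_id] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_function_permissions(TEMPLATE).items():
        print(name, "->", findings or ["scoped policies only"])
```

An empty findings list means the function relies only on scoped policy templates or inline statements, which this check does not inspect further.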

Error: Unable to upload artifact PitchAiIngest referenced by CodeUri parameter of PitchAiIngest resource

Pretty new to AWS Lambda function, and this is my time to get my hands dirty. I got this error in the title when I wanted to docker build my function. And here is how I configured my function:
PitchAiIngest:
  Type: AWS::Serverless::Function
  Properties:
    FunctionName: !Sub pitch-ai-ingest-${Environment}
    Handler: lambda_function.lambda_handler
    Runtime: python3.7
    CodeUri: pitchai_ingest/
    Description: get pitchai information from API and publish to dynamodb
    MemorySize: 128
    Timeout: 900
    Role: !GetAtt LambdaRole.Arn
    Environment:
      Variables:
        LOGGING_LEVEL: INFO
        APP_NAME: pitch-ai-ingest
        APP_ENV: !Ref Environment
        DYNAMO_DB: !Ref PitchAiEventDynamoDBTable
        PLAYER_DB: !Ref PitchAiPlayerDynamoDBTable
        PITCH_SQS: !Ref PitchAiIngestQueue
    Tags:
      env: !Ref Environment
      service: pitch-ai-service
      function_name: !Sub pitch-ai-ingest-${Environment}
Roughly speaking, I post the snippet above in file cfn-tempate.yml under the same directory of folder pitchai_ingest (including Lambda handler).
What should I do to fix it?
I mistakenly set AWS_ACCESS_KEY_ID as AWS_ACCESS_KEY. That's why the credential wasn't found.

Trouble adding an s3 event trigger to my lambda function with SAM

I am trying to get my lambda to run when an image is added to a "folder" in an s3 bucket. Here is the template
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: 1. Creates the S# bucket that sotres the images from the camera.\n
  2. Resizes the images when a new image shows up from a camera.\n
  3. Adds a record of the image in the DB.
Globals:
  Function:
    Timeout: 10
Parameters:
  DeploymentStage:
    Type: String
    Default: production
Resources:
  CameraImagesBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub
        - com.wastack.camera.images.${stage}
        - { stage: !Ref DeploymentStage }
  CreateThumbnailFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: image_resize/
      Handler: app.lambda_handler
      Runtime: python3.8
      Description: Creates a thumbnail of images in the camare_images bucket
      Policies:
        - S3ReadPolicy:
            BucketName: !Sub
              - com.wastack.camera.images.${stage}
              - { stage: !Ref DeploymentStage }
        - S3WritePolicy:
            BucketName: !Sub
              - com.wastack.camera.images.${stage}
              - { stage: !Ref DeploymentStage }
      Events:
        CameraImageEvent:
          Type: S3
          Properties:
            Bucket:
              Ref: CameraImagesBucket
            Events:
              - 's3:ObjectCreated:*'
            Filter:
              S3Key:
                Rules:
                  - Name: prefix
                    Value: camera_images
When I look at the lambda created on the AWS console, I do not see the trigger, even in the lambda visualiser. The lambda doesn't even have the s3 read and write policies attached to it.
The s3 bucket and the lambda are created, but the policies and triggers that are supposed to connect them are not created.
I did not get any error when I ran sam deploy.
Question: why did it not attach the s3 trigger event or the s3 access policies to the lambda function?
Policies for s3. So the template is straightforward. If you place the full template in, does it work? If that is also failing, check the permissions on what you're running SAM as. Also, there's an open ticket on GitHub; this appears to be your issue. See the comments.

AWS Lambda function defined in YML file fails when Role added

I created the following yml file to deploy with SAM in AWS. But when I added the Role, it fails with the error "UPDATE_ROLLBACK_COMPLETE. Reason: No reason was provided.". Why does it happen?
Resources:
  HelloWorld:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub 'awscodestar-${ProjectId}-lambda-HelloWorld'
      Handler: index.handler
      Runtime: python3.7
      Role: arn:aws:iam::790615885331:role/lambda_dynam
      Events:
        GetEvent:
          Type: Api
          Properties:
            Path: /
            Method: get
        PostEvent:
          Type: Api
          Properties:
            Path: /
            Method: post
It fails if I completely remove the Role, and it works only if I add the following expression as the Role:
Role:
  Fn::GetAtt:
    - LambdaExecutionRole
    - Arn
I want to add an already created role.

Aws-Sam Local Invoke: Layer endpoint not found

I'm trying to set up a local dev environment for my Lambda functions using SAM. I had everything working until I added a reference to a layer in my configuration.
I followed the instructions here: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-layers.html. I added my ARN for my layer version in my template.ymal as follows:
# template.ymal
TestLayerFunction:
  Type: AWS::Serverless::Function
  Properties:
    FunctionName: TestLayer
    Role: arn:aws:iam::111111111111:role/ReadStreamingTable
    CodeUri: src/streaming/test-layer/
    Handler: app.handler
    Runtime: nodejs8.10
    Layers:
      - arn:aws:lambda:eu-west-1:111111111111:layer:Global:7
However when running a "sam local invoke" I get the following error:
botocore.exceptions.EndpointConnectionError: Could not connect to the endpoint URL:
"https://lambda.eu-west-1a.amazonaws.com/2018-10-31/layers/arn%3Aaws%3Alambda%3Aeu-west-1%3A111111111111%3Alayer%3AGlobal/versions/7"
The way I've added the layer ARN in the configuration seems to be exactly how they do it in the example so I'm not sure what is causing the error.
I know it's not exactly a solution, but can you not have your layer as part of your SAM file?
If you have a look at this article on the AWS site, they use both the layer and the lambda function in the same yaml file, so you'd end up with something like this:
Resources:
  TempConversionFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello-world/
      Handler: app.lambdaHandler
      Layers:
        - !Ref TempConversionDepLayer
      Events:
        HelloWorld:
          Type: Api
          Properties:
            Path: /{conversion}/{value}
            Method: get
  TempConversionDepLayer:
    Type: AWS::Serverless::LayerVersion
    Properties:
      LayerName: sam-app-dependencies
      Description: Dependencies for sam app [temp-units-conv]
      ContentUri: dependencies/
      CompatibleRuntimes:
        - nodejs6.10
        - nodejs8.10
      LicenseInfo: 'MIT'
      RetentionPolicy: Retain