AWS Lambda function defined in YML file fails when Role added - amazon-web-services

I created the following yml file to deploy with SAM in AWS. But when I added the Role, it fails with the error "UPDATE_ROLLBACK_COMPLETE. Reason: No reason was provided.". Why does this happen?
Resources:
  HelloWorld:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub 'awscodestar-${ProjectId}-lambda-HelloWorld'
      Handler: index.handler
      Runtime: python3.7
      Role: arn:aws:iam::790615885331:role/lambda_dynam
      Events:
        GetEvent:
          Type: Api
          Properties:
            Path: /
            Method: get
        PostEvent:
          Type: Api
          Properties:
            Path: /
            Method: post
It fails if I completely remove the Role, and it works only if I add the following expression as the Role:
Role:
  Fn::GetAtt:
    - LambdaExecutionRole
    - Arn
I want to add an already created role.

Related

Referencing an AWS Lambda's role inside a SAM Template (CF Stack) YAML

I have an AWS SAM template defining, amongst many other things, a JavaScript Lambda:
Resources:
  notesFunction:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Zip
      CodeUri: notes/
      Handler: app.lambdaHandler
      Runtime: nodejs18.x
      Policies:
        - AmazonDynamoDBFullAccess
      Architectures:
        - x86_64
      Events:
        Fetchnotes:
          Type: Api
          Properties:
            Path: /notes
            Method: get
        Givenotes:
          Type: Api
          Properties:
            Path: /notes
            Method: post
        Users:
          Type: Api
          Properties:
            Path: /notes/users
            Method: get
    Metadata:
      BuildMethod: esbuild
      BuildProperties:
        Minify: true
        Target: "es2020"
        Sourcemap: true
        EntryPoints:
          - app.ts
Later on in the template, I am trying to reference this Lambda's role (example: Role: !Ref <MyLambdaRole>) but am not sure how to do that, since the role is created on the fly when deploying the SAM template (CloudFormation stack). Any ideas how I can do this?
If you do not provide a role in your AWS::Serverless::Function definition, SAM creates a role with a Logical ID of <function-LogicalId>Role.
In your case, this would be !Ref notesFunctionRole.
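An added example, not taken from either post above, that covers both situations: the first question's requirement of attaching a role that already exists, and the second question's need to reference the role SAM generates. The existing role ARN is taken from a template parameter so that no account ID is hardcoded, and the generated role is referenced with !GetAtt rather than !Ref, because !Ref on an AWS::IAM::Role returns the role name while the Role property of a function expects an ARN. The parameter name, the table, the second function and the inline handler are assumptions made for illustration; the AmazonDynamoDBFullAccess managed policy from the second template is replaced by the DynamoDBCrudPolicy policy template scoped to one table.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Parameters:
  # Assumed parameter: the ARN of a pre-existing role, supplied at deploy time with
  #   sam deploy --parameter-overrides ExistingRoleArn=arn:aws:iam::123456789012:role/lambda_dynam
  # so the account ID does not live in the template.
  ExistingRoleArn:
    Type: String
    AllowedPattern: '^arn:aws[a-z-]*:iam::\d{12}:role/.+$'

Resources:
  # Assumed table, so the scoped policy template below has a resource to point at.
  NotesTable:
    Type: AWS::Serverless::SimpleTable

  # Case 1 (first question): use a role that already exists.
  # When Role is set, SAM does not generate a role and ignores Policies.
  HelloWorld:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: python3.12
      InlineCode: |
        def handler(event, context):
            return {"statusCode": 200, "body": "ok"}
      Role: !Ref ExistingRoleArn

  # Case 2 (second question): let SAM generate the role, but grant only CRUD on
  # one table instead of the AmazonDynamoDBFullAccess managed policy.
  notesFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: app.lambdaHandler
      Runtime: nodejs18.x
      CodeUri: notes/
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref NotesTable
      Environment:
        Variables:
          TABLE_NAME: !Ref NotesTable

  # The generated role's logical ID is <FunctionLogicalId>Role, here notesFunctionRole.
  # !Ref on it returns the role name; a Role property needs the ARN, hence !GetAtt.
  # Assumed second function that shares the generated role.
  notesCleanupFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: cleanup.handler
      Runtime: nodejs18.x
      CodeUri: notes/
      Role: !GetAtt notesFunctionRole.Arn

Outputs:
  GeneratedRoleName:
    Value: !Ref notesFunctionRole
  GeneratedRoleArn:
    Value: !GetAtt notesFunctionRole.Arn
```

If CloudFormation rejects the function with a message about an invalid role, check that the value being passed is an ARN and not a role name; that is the usual result of using !Ref on a role resource where the ARN is required.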

AWS SAM Unable to call Rekognition and access S3 from Lambda

I am trying to call the detectText method from the Rekognition framework, and it fails to call the S3 bucket. I am not sure how to give roles in a SAM template. Below is my SAM template:
GetTextFunction:
  Type: AWS::Serverless::Function
  Properties:
    CodeUri: gettextfn/
    Handler: text.handler
    Runtime: nodejs12.x
    Timeout: 3
    MemorySize: 128
    Environment:
      Variables:
        imagebucket: !Ref s3bucket
    Events:
      TextApiEvent:
        Type: HttpApi
        Properties:
          Path: /gettext
          Method: get
          ApiId: !Ref myapi
It looks like your lambda needs RekognitionDetectOnlyPolicy, and it also looks like you are missing the policy to read/write data from the S3 bucket. Have a look at the Policies: below, added after Environment:
    Environment:
      Variables:
        imagebucket: !Ref s3bucket
    Policies:
      - S3ReadPolicy:
          BucketName: !Ref s3bucket
      - RekognitionDetectOnlyPolicy: {}
    Events:
You can refer to the complete list of AWS SAM policy templates here: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html
Also have a look at a sample template here:
https://github.com/rollendxavier/serverless_computing/blob/main/template.yaml

AWS IoT 1 Click Project SAM - 400 InvalidRequestException error

Hi, I am using AWS SAM to deploy a serverless application that also relies on 1-Click devices. I have the template deploying fine, but I have to exclude this value:
CallbackOverrides:
  onClickCallback:
Here is the template file:
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: securitybutton
Globals:
  Function:
    Timeout: 10
Resources:
  SecurityButtonFunction:
    Type: AWS::Serverless::Function
    Properties:
      # Policies belongs under Properties; in the posted template it sat at the
      # resource level next to Type, where it is not a valid attribute.
      Policies:
        - AmazonSNSFullAccess
      CodeUri: src
      Handler: index.lambdaHandler
      Runtime: nodejs12.x
      MemorySize: 512
      Events:
        IoTRule:
          Type: IoTRule
          Properties:
            Sql: SELECT * FROM 'iotbutton/*'
  #TOPICS
  BRSecurityButtonTopic:
    Type: AWS::SNS::Topic
  #IoT
  #project
  BRSecurityButtonProject:
    Type: "AWS::IoT1Click::Project"
    Properties:
      ProjectName: "BRSecurityButton"
      Description: "BRSecurityButton"
      PlacementTemplate:
        DefaultAttributes:
          SNSTopic: Changeme
          Location: Changeme
          Theatre: Changeme
        DeviceTemplates:
          SecuityButtonTemplate:
            DeviceType: "button"
            CallbackOverrides:
              onClickCallback: !GetAtt
                - SecurityButtonFunction
                - Arn
Outputs:
  SecurityButtonFunction:
    Description: "Security Button Lambda Function ARN"
    Value: !GetAtt SecurityButtonFunction.Arn
Here is the resulting CloudFormation error:
Lambda function
arn:aws:lambda:us-east-1:LALALALALALA:function:securitybutton-prod-SecurityButtonFunction-6OB47JEIU192
cannot be invoked. (Service: AWSIoT1ClickProjects; Status Code: 400;
Error Code: InvalidRequestException; Request ID:
f0e94cd5-0310-4dcf-8d4a-a5ee8b102590; Proxy: null)
on the logical ID of BRSecurityButtonProject
Any help would be appreciated.
I found that the issue was related to IAM. I added this to the SAM template, which granted access for any IoT 1-Click project in the account to invoke the Lambda function.
SecurityButtonFunctionIoTPermission:
  Type: AWS::Lambda::Permission
  Properties:
    FunctionName: !GetAtt SecurityButtonFunction.Arn
    Action: lambda:InvokeFunction
    Principal: iot1click.amazonaws.com
    SourceAccount: !Ref "AWS::AccountId"
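An added example, not the poster's own template, that places that permission in the full stack and addresses two things a practitioner would check. First, the project does not reference the permission, so CloudFormation gives no ordering guarantee between them; the error in the question is raised when the project is created and validates that it can invoke the callback, so the project gets an explicit DependsOn on the permission. Second, the AmazonSNSFullAccess managed policy is narrowed to the SNSPublishMessagePolicy policy template scoped to the stack's own topic. The TOPIC_ARN variable name and the newer Node.js runtime are assumptions; the IoT rule event and the project definition are kept from the question.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: securitybutton with an explicit invoke permission for IoT 1-Click

Resources:
  BRSecurityButtonTopic:
    Type: AWS::SNS::Topic

  SecurityButtonFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src
      Handler: index.lambdaHandler
      Runtime: nodejs18.x   # assumed; nodejs12.x from the question is no longer deployable
      MemorySize: 512
      Timeout: 10
      Environment:
        Variables:
          TOPIC_ARN: !Ref BRSecurityButtonTopic   # assumed variable the handler publishes to
      Policies:
        # Identity-based policy for the function's role: publish to this topic only,
        # instead of the AmazonSNSFullAccess managed policy.
        - SNSPublishMessagePolicy:
            TopicName: !GetAtt BRSecurityButtonTopic.TopicName
      Events:
        IoTRule:
          Type: IoTRule
          Properties:
            Sql: SELECT * FROM 'iotbutton/*'

  # Resource-based policy on the function: allows the IoT 1-Click service principal
  # to invoke it. SourceAccount stops projects in other accounts from using the function.
  SecurityButtonFunctionIoTPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt SecurityButtonFunction.Arn
      Action: lambda:InvokeFunction
      Principal: iot1click.amazonaws.com
      SourceAccount: !Ref "AWS::AccountId"

  BRSecurityButtonProject:
    Type: AWS::IoT1Click::Project
    # Project creation checks that the callback can be invoked. Nothing in the
    # project references the permission, so the ordering must be stated explicitly.
    DependsOn: SecurityButtonFunctionIoTPermission
    Properties:
      ProjectName: BRSecurityButton
      Description: BRSecurityButton
      PlacementTemplate:
        DefaultAttributes:
          SNSTopic: Changeme
          Location: Changeme
          Theatre: Changeme
        DeviceTemplates:
          SecurityButtonTemplate:
            DeviceType: button
            CallbackOverrides:
              onClickCallback: !GetAtt SecurityButtonFunction.Arn

Outputs:
  SecurityButtonFunction:
    Description: Security Button Lambda Function ARN
    Value: !GetAtt SecurityButtonFunction.Arn
```

Without the DependsOn the deployment can succeed on one run and fail with the same InvalidRequestException on the next, depending on which resource CloudFormation happens to create first; making the dependency explicit removes that intermittency.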

AWS SAM Deploy error - Validation Error | CreateChangeSet Operation Error

I get the following error upon attempting sam deploy --guided on my lambda application.
Error: Failed to create changeset for the stack: {stack-name}, An error occurred (ValidationError) when calling the CreateChangeSet operation: Stack:arn:aws:cloudformation:ap-southeast-2:014009325916:stack/{stack-name}/f2212bf0-bb41-11ea-8ef3-0aa7af0536b6 is in ROLLBACK_COMPLETE state and can not be updated.
Some further context on this issue is that all of my lambda functions have no authorization defined. I am not sure if that is related, but I'm stating it in case it is.
I frankly have no idea how to go about this issue. Any help is appreciated.
===
Context: Building an automated trading system
Requested CloudFormation template:
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: A tradingview alert wrapper that interprets alerts and makes trades according to them.
Globals:
  Function:
    # CodeUri: function/.
    # Runtime: python3.8
    # Policies:
    #   - AWSLambdaFullAccess
    # Tracing: Active
    # Timeout: 30
    Environment:
      Variables:
        APIKEY: ""
        SECRETKEY: ""
Resources:
  tradeFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: app.trade
      Description: The primary execution function
      CodeUri: function/.
      Runtime: python3.8
      Policies:
        - AWSLambdaFullAccess
      Tracing: Active
      Timeout: 60
      Events:
        inputResponse:
          Type: Api
          Properties:
            Path: /trade
            Method: post
            # Auth is a property of the Api event; in the posted template it sat one
            # level too high, as a sibling of Type and Properties, which is not valid.
            Auth:
              ApiKeyRequired: false
              Authorizer: NONE
  printAccountBalanceFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: function/.
      Runtime: python3.8
      Policies:
        - AWSLambdaFullAccess
      Tracing: Active
      Timeout: 30
      Handler: app.print_account_balance
      Description: Returns account balance over time or trade
      Events:
        inputResponse:
          Type: Api
          Properties:
            Path: /print_account_balance
            Method: get
  startTradesFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: function/.
      Runtime: python3.8
      Policies:
        - AWSLambdaFullAccess
      Tracing: Active
      Timeout: 30
      Handler: app.start_trades
      Description: Resets trade log for a fresh start
      Events:
        inputResponse:
          Type: Api
          Properties:
            Path: /start_trades
            Method: get
  retrieveTradeLogFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: function/.
      Runtime: python3.8
      Policies:
        - AWSLambdaFullAccess
      Tracing: Active
      Timeout: 30
      Handler: app.retrieve_trade_log
      Description: Return all the trade logs in the DynamoDB database
      Events:
        inputResponse:
          Type: Api
          Properties:
            Path: /retrieve_trade_log
            Method: get
To my understanding, the error is encountered when one does an initial deployment and that initial deployment fails. As a result, something breaks and the deployment service cannot execute successfully. To fix this issue, simply delete the AWS CloudFormation stack and redeploy.
One can use the following command to delete it:
aws cloudformation delete-stack --stack-name <insert stack-name>
You might need to run sam build first so your resources pick up the latest changes.

Aws-Sam Local Invoke: Layer endpoint not found

I'm trying to set up a local dev environment for my Lambda functions using SAM. I had everything working until I added a reference to a layer in my configuration.
I followed the instructions here: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-layers.html. I added the ARN for my layer version in my template.yaml as follows:
# template.yaml
TestLayerFunction:
  Type: AWS::Serverless::Function
  Properties:
    FunctionName: TestLayer
    Role: arn:aws:iam::111111111111:role/ReadStreamingTable
    CodeUri: src/streaming/test-layer/
    Handler: app.handler
    Runtime: nodejs8.10
    Layers:
      - arn:aws:lambda:eu-west-1:111111111111:layer:Global:7
However, when running "sam local invoke" I get the following error:
botocore.exceptions.EndpointConnectionError: Could not connect to the endpoint URL:
"https://lambda.eu-west-1a.amazonaws.com/2018-10-31/layers/arn%3Aaws%3Alambda%3Aeu-west-1%3A111111111111%3Alayer%3AGlobal/versions/7"
The way I've added the layer ARN in the configuration seems to be exactly how they do it in the example, so I'm not sure what is causing the error.
I know it's not exactly a solution, but can you not have your layer as part of your SAM file?
If you have a look at this article on the AWS site, they use both the layer and the lambda function in the same yaml file, so you'd end up with something like this:
Resources:
  TempConversionFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello-world/
      Handler: app.lambdaHandler
      Layers:
        - !Ref TempConversionDepLayer
      Events:
        HelloWorld:
          Type: Api
          Properties:
            Path: /{conversion}/{value}
            Method: get
  TempConversionDepLayer:
    Type: AWS::Serverless::LayerVersion
    Properties:
      LayerName: sam-app-dependencies
      Description: Dependencies for sam app [temp-units-conv]
      ContentUri: dependencies/
      CompatibleRuntimes:
        - nodejs6.10
        - nodejs8.10
      LicenseInfo: 'MIT'
      RetentionPolicy: Retain