I have encountered this issue when trying to sam deploy my lambda function. I have found a link to the same issue here:
When using guided deploy and accepting the default options I receive a Security Constraints Not Satisfied! error. · Issue #1990 · awslabs/aws-sam-cli
However, even after reading through it and the docs, I do not understand how to fix it. Can somebody explain this to me?
This normally happens to those who start with the AWS SAM Hello World template and deploy without any changes, or who follow the AWS SAM tutorial. (This doesn't mean that you shouldn't start from that template or use the AWS SAM tutorial, but you should add some more configuration to get rid of this message.)
Here, AWS SAM is informing you that your application configures API Gateway APIs without authorization. When you deploy the same application, AWS SAM creates a publicly available URL/API.
To get rid of this message, you need to define some access control mechanism for your API.
You can use AWS SAM to control who can access your API Gateway APIs by enabling authorization within your AWS SAM template.
Example:
    MyApi:
      Type: AWS::Serverless::Api
      Properties:
        StageName: Prod
        Auth:
          DefaultAuthorizer: MyLambdaTokenAuthorizer
          Authorizers:
            MyLambdaTokenAuthorizer:
              FunctionArn: !GetAtt MyAuthFunction.Arn
    MyAuthFunction:
      Type: AWS::Serverless::Function
      Properties:
        CodeUri: ./src
        Handler: authorizer.handler
        Runtime: nodejs12.x
The above snippet is an example of an authorization mechanism called a Lambda authorizer. There are other mechanisms too, such as IAM permissions, API keys, etc.
You can find more information about these authorization mechanisms at the following link:
https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-controlling-access-to-apis.html
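An added sketch of what the authorizer.handler referenced by MyAuthFunction could look like (example code, not from the answer or from AWS). The token format, the AUTH_SECRET environment variable and the helper names sign, verifyToken and policy are assumptions made for this example:

```javascript
// authorizer.js: added example of a Lambda TOKEN authorizer for MyAuthFunction.
// Assumed token format: "Bearer <base64 JSON {sub, exp}>.<hex HMAC-SHA256 of the base64 text>"
// with the shared secret supplied in the (hypothetical) AUTH_SECRET environment variable.
const crypto = require('crypto');

const sign = (payload, secret) =>
  crypto.createHmac('sha256', secret).update(payload).digest('hex');

function verifyToken(header, secret, nowSec) {
  const m = /^Bearer ([A-Za-z0-9+/=_-]+)\.([0-9a-f]{64})$/.exec(header || '');
  if (!m) return null;
  const expected = Buffer.from(sign(m[1], secret));
  const given = Buffer.from(m[2]);
  // Constant-time comparison; timingSafeEqual requires equal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(m[1], 'base64').toString('utf8'));
  } catch {
    return null;
  }
  // Reject a missing subject and an expired or non-numeric expiry.
  if (!claims || typeof claims.sub !== 'string' || !(claims.exp > nowSec)) return null;
  return claims;
}

// Response shape API Gateway expects from a Lambda authorizer.
function policy(principalId, effect, resource) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resource }],
    },
  };
}

// A TOKEN authorizer event carries authorizationToken and methodArn.
async function handler(event) {
  const secret = process.env.AUTH_SECRET;
  const claims = secret ? verifyToken(event.authorizationToken, secret, Date.now() / 1000) : null;
  // Fail closed: any verification failure (or a missing secret) yields an explicit Deny.
  return claims
    ? policy(claims.sub, 'Allow', event.methodArn)
    : policy('anonymous', 'Deny', event.methodArn);
}

module.exports = { handler };
```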
Related
I am using SAM to develop a lambda that is triggered by SNS.
When I am using SAM, it seems I get API GATEWAY associated to the Lambda when I deploy.
It is nice in dev, but not in prod.
How would I develop a Lambda without deploying it attached to an API GATEWAY?
"I was not aware of Lambda runtime API"
Using the Lambda runtime API and the AWS SDKs, as a developer, you can build more flexible Lambda functions with the exact functionality that you want.
For example, you can build Lambda functions that can invoke multiple AWS Services to perform a given use case. For example, from a Lambda function, I want to detect PPE information in images within an Amazon S3 bucket, store the results in an Amazon DynamoDB table, and use the SES service to email the results.
Here are a few end to end tutorials.
For example - here are two JavaScript examples:
Creating and using Lambda functions
Creating scheduled events to execute AWS Lambda functions
Here are some Java runtime examples:
Creating an AWS Lambda function that detects images with Personal Protective Equipment
Creating an Amazon Web Services Lambda function that tags digital assets located in Amazon S3 buckets
Creating an ETL workflow by using AWS Step Functions and the AWS SDK for Java
UPDATE
Once you test your code in an IDE, deploy it and test it from the Lambda console. Once it is successfully invoked, you will see a message like this:
Another option I found, this time within SAM, is to define the function with a different event source.
The Lambda will be exposed if its event source is defined as Api.
You can define it as many other things (S3, Sns, Sqs, etc.).
Here is an example of one function triggered by an HTTP event via API Gateway, and another one triggered by Sns. The config for SNS is not complete; check this link for full details: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md
In template.yaml, notice the Events section of each Lambda definition.
    Resources:
      HelloWorldFunction:
        Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
        Properties:
          CodeUri: hello-world/
          Handler: app.lambdaHandler
          Runtime: nodejs14.x
          Events:
            HelloWorld:
              Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
              Properties:
                Path: /hello
                Method: get
      BooBooFunction:
        Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
        Properties:
          CodeUri: booboo/
          Handler: app.lambdaHandler
          Runtime: nodejs14.x
          Events:
            BooBoo:
              # Incomplete on purpose: an Sns event also needs Properties with a Topic.
              Type: Sns # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
I've created AWS Lambda in C# using Visual Studio that returns some JSON from the API endpoint. Now I want to run that lambda locally. All the examples use AWS SAM, but they create a new function using the SAM template.
When I run the command sam local start-lambda I get an error saying that the template isn't found. So what is certain is that I need template.yaml, but I'm not sure whether there is a way to generate this template for an existing Lambda.
Any help is appreciated!
Check out the Template Anatomy resource on the AWS documentation.
You might find this example helpful (it's greatly simplified). I use NodeJS for development, but the differences between programming languages when you're creating a SAM Template are trivial. The example is an outline for a simple Lambda function someFunction being invoked by an API Gateway (HTTP) event.
    AWSTemplateFormatVersion: '2010-09-09'
    Transform: 'AWS::Serverless-2016-10-31'
    Description: My Serverless Application
    Parameters:
      # Manually define this in AWS IAM for just the services needed.
      lambdaExecutionRole:
        Description: 'Required. The role used for lambda execution.'
        Type: 'String'
        Default: 'arn:aws:iam::nnnnnnnnnnnn:role/LambdaExecutionRole'
    Globals:
      Function:
        Runtime: nodejs10.x
        # Environment:
        #   Variables:
        #     NODE_ENV: test
        #     DEBUG: myapp:foo
    Resources:
      performSomeFunction:
        Type: 'AWS::Serverless::Function'
        Properties:
          FunctionName: performSomeFunction
          Handler: lambda.someFunction
          CodeUri: ./
          Description: description of the function being performed
          MemorySize: 256
          Timeout: 60
          Role:
            Ref: lambdaExecutionRole
          Events:
            # API Gateway proxy endpoint.
            ProxyApiRoot:
              Type: Api
              Properties:
                Path: '/'
                Method: ANY
            ProxyApiGreedy:
              Type: Api
              Properties:
                Path: '/{proxy+}'
                Method: ANY
As you're getting started with AWS Lambda, one of the big concepts to keep in mind is how your function will be triggered. Functions are triggered by different kinds of events, and there can be many, many different types of events. I tend to use API Gateway, Simple Queue Service and CloudWatch Events to trigger mine, but it entirely depends on your use case.
It turned out that you can export the Lambda function and get the generated .yaml template, which was exactly what I needed.
I am using CloudFormation Boto3 APIs to create stack using createStack API. I am able to create stack if I pass a template which does not have a macro.
Ex -
    Resources:
      Bucket1:
        Type: AWS::S3::Bucket
      Bucket2:
        Type: AWS::S3::Bucket
I have also created a macro which I am able to invoke through CLI and through CloudFormation UI. So basically I am using the above cloud-formation with added transform.
    Transform: StackMetrics
    Resources:
      Bucket1:
        Type: AWS::S3::Bucket
      Bucket2:
        Type: AWS::S3::Bucket
So as mentioned earlier it is working through CLI and UI, but not through API.
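    import boto3

    # Wrapper function added so that `return` is valid; its name is illustrative.
    def create_macro_stack():
        client = boto3.client('cloudformation')
        response = client.create_stack(
            StackName='MacroTestStack',
            TemplateURL='<path_to_above_template>',
            # Needed because the template contains a macro (Transform).
            Capabilities=['CAPABILITY_AUTO_EXPAND']
        )
        return response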
I tried using CLI and UI.
If it works in the CLI and in the UI then it works in the API (the API being the underlying AWS API). I think you mean that it isn't working in the boto3 SDK (note SDK, not API, these are quite different things).
The most likely reason for this is that your boto3 SDK is back-level. Update it and retry.
PS if you make an SDK call and it doesn't work, usually there will be some kind of error message, error response code, or exception. Please provide that information so we don't have to guess.
I want to control access to my api gateway fronting lambda with iam permissions: https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html
I have seen no examples of how to configure this in a sam template. What does a sam template look like that has authorizationType property set to AWS_IAM?
I think I read somewhere that Sam doesn't support this directly but you can do it with swagger? Can I use swagger to get around this limitation? I haven't found a simple example of that.
The SAM template for AWS::Serverless::Api does not provide the authorizationType. You could instead use the AWS::ApiGateway::Method in your SAM template, but that means you have to define your API Gateway using CloudFormation resource types rather than SAM.
You can use the DefaultAuthorizer: AWS_IAM under Auth:
Example:
    Resources:
      MyApi:
        Type: AWS::Serverless::Api
        Properties:
          StageName: Prod
          Auth:
            DefaultAuthorizer: AWS_IAM
More: IAM permission example
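The answers above say that a function is exposed when its event source is Api and that DefaultAuthorizer under Auth closes that gap. The following added example (not SAM CLI code and not from any of the posts) lists the Api routes in a template that would deploy without authorization. It assumes the template is already parsed into an object with intrinsics in long form, handles REST Api events only, and uses constructed names (effectiveAuth, unauthenticatedRoutes, SignedFunction):

```javascript
// Added example, not SAM CLI code. Input: a SAM template already parsed into an
// object (intrinsics in long form, e.g. { Ref: 'MyApi' }). Covers REST `Api` events only.
function effectiveAuth(template, event) {
  const props = event.Properties || {};
  const eventAuth = props.Auth || {};
  if (eventAuth.Authorizer) return eventAuth.Authorizer; // 'NONE' overrides the default
  const ref = props.RestApiId && props.RestApiId.Ref;    // absent => implicit API
  const apiProps = ref ? (template.Resources[ref] || {}).Properties || {} : {};
  const globalAuth = ((template.Globals || {}).Api || {}).Auth || {};
  const auth = { ...globalAuth, ...(apiProps.Auth || {}) };
  if (auth.DefaultAuthorizer) return auth.DefaultAuthorizer;
  return eventAuth.ApiKeyRequired || auth.ApiKeyRequired ? 'API_KEY' : 'NONE';
}

function unauthenticatedRoutes(template) {
  const findings = [];
  for (const [fn, res] of Object.entries(template.Resources || {})) {
    if (res.Type !== 'AWS::Serverless::Function') continue;
    const events = (res.Properties || {}).Events || {};
    for (const [name, ev] of Object.entries(events)) {
      if (ev.Type !== 'Api') continue; // Sns, Sqs, S3 ... events create no HTTP endpoint
      if (effectiveAuth(template, ev) === 'NONE') {
        const p = ev.Properties || {};
        findings.push(`${fn}.${name}: ${p.Method} ${p.Path}`);
      }
    }
  }
  return findings;
}

// Constructed sample: the page's two functions plus one bound to an IAM-protected API.
const sampleTemplate = {
  Resources: {
    MyApi: { Type: 'AWS::Serverless::Api',
             Properties: { StageName: 'Prod', Auth: { DefaultAuthorizer: 'AWS_IAM' } } },
    HelloWorldFunction: { Type: 'AWS::Serverless::Function', Properties: { Events: {
      HelloWorld: { Type: 'Api', Properties: { Path: '/hello', Method: 'get' } } } } },
    BooBooFunction: { Type: 'AWS::Serverless::Function', Properties: { Events: {
      BooBoo: { Type: 'Sns' } } } },
    SignedFunction: { Type: 'AWS::Serverless::Function', Properties: { Events: {
      Signed: { Type: 'Api', Properties: { Path: '/signed', Method: 'get',
                                           RestApiId: { Ref: 'MyApi' } } } } } },
  },
};

console.log(unauthenticatedRoutes(sampleTemplate));
```

Running a check like this in CI before sam deploy surfaces public routes before the guided-deploy prompt does.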
I'm trying to use AWS CloudFormation to manage my stack. I've created ApiGateway APIs through the AWS console before and it has worked fine. However, when I try to add an AWS::ApiGateway::RestApi in my CloudFormation stack template it fails to create the stack with the error Resource is not supported in this region.
Why would the result be different between the console and CloudFormation?
Thanks in advance,
Indigo
I have already informed the AWS CloudFormation team. They should solve this issue shortly. In the meantime, please use the AWS API Gateway console or SDK to manage your API Gateway resources.
Thanks,
-Ka Hou
As of this writing, it is possible to create a CloudFormation resource of type AWS::ApiGateway::RestApi in the Sydney stack. I just tested that out myself by creating a test template in the Sydney region:
    Resources:
      MyRestApi:
        Type: "AWS::ApiGateway::RestApi"
        Properties:
          Name: "MyRestAPI"
Just to add to it: we now have the edge functionality available with AWS, according to which deployment is no longer restricted to a specific region. With the edge functionality, you can make your API's endpoint callable from any region after it has been deployed once.
So the CFT for the API to be region-independent can be described as:
    ApiGatewayRestApi:
      Type: 'AWS::ApiGateway::RestApi'
      Properties:
        Name: !Sub "API Name"
        EndpointConfiguration:
          Types:
            - EDGE
        Policy: ''
This will make sure the API Endpoint will be available to all the Regions.