We have a requirement to write custom logs for the application to capture the things like who did what and when.
To do that we have created a Lambda to insert the logs in DynamoDb database. We need this Lambda to be called from a common place every time we call an API from frontend of the application instead of invoking it in each and every individual lambdas.
We tried invoking this in the API Gateway Authorizer but it doesn't work because our gateway authorizer is of type 'Token'. So, it does not accept any other parameters than access token. We cannot change the type of custom authorizer to type 'Request' because we need access token to be present for authorizing user in Cognito.
Question:
Is there any place where we can invoke this Logs Lambda so that it executes when each API is called?
Your last paragraph makes no sense but typically the best way to do this is streaming, as this minimises the amount of Lambda invocations you need to make.
You can stream API Access logs which contain things like the path, current time, principal to a cloudwatch log streams, or a lambda.
In this lambda you can do your custom logging logic there. If you have other sources which will have different types of events you may need to use Kinesis directly for streaming.
try using a different event trigger. If your lambda can get triggered by a queue or cloudfront you won't have authorization problems. however your application has to assume a suitable role to use some of these. If you're using Java, you can intercept your request in many ways and make the lambda call via SDK before processing the API. Need more details to provide a holistic solution.
Related
I'm using serverless framework to enable hosting my functions on AWS Lambdas. For development, I'm using Kotlin.
Since I wanted to re-use resources ( like DB connection ) by a particular lambda, I have grouped apis which have the same handler function. Like all /posts related apis will be handled by PostHandler. Internally, based on routeKey, I'm assigning requests to concerned functions.
This means that for all /posts endpoints ( like GET /posts/{id}, POST /posts etc.) they all get logged to the same CloudWatch log group. This was becoming a problem. Since I was using an API Gateway, I also enable access logging at API Gateway level. This resolved my issue when I'm directly hitting an api.
However, I also have a service which would like to call these lambdas directly ( it could be lambda of that service invoking lambdas of my service or an EC2/ECS instance invoking lambdas of my service ). In this case, we would directly be using lambdas and no ApiGateway is involved. How can I maintain logging for different endpoints in this case?
It's hard to tell what the actual question is, I think you're saying that it's hard to differentiate between the different use cases and requests?
I would recommend using structured logs (logging as JSON) and then using CloudWatch Logs Insights to query for the specific information you need. For example, you could log a request-id with each message and then query on the request-id later. You could also do the same with a shared id between other services which would give you end-to-end log visibility.
I am trying to orchestrate UI calls using step function with the minimal impact. Currently I have a lambda function that can be called using different URLs via API gateway, for instance, following URLs are used to call the same lambda:
http://base.url/orders/get/order/{userid}
http://base.url/orders/get/allorders/
I know that it isn't a best practice for lambdas, but we have what we have. Now I need to add a step function between API gateway and lambda to orchestrate calls. I need step function to be able to call step function using these urls, but I cannot understand how to do that.
Here are some links that I already checked:
https://docs.aws.amazon.com/step-functions/latest/dg/concepts-input-output-filtering.html
https://docs.aws.amazon.com/step-functions/latest/dg/amazon-states-language-paths.html
https://docs.aws.amazon.com/step-functions/latest/dg/connect-parameters.html
Is there a way to do what I need to do?
It sounds like you just need to format the message to the lambda in a way that looks like what would be coming from the API Gateway. If that's the case you can see what an API Gateway request would look like by selecting Amazon API Gateway AWS Proxy from the lambda test events in the console. From there you should be able to modify the payload to match your needs.
I have a REST API built using API Gateway with a couple of methods. I need to run a POST request on a method /generate-stats once a week. I currently call this method through the AWS console by pasting a request body into the "Test" feature that exists in API Gateway under the Method Execution flowchart.
How would I go about automating this call? Would a lambda that runs once a week be the simplest solution? Ideally I can store the response or trigger an alarm if the request fails.
If you want to automate a request to happen once a week you would want to look at using Amazon EventBridge.
The service itself supports either being triggered by an event (such as a new PutObject into S3 or an instance being launched) or can run based on a schedule. You would want to use the latter to set a cron expression for running this.
The next part of the rule is the target which in this case are a couple of approaches.
API Gateway requests are a supported target from within the event. If the supported functionality with EventBridge is suitable for you then you will be able to perform the request directly without any additional services.
If additional functionality is required you would need to create a Lambda function that could perform the request to API Gateway. This Lambda would then be the trigger for the event leading to the same functionality being performed.
You can build a Lambda function that can use code to perform a POST request. Then you can use scheduled events to schedule when the Lambda function will be invoked. Using a CRON expression, you can schedule your Lambda to fire once a week. For details, see:
Schedule AWS Lambda Functions Using CloudWatch Events
I am developing a simple Lambda function on AWS to get and put data into Dynamo DB. I wanted to call this function from the Windows Client desktop application. My question is, do I really need AWS Gateway API here or can I call the lambda function directly using AWS SDK?
You can use invoke() to directly execute an AWS Lambda function from an AWS SDK. You can also pass it a payload, which will be accessible within the function.
Here is a syntax example in Python:
response = client.invoke(
ClientContext='MyApp',
FunctionName='MyFunction',
InvocationType='Event',
LogType='Tail',
Payload='fileb://file-path/input.json',
Qualifier='1',
)
You need API Gateway if you want to create REST APIs that mobile and web applications can use to call publicly available AWS services (through code running in AWS Lambda).
You can synchronous invoke your Lambda functions. This can be accomplished through a variety of options, including using the CLI or any of the supported SDKs. Note the invocation-type should be RequestResponse aws blog
bash command using aws cli
aws lambda invoke —function-name MyLambdaFunction —invocation-type RequestResponse —payload “JSON string here”
sdk python call. configuration
invoke_resp = LAMBDA_CLIENT.invoke(
FunctionName='function_name',
InvocationType='RequestResponse',
Payload='payload')
If you want to invoke the lambda asynchronous Invocation-type flag should be Event
aws lambda invoke —function-name MyLambdaFunction —invocation-type Event —payload “JSON string here”
I don't have much information from your use case. I have to assume something here.
You don't need to wait for the response back from Lambda
So you can use async call through SNS or SQS and then put your Lambda subscribed for either SNS or SQS. You can research more to choose between SNS and SQS, depends on your use case
If you need to wait for the response back from Lambda
If you want to share the Lambda's feature outside your organization, you can use API Gateway to do so, it means you still keep Lambda inside but expose an API through API Gateway to outside for usage.
If you don't want to share the Lambda's feature outside, like previous answers, you can use invoke command/sdk to achieve the result.
If I have more information from your use case, maybe the answer can be more accurate.
I want to publish my application and provide lambdas to other so that I want that on exporting the lambda package no one can get the lambda code.
You should create an API Gateway which will connect the application to your Lambda code. Give that API endpoint URL to the others and they will call your Lambda function through that. This way they cannot know what's going on in your Lambda code.
Ideal way is to use API gateway and use it as trigger for your Lambda and share that endpoint to the users.
However if you don't want that you should probably consider cross account access with cross account role (give permission to execute just the Lamnda you want to expose & setup trust relationship) . Let them assume this role and call this lambda.