AWS API Gateway WebSocket Connection Error - amazon-web-services

I created an API with AWS API Gateway and Lambda that is the same as 'https://github.com/aws-samples/simple-websockets-chat-app'. But the API is not working correctly. I get an error when I try to connect. Its message is "WebSocket connection to 'wss://b91xftxta9.execute-api.eu-west-1.amazonaws.com/dev' failed: Error during WebSocket handshake: Unexpected response code: 500"
My connection code:
var ws = new WebSocket("wss://b91xftxta9.execute-api.eu-west-1.amazonaws.com/dev");
ws.onopen = function (d) {
    console.log(d);
};

Try adding $context.error.validationErrorString and $context.integrationErrorMessage to the logs for the stage.
I added a bunch of stuff to the Log Format section, like this:
{ "requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
"requestTime":"$context.requestTime", "httpMethod":"$context.httpMethod",
"routeKey":"$context.routeKey", "status":"$context.status",
"protocol":"$context.protocol", "errorMessage":"$context.error.message",
"path":"$context.path",
"authorizerPrincipalId":"$context.authorizer.principalId",
"user":"$context.identity.user", "caller":"$context.identity.caller",
"validationErrorString":"$context.error.validationErrorString",
"errorResponseType":"$context.error.responseType",
"integrationErrorMessage":"$context.integrationErrorMessage",
"responseLength":"$context.responseLength" }
In early development this allowed me to see this type of error:
{
    "requestId": "QDu0QiP3oANFPZv=",
    "ip": "76.54.32.210",
    "requestTime": "21/Jul/2020:21:37:31 +0000",
    "httpMethod": "POST",
    "routeKey": "$default",
    "status": "500",
    "protocol": "HTTP/1.1",
    "integrationErrorMessage": "The IAM role configured on the integration or API Gateway doesn't have permissions to call the integration. Check the permissions and try again.",
    "responseLength": "35"
}
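A small triage pass over logs in the format above, as an added example that is not part of the original answer: it reads JSON access-log records and plain-text execution-log lines, and maps the two error messages quoted on this page to the fix each answer applied. The sample lines, request ids and role ARN are constructed.

```python
import json

# Substrings of the two error messages quoted on this page, mapped to the fix
# each answer applied. Matching on substrings is an assumption of this example.
HINTS = {
    "doesn't have permissions to call the integration":
        "check the permissions API Gateway has to call the integration",
    "does not have permission to assume the provided role":
        "add API Gateway to the role's trust relationships",
}
ERROR_FIELDS = ("integrationErrorMessage", "validationErrorString", "errorMessage")

def triage(log_lines):
    """Return (source, hint) for each failed request found in the log lines."""
    findings = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            entry = None
        if isinstance(entry, dict):  # access-log record in the JSON format above
            if not str(entry.get("status", "")).startswith("5"):
                continue
            # Treat "-" (logged for a context variable with no value) as empty.
            values = [entry.get(k, "-") for k in ERROR_FIELDS]
            text = " ".join(v for v in values if v != "-")
            source = entry.get("requestId", "unknown")
        else:  # plain-text execution-log line
            text, source = line, "execution-log"
        hint = next((h for needle, h in HINTS.items() if needle in text), None)
        if hint is None and source == "execution-log":
            continue  # ordinary execution-log output, nothing to report
        findings.append((source, hint or "unclassified: " + (text or "no error text logged")))
    return findings

# Constructed sample input: request ids, role ARN and the last line are made up.
SAMPLE = [
    json.dumps({"requestId": "req-1", "routeKey": "$connect", "status": "500",
                "integrationErrorMessage": "The IAM role configured on the integration "
                "or API Gateway doesn't have permissions to call the integration. "
                "Check the permissions and try again.", "errorMessage": "-"}),
    json.dumps({"requestId": "req-2", "routeKey": "$connect", "status": "200",
                "integrationErrorMessage": "-"}),
    json.dumps({"requestId": "req-3", "routeKey": "$default", "status": "500",
                "integrationErrorMessage": "-", "errorMessage": "-"}),
    "(req-4) Execution failed due to configuration error: API Gateway does not have "
    "permission to assume the provided role arn:aws:iam::123456789012:role/example",
    "(req-5) Starting execution for request: req-5",
]
```

Calling triage(SAMPLE) reports req-1, req-3 and the execution-log line; the 200 record and the ordinary execution-log line are skipped.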

Try using wscat -c wss://b91xftxta9.execute-api.eu-west-1.amazonaws.com/dev in a terminal. This should allow you to connect to it. If you don't have wscat installed, just do npm install -g wscat

To get more details, enable logging for your API: Stages -> Logs/Tracing -> CloudWatch Settings -> Enable CloudWatch Logs. Then, send a connection request again and monitor your API logs in CloudWatch. In my case, I had the next error:
Execution failed due to configuration error: API Gateway does not have permission to assume the provided role {arn_of_my_role}
So, I added API Gateway to my role's Trust Relationships, as it's mentioned here and it fixed the problem.

Related

How to execute workflow from gcp cloud tasks

I'm trying to execute a workflow from Cloud Tasks but immediately getting a 401 error.
Here is the code to enqueue the task:
req := &taskspb.CreateTaskRequest{
    Parent: fmt.Sprintf("projects/%v/locations/us-central1/queues/myqueue", projectID),
    Task: &taskspb.Task{
        PayloadType: &taskspb.Task_HttpRequest{
            HttpRequest: &taskspb.HttpRequest{
                HttpMethod: taskspb.HttpMethod_POST,
                Url: fmt.Sprintf("https://workflowexecutions.googleapis.com/v1/projects/%v/locations/us-central1/workflows/myworkflow/executions", projectID),
                Body: bodyJson,
                AuthorizationHeader: &taskspb.HttpRequest_OidcToken{
                    OidcToken: &taskspb.OidcToken{
                        ServiceAccountEmail: serviceAccount,
                    },
                },
            },
        },
    },
}
_, err = client.CreateTask(ctx, req)
UNAUTHENTICATED 401 error:
The service account I'm using has the workflow invoker permission.
What am I missing here?
The "Unauthorized" error indicates that the service account you are utilizing lacks the authorizations required to access the Workflow Executions API. Do check the service account you're using has the proper permissions to access the Workflow Executions API. Make sure the service account is set up successfully and has the relevant authentication information. Create the service account with the "Compute Engine default service account" role, and then enable it.

How do I resolve this error "message": "Endpoint request timed out" when deploying a Django application to AWS via lambda?

I'm deploying my Django application (backend) to AWS via lambda, but each time I deploy and get the live link, I get the error below:
{
"message": "Endpoint request timed out"
}
I have configured the VPC. I have also set the "timeout_seconds": 900, which is the max time that AWS Lambda supports. But the error persists.
How can I resolve this, please?

How can I send request to API Gateway via websocket?

I created an API Gateway with WebSocket. And I added request/response integration to my lambda in the $connect route. Then I deployed the API to staging and I can see there is a wss and https URL generated on the staging page.
Then I am using wscat command to test the websocket connection:
wscat -c wss://xxxx.execute-api.ap-southeast-2.amazonaws.com/dev
But I get an error response: error: Unexpected server response: 500.
I don't have any authentication on the API. And I have checked my lambda log, it is not called. That means the request failed on API gateway. What could be the error in my API Gateway?
The lambda you're integrating the $connect route to needs permission to be invoked by apigateway.
Add the following permission:
Principal: apigateway.amazonaws.com
Effect: Allow
Action: lambda:InvokeFunction
Also enable CloudWatch logs for API Gateway to get a better idea of what's going on if it's failing before hitting your lambda.
Stages -> Logs/Tracing -> CloudWatch Settings -> Enable CloudWatch Logs
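The permission above and the trust-relationship fix from the first question can both be checked offline against the policy documents. This is an added example, not from the answers: the policy documents, account id and API id are constructed placeholders, and the aws:SourceArn check is an extra hardening check that the answer does not mention.

```python
from fnmatch import fnmatchcase

SERVICE = "apigateway.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants(policy_doc, action):
    """Allow statements in a policy document that give SERVICE the action."""
    found = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if (stmt.get("Effect") == "Allow" and SERVICE in services
                and any(fnmatchcase(action.lower(), p) for p in patterns)):
            found.append(stmt)
    return found

def check_role_trust(trust_policy):
    """Problem list for the role API Gateway is configured to assume."""
    if _grants(trust_policy, "sts:AssumeRole"):
        return []
    return [f"{SERVICE} is missing from the role's trust relationships"]

def check_function_policy(resource_policy):
    """Problem list for the Lambda function's resource-based policy."""
    grants = _grants(resource_policy, "lambda:InvokeFunction")
    if not grants:
        return [f"{SERVICE} is not allowed lambda:InvokeFunction"]
    # Condition keys are case-insensitive, so compare in lower case.
    if not any("aws:sourcearn" in str(g.get("Condition", {})).lower() for g in grants):
        return ["permission is not limited to one API with an aws:SourceArn condition"]
    return []

# Constructed policy documents (account id, API id and statements are placeholders).
def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

TRUST_BEFORE = policy({"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"Service": "lambda.amazonaws.com"}})
TRUST_AFTER = policy({"Effect": "Allow", "Action": "sts:AssumeRole",
                      "Principal": {"Service": ["lambda.amazonaws.com", SERVICE]}})
INVOKE = {"Effect": "Allow", "Action": "lambda:InvokeFunction",
          "Principal": {"Service": SERVICE}}
SCOPED = dict(INVOKE, Condition={"ArnLike": {"AWS:SourceArn":
              "arn:aws:execute-api:eu-west-1:123456789012:EXAMPLEAPI/*/$connect"}})
```

Each check returns an empty list when the document passes, so the same functions can run over a saved trust policy or function policy before a deployment.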

AWS Appsync Http resolver for IOT device shadow

I'm trying (in vain) to get a device shadow through AppSync HTTP resolvers.
{
    "version": "2018-05-29",
    "method": "GET",
    "resourcePath": "/things/${ctx.args.id}/shadow",
    "params": {
        "headers": $utils.toJson($utils.http.copyHeaders($ctx.request.headers))
    }
}
All I'm managing to get as a response is "Credential should be scoped to correct service"
I can see that the Authorization header for the call contains
"Credential = ---/---/eu-west-1/appsync/aws4_request"
When I call GET "deviceShadow" as REST in my application today (which works), the same values are
"Credential = ---/---/eu-west-1/iotdata/aws4_request"
So it seems like appsync is being set as the service and that is messing up the call?
Any tips how to get this working?
I think you'll need to add a role and IAM signing configuration to the Data Source. Perform the following steps with the AWS CLI.
Attach an IAM role to the data source that grants the appropriate permissions to call the IoT Device Shadow operations. I think it's iot:GetThingShadow for this example.
Add an IAM configuration section to the AWS AppSync Data Source. This is NOT the resolver template.
{
    "endpoint": "https://<iot-endpoint>",
    "authorizationConfig": {
        "authorizationType": "AWS_IAM",
        "awsIamConfig": {
            "signingRegion": "eu-west-1",
            "signingServiceName": "iot"
        }
    }
}
When AWS AppSync invokes your resolver, it will generate a SigV4 signature using the attached role and call the AWS IoT Device Shadow service. Try this out.

Message":"User: anonymous is not authorized to perform: iam:PassRole

I am following the link below for "Use Amazon S3 to Store a Single Amazon Elasticsearch Service Index"
https://aws.amazon.com/blogs/database/use-amazon-s3-to-store-a-single-amazon-elasticsearch-service-index/
When I am trying
curl -XPUT 'http://localhost:9200/_snapshot/snapshot-repository' -d'{
    "type": "s3",
    "settings": {
        "bucket": "es-s3-repository",
        "region": "us-west-2",
        "role_arn": "arn:aws:iam::123456789012:role/es-s3-repository"
    }
}'
with updated bucket, region and role_arn, but I am getting the error below
{"Message":"User: anonymous is not authorized to perform: iam:PassRole on resource: arn:aws:iam...}
To resolve this issue, I also followed this link https://aws.amazon.com/premiumsupport/knowledge-center/anonymous-not-authorized-elasticsearch/ but it is still not working.
You need to sign your requests to AWS Elasticsearch. The blog post that you linked describes using a proxy server to create the signature, did you do that?
As an alternative to using such a proxy server with curl, you can make the requests from a program. The AWS Elasticsearch docs give you an example in Python, with a link to a Java client.
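Signing a request means binding it to a SigV4 credential scope, which is also what the AppSync question above ran into ("Credential should be scoped to correct service"). This is an added example, not from the post or the AWS docs: it signs the snapshot PUT for service es and parses the scope back out of an Authorization value; the host is a constructed placeholder and the keys are the example keys from AWS documentation.

```python
import datetime
import hashlib
import hmac
import json
import re

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign(method, host, path, body, region, service, access_key, secret_key, now):
    """Return the headers of a SigV4-signed request (no query string)."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    day = amz_date[:8]
    payload_hash = hashlib.sha256(body.encode()).hexdigest()
    headers = {"host": host, "x-amz-date": amz_date}
    names = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, path, "", canonical_headers, names, payload_hash])
    # The credential scope names the region and service the signature is valid for.
    scope = f"{day}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # The signing key is derived from the same scope parts, so a signature made
    # for one service name cannot verify for another.
    key = ("AWS4" + secret_key).encode()
    for part in (day, region, service, "aws4_request"):
        key = _hmac(key, part)
    signature = _hmac(key, string_to_sign).hex()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={names}, Signature={signature}")
    return headers

def scope_of(authorization):
    """Split the Credential element into (access_key, date, region, service)."""
    credential = re.search(r'Credential\s*=\s*([^,\s"]+)', authorization).group(1)
    access_key, day, region, service, _terminator = credential.split("/")
    return access_key, day, region, service

# Constructed inputs: placeholder host, AWS documentation example keys, fixed time.
NOW = datetime.datetime(2020, 7, 21, 21, 37, 31)
BODY = json.dumps({"type": "s3", "settings": {"bucket": "es-s3-repository",
       "region": "us-west-2", "role_arn": "arn:aws:iam::123456789012:role/es-s3-repository"}})
ARGS = ("PUT", "search-example.us-west-2.es.amazonaws.com",
        "/_snapshot/snapshot-repository", BODY, "us-west-2")
KEYS = ("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", NOW)

if __name__ == "__main__":
    print(sign(*ARGS, "es", *KEYS)["authorization"])
```

scope_of also accepts the Credential line as quoted in the AppSync question, which makes it easy to compare the service in a failing header with the one in a working call.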