In AWS API Gateway I am trying to deploy an API to a new stage, and I'm getting the error "An unknown error occurred". I am assuming it is most likely because of permissions, but I have API Gateway administrator permissions.
How do I find out exactly which permissions are missing? Does AWS API Gateway log any deployment-related events? Where do I find what's going on?
Answering your question about API Gateway deployment events, below are the typical steps I take to find out what's happening.
Any operation you perform on Console or SDK is essentially calling AWS APIs.
For Console failures, you can always check on the client side by going to the Developer Tools provided by browsers. Typically F12 key --> Network tab, replicate the issue and see which AWS endpoint gave an error, or go to the Console tab and see any JavaScript errors logged.
If I am still not able to determine the cause, I enable CloudTrail logs and see which user and which API call gave any error responses for which operation. CloudTrail Guide to ApiGateway.
If there is a specific role or policy issue, I use the Policy Simulator to test policies for the role once permissions are added.
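As an added illustration of the CloudTrail step above (this is example code, not part of the original answer): once a trail is enabled, the records can be scanned offline for calls that came back with an error code, and an AccessDenied message names the exact IAM action that was missing. The records below are constructed sample data in the CloudTrail JSON record shape; the account id, ARNs and API id are placeholders.

```javascript
// Added example: scan CloudTrail records for failed API calls and summarize
// which principal was denied which IAM action. Constructed sample records;
// account id, ARNs and API id are placeholders, not real resources.
const sampleTrail = {
  Records: [
    {
      eventTime: "2023-01-01T10:00:00Z",
      eventSource: "apigateway.amazonaws.com",
      eventName: "CreateDeployment",
      userIdentity: { type: "IAMUser", arn: "arn:aws:iam::123456789012:user/dev" },
      errorCode: "AccessDenied",
      errorMessage:
        "User: arn:aws:iam::123456789012:user/dev is not authorized to perform: apigateway:POST on resource: arn:aws:apigateway:us-east-1::/restapis/abc123/deployments",
      requestParameters: { restApiId: "abc123", stageName: "prod" },
    },
    {
      // a successful call carries no errorCode field at all
      eventTime: "2023-01-01T10:01:00Z",
      eventSource: "apigateway.amazonaws.com",
      eventName: "GetRestApis",
      userIdentity: { type: "IAMUser", arn: "arn:aws:iam::123456789012:user/dev" },
    },
    {
      eventTime: "2023-01-01T10:02:00Z",
      eventSource: "logs.amazonaws.com",
      eventName: "CreateLogGroup",
      userIdentity: { type: "AssumedRole", arn: "arn:aws:sts::123456789012:assumed-role/ApiGwCloudWatchRole/session" },
      errorCode: "AccessDenied",
      errorMessage:
        "User: arn:aws:sts::123456789012:assumed-role/ApiGwCloudWatchRole/session is not authorized to perform: logs:CreateLogGroup on resource: arn:aws:logs:us-east-1:123456789012:log-group:API-Gateway-Execution-Logs_abc123/prod:log-stream:",
    },
  ],
};

// Pull the IAM action out of an AccessDenied message when one is present.
// For API Gateway the CloudTrail eventName (CreateDeployment) is not the IAM
// action (apigateway:POST), so the message is the reliable source.
function missingActionFrom(message) {
  const m = /not authorized to perform: (\S+)/.exec(message || "");
  return m ? m[1] : null;
}

// Every record that carries an errorCode, reduced to the fields that matter.
function failedCalls(trail) {
  return trail.Records
    .filter((r) => r.errorCode !== undefined)
    .map((r) => ({
      time: r.eventTime,
      principal: r.userIdentity ? r.userIdentity.arn : "(unknown)",
      call: `${r.eventSource}:${r.eventName}`,
      errorCode: r.errorCode,
      missingAction: missingActionFrom(r.errorMessage),
    }));
}

// principal ARN -> sorted list of IAM actions it was denied
function deniedActionsByPrincipal(failed) {
  const acc = new Map();
  for (const f of failed) {
    if (f.errorCode !== "AccessDenied" || !f.missingAction) continue;
    if (!acc.has(f.principal)) acc.set(f.principal, new Set());
    acc.get(f.principal).add(f.missingAction);
  }
  return Object.fromEntries([...acc].map(([p, s]) => [p, [...s].sort()]));
}

console.log(JSON.stringify(deniedActionsByPrincipal(failedCalls(sampleTrail)), null, 2));
```

In practice the records come from the trail's S3 delivery or from `aws cloudtrail lookup-events`; note that delivery lags the call by several minutes, so a just-reproduced failure may not be visible immediately.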
I am trying to debug a pipeline failing one of its actions with a 403 error.
I am going to CloudTrail to find more detail about the action, but I cannot find the event linked to the request. When I search in CloudTrail for the request id, it gives me nothing.
I am in only one region and only one account.
I believe all actions are supposed to be logged in CloudTrail, especially the ones with errors; am I wrong?
Do I need to configure some service to actually turn on events sent to CloudTrail?
Am I missing something?
CloudTrail is not a tool used for troubleshooting. Essentially it's an auditing tool that records changes to resources in your AWS accounts.
What is your pipeline built on? If it's on CodePipeline, you should be able to view the details on the console, and you can configure it to send the pipeline logs to CloudWatch. Additionally, CloudTrail should record the API calls made by CodePipeline as well, although it may not be detailed enough to actually troubleshoot an error - https://docs.aws.amazon.com/codepipeline/latest/userguide/monitoring-cloudtrail-logs.html
I'm trying to create an AWS API; however, I got the following error, Network Failure, after pressing the create button. What might be the issue? Thanks in advance.
I have created a React application to upload a file to an S3 bucket. To do this, I have created a PUT API in AWS API Gateway, and the API is working well in Postman. The problem is, when I call the API from my React application locally (http://localhost:3000), I'm getting a CORS error from the PUT request and a 403 error from the OPTIONS request (preflight). How can I solve this?
Here is the bucket policy
Here is the Bucket CORS Policy
Here are the Enable CORS settings of the API in the API Gateway
The Output
Your bucket policy does not allow the putObject method. CORS errors can be seen when some unrelated errors happen. I encourage you to enable INFO logging for API Gateway and check what exactly happens. Share the logs and it will be easier to tell.
To enable INFO logging for API Gateway, go to API -> Settings -> add a CloudWatch log role ARN which has permission to write into CloudWatch Logs. Then enable full INFO logs. You will find the logs inside CloudWatch Logs.
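To make the bucket-policy point above concrete, here is an added example (not code from the question or the answer) that evaluates whether an S3 bucket policy grants a given action on a given object ARN, following the core IAM rule that an explicit Deny beats any Allow and that no matching Allow means the request is denied. The two policy documents, the bucket name, account id and role ARN are constructed placeholders standing in for the asker's real policy; `NotAction`, `NotResource` and `Condition` are not handled.

```javascript
// Added example: minimal evaluator for S3 bucket policy statements.
// Bucket name, account id and role ARN below are constructed placeholders.
const bucketArn = "arn:aws:s3:::example-upload-bucket";
const apiRole = "arn:aws:iam::123456789012:role/ApiGatewayS3Role";

// Assumption: a read-only policy of the kind the answer suspects (no PutObject).
const policyReadOnly = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "AllowRead", Effect: "Allow", Principal: "*",
      Action: "s3:GetObject", Resource: `${bucketArn}/*` },
  ],
};

// Corrected policy: uploads allowed for the API's role under one prefix only,
// with an explicit Deny on a sub-prefix to show that Deny wins over Allow.
const policyFixed = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "AllowRead", Effect: "Allow", Principal: "*",
      Action: "s3:GetObject", Resource: `${bucketArn}/*` },
    { Sid: "AllowUploadFromApiRole", Effect: "Allow", Principal: { AWS: apiRole },
      Action: ["s3:PutObject"], Resource: `${bucketArn}/uploads/*` },
    { Sid: "DenyWriteToQuarantine", Effect: "Deny", Principal: "*",
      Action: "s3:PutObject", Resource: `${bucketArn}/uploads/quarantine/*` },
  ],
};

// IAM wildcards: * matches any run, ? matches one character.
// Action names are case-insensitive; resource ARNs are case-sensitive.
function patternToRegex(pattern, caseInsensitive) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, caseInsensitive ? "i" : "");
}

const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

function principalMatches(stmtPrincipal, principalArn) {
  if (stmtPrincipal === "*") return true;
  if (stmtPrincipal && stmtPrincipal.AWS !== undefined) {
    return asList(stmtPrincipal.AWS).some((p) => p === "*" || p === principalArn);
  }
  return false; // Service/Federated principals not modelled here
}

function statementMatches(stmt, principalArn, action, resource) {
  return principalMatches(stmt.Principal, principalArn)
    && asList(stmt.Action).some((a) => patternToRegex(a, true).test(action))
    && asList(stmt.Resource).some((r) => patternToRegex(r, false).test(resource));
}

// Explicit Deny anywhere -> denied; otherwise allowed only if some Allow matches.
function isAllowed(policy, principalArn, action, resource) {
  const matching = policy.Statement.filter((s) => statementMatches(s, principalArn, action, resource));
  if (matching.some((s) => s.Effect === "Deny")) return false;
  return matching.some((s) => s.Effect === "Allow");
}

const photo = `${bucketArn}/uploads/photo.png`;
console.log("read-only policy, PutObject:", isAllowed(policyReadOnly, apiRole, "s3:PutObject", photo));
console.log("fixed policy, PutObject:    ", isAllowed(policyFixed, apiRole, "s3:PutObject", photo));
```

The first line printed is `false`, which is the situation the answer describes: the browser reports it as a CORS failure because the 403 response from the backend carries no CORS headers, but the root cause is the missing `s3:PutObject` grant.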
I have a service to service set up that I completed using the google cloud tutorial (https://cloud.google.com/run/docs/authenticating/service-to-service#nodejs)
Changed the cloudrun Service account to have roles/run.invoker (they both share the same role)
Make a request to get the access token: http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=https://XXXX-XXXX-XXXX-xx.a.run.app
(failing) Use that access token to make a request at https://XXXX-XXXX-XXXX-xx.a.run.app/my-endpoint with the access token: axios.post('https://XXXX-XXXX-XXXX-xx.a.run.app/my-endpoint', {myData}, {headers: {Authorization: 'Bearer eyJhbGciOiJSUz.....'}})
However, on step 3, making the call to my service, I receive a 403 error, any thoughts on what I missed?
Note: I have tried deploying my invoked service with --allow-unauthenticated and without it. I am not using a custom domain, I am using the CloudRun created url.
PS: If I change the ingress from internal and load balancer to all it works, however I'm not sure if this is correct to do.
The HTTP 403 Forbidden error message when accessing your Cloud Run service means that your client is not authorized to invoke this service.
You have not granted the service account permission to call the receiving service. Your question states that you added roles/run.invoker but the error message indicates you did not complete this step correctly.
Go to the Google Cloud Console.
Select the receiving service (this is the Cloud Run service you are calling).
Click Show Info Panel in the top right corner to show the Permissions tab.
In the Add members field, enter the identity of the calling service.
Select the Cloud Run Invoker role from the Select a role drop-down menu.
Click Add.
Note: When requesting the Identity Token, do not specify the custom domain. Your question's wording is confusing on that point.
[UPDATE]
The OP has enabled internal and load balancer. This requires setting up Serverless VPC Access.
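The flow in the question (fetch an identity token from the metadata server with the receiving service's URL as the audience, then send it as a Bearer token) has two client-side checks that can be done offline before blaming IAM. The following is an added example, not code from the question, the answer or the Google tutorial: it builds the metadata-server request (the `Metadata-Flavor: Google` header is what the metadata server requires) and decodes the returned JWT to confirm its `aud` matches the origin actually being called and that it has not expired. The token is a constructed, unsigned sample and the service URL is a placeholder; the signature is not verified here, Cloud Run does that on the receiving side.

```javascript
// Added example: sanity checks for a Cloud Run service-to-service identity token.
// RECEIVING_SERVICE_URL is a placeholder; the sample token is constructed and unsigned.
const RECEIVING_SERVICE_URL = "https://receiver-abc123-uc.a.run.app";

// The metadata-server request from the flow in the question. The audience must be
// the receiving service's URL (no path, no custom domain).
function identityTokenRequest(audience) {
  const url = new URL("http://metadata/computeMetadata/v1/instance/service-accounts/default/identity");
  url.searchParams.set("audience", audience);
  return { method: "GET", url: url.toString(), headers: { "Metadata-Flavor": "Google" } };
}

function base64urlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(b64, "base64").toString("utf8");
}

function base64urlEncode(s) {
  return Buffer.from(s, "utf8").toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode only; no signature check (the receiving service verifies the signature).
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(base64urlDecode(parts[1]));
}

// Problems that produce a 403 before IAM is even consulted: wrong audience,
// expired token, or a token that did not come from Google's issuer.
function checkIdentityToken(token, targetUrl, nowSeconds = Math.floor(Date.now() / 1000)) {
  const p = decodeJwtPayload(token);
  const problems = [];
  const origin = new URL(targetUrl).origin;
  const aud = Array.isArray(p.aud) ? p.aud : [p.aud];
  if (!aud.includes(origin)) problems.push(`aud ${JSON.stringify(p.aud)} does not match ${origin}`);
  if (p.exp !== undefined && p.exp <= nowSeconds) problems.push("token expired");
  if (p.iss !== "https://accounts.google.com") problems.push(`unexpected issuer ${p.iss}`);
  return { ok: problems.length === 0, problems, callerEmail: p.email };
}

// Constructed sample token: real header/payload encoding, dummy signature.
function makeSampleToken(payload) {
  const header = base64urlEncode(JSON.stringify({ alg: "RS256", typ: "JWT", kid: "sample-kid" }));
  return `${header}.${base64urlEncode(JSON.stringify(payload))}.c2lnbmF0dXJl`;
}

const sample = makeSampleToken({
  aud: RECEIVING_SERVICE_URL,
  iss: "https://accounts.google.com",
  exp: 2000000000,
  email: "caller-sa@example-project.iam.gserviceaccount.com", // placeholder caller SA
});
console.log(identityTokenRequest(RECEIVING_SERVICE_URL));
console.log(checkIdentityToken(sample, `${RECEIVING_SERVICE_URL}/my-endpoint`));
```

If `checkIdentityToken` reports no problems and the call still returns 403, the remaining causes are the ones the answer lists: the caller's service account lacks the Cloud Run Invoker role on the receiving service, or the ingress setting blocks the path the request takes.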
Connecting to a VPC network
The solution was to add a VPC Connector and route all traffic through it. I added this to the deploy script: --vpc-egress all-traffic. Originally I had --vpc-egress private-ranges-only to connect to Redis Memorystore; however, this was insufficient to connect to my other service (internal-only ingress).
Credit to excellent insight from #JohnHanley and #GuillaumeBlaquiere
Interesting Note About NodeJS: My container wouldn't start when I switched the --vpc-egress to all-traffic, and I had no idea why because there were no logs. It turns out running node v16.2 caused some weird issues with --vpc-egress all-traffic that I couldn't debug, so downgrading to 14.7 allowed the container to start.
I have an Android application that uses the AWS Cognito API to sign up users.
Sometimes, the sign-up process can fail (for example, if the user enters an invalid password). In this case, an error message is shown in the application.
But eventually I can't reach the user to understand the causes of the error. So I'm asking if there is a way to check failed sign-up requests in some service panel provided by the AWS Console. I tried CloudTrail, but it doesn't appear to have any record of those requests. Also, there is no trigger like "post-signup" from which I can retrieve the return status of a Cognito operation (although I have a pre-signup trigger that executes with no errors).
Can anyone help me with this issue? Thanks in advance!