Using multiple Lambda versions with AWS API Gateway - amazon-web-services

I have two versions of an AWS Lambda function. I wanted to attach it to two stages of API Gateway, dev and prod.
I created two aliases, dev and prod, for the two versions of the Lambda function. I created a stage variable called fname and provided the values dev and prod against them in the appropriate stages.
Against the Lambda function to be called in the Resources section, I provided the function name as stageTester:${stageVariables.fname} where stageTester is the name of my function.
It prompted me to attach permissions using AWS CLI. I ran the following command:
aws lambda add-permission --function-name arn:aws:lambda:ap-south-1:xxxxxxx:function:stageTester:dev --source-arn 'arn:aws:execute-api:ap-south-1:zzzzzz:aaaaaa/*/GET/stageTester' --principal apigateway.amazonaws.com --statement-id cxbxcx9bx5-68df-4x9d-96xd-9exb497xa934 --action lambda:InvokeFunction --profile lambdaUser --region ap-south-1
...and a similar one for prod. I expected that this would attach the permissions appropriately.
I completed the deployment and tried to invoke the API. However, I encountered Internal Server Error every time. In the Lambda function screen, against the trigger, I see the following error
The API with ID aaaaaa does not include a resource with path /stageTester having an integration arn:aws:lambda:ap-south-1:xxxxxxx:function:stageTester:dev on the GET method
Can someone help me with this issue?

Related

“Lambda function ARN must be in same account” while `aws apigateway put-integration`

I am trying to follow this otherwise excellent post to deploy a Java-based AWS lambda app. I'm scripting it out as instructed in that post. I receive the following error when calling aws apigateway put-integration:
An error occurred (BadRequestException) when calling the
PutIntegration operation: Lambda function ARN must be in same account
I'm trying to script the creation of an API gateway to a lambda function. Here's the full deploy.sh script. I have on my local machine the requisite AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_ACCOUNT_ID environment variables.
I don't know enough to understand what that error is telling me. AFAIK, the access secret and id and account ID are all from the same IAM user.
My AWS CLI Script
aws apigateway put-integration --region ap-south-1 --rest-api-id xxttj6inea --resource-id bgncc0 --http-method GET --type AWS --integration-http-method POST --uri arn:aws:apigateway:ap-south-1:lambda:path/2019-09-20/functions/arn:arn:aws:lambda:ap-south-1:***********:function:Hello/invocations
Thank you very much in advance for any ideas/help.
This error can happen because of two reasons:
Your AWS CLI settings are incorrect. I'll implore you to check the AWS CLI configuration file, and run test API calls for the same to verify if everything is set up appropriately.
Your Lambda function belongs in one account, and your REST API in API GW belongs in another account.
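A pre-flight check for the --uri value passed to put-integration, as an added example that is not part of the original question or answer: it verifies the URI shape and compares the account ID embedded in the Lambda ARN with the account you expect. The URIs and account IDs are constructed, and check_integration_uri is a hypothetical name.

```shell
#!/bin/sh
# Added example: validate an API Gateway -> Lambda integration URI before
# handing it to `aws apigateway put-integration`.
# All URIs and account IDs below are constructed sample values.
GOOD_URI='arn:aws:apigateway:ap-south-1:lambda:path/2015-03-31/functions/arn:aws:lambda:ap-south-1:123456789012:function:Hello/invocations'
DOUBLE_ARN_URI='arn:aws:apigateway:ap-south-1:lambda:path/2015-03-31/functions/arn:arn:aws:lambda:ap-south-1:123456789012:function:Hello/invocations'
WRONG_VERSION_URI='arn:aws:apigateway:ap-south-1:lambda:path/2019-09-20/functions/arn:aws:lambda:ap-south-1:123456789012:function:Hello/invocations'

# check_integration_uri URI EXPECTED_ACCOUNT
# Prints "ok" or a short reason; exit status is non-zero on any problem.
check_integration_uri() (
    uri=$1
    expected_account=$2
    prefix='arn:aws:apigateway:'
    # The path segment is the Lambda Invoke API version, 2015-03-31.
    case $uri in
        "$prefix"*":lambda:path/2015-03-31/functions/"*"/invocations") ;;
        *) echo "bad-uri-shape"; exit 1 ;;
    esac
    # Keep only the Lambda ARN between ".../functions/" and "/invocations".
    fn_arn=${uri#*/functions/}
    fn_arn=${fn_arn%/invocations}
    # arn:aws:lambda:<region>:<12-digit account>:function:<name>[:<qualifier>]
    if ! printf '%s\n' "$fn_arn" | grep -Eq \
        '^arn:aws:lambda:[a-z0-9-]+:[0-9]{12}:function:[A-Za-z0-9_-]+(:[A-Za-z0-9_$-]+)?$'
    then
        echo "bad-lambda-arn"; exit 1
    fi
    # Field 5 of the ARN is the account that owns the function.
    account=$(printf '%s\n' "$fn_arn" | cut -d: -f5)
    if [ "$account" != "$expected_account" ]; then
        echo "account-mismatch"; exit 1
    fi
    echo "ok"
)

# Report on each constructed sample; "|| true" keeps the loop going on failures.
for sample in "$GOOD_URI" "$DOUBLE_ARN_URI" "$WRONG_VERSION_URI"; do
    printf '%s -> ' "$sample"
    check_integration_uri "$sample" 123456789012 || true
done
```

The expected account can be taken from `aws sts get-caller-identity --query Account --output text` for the profile that will run put-integration.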

AWS - "AccessDeniedException" calling lambda function from Amazon connect

I am new to the AWS API and system in general, and I'm currently working with three parts of AWS:
Connect
Lambda
Lex
I am trying to get Connect to call a Lambda function with a simple parameter, but I am getting this error in CloudWatch:
[image: cloudwatch]
I tried a Google search, but it seems that everyone thinks it is IAM related, even though I have a role with the right permissions:
[image: lambda role]
and detailed:
[image]
It looks like the trigger is already there.
Does anyone know why I can't invoke my Lambda function? Permissions should be fine, I think...
Thank you
You need to configure a "Trigger Policy" which allows AWS Connect to invoke your AWS Lambda.
You can configure it through the AWS CLI:
aws lambda add-permission --function-name function:my-lambda-function --statement-id 1 \
--principal connect.amazonaws.com --action lambda:InvokeFunction --source-account 123456789012 \
--source-arn arn:aws:connect:us-east-1:123456789012:instance/def1a4fc-ac9d-11e6-b582-06a0be38cccf
This command uses the following input:
The name of the Lambda function (for example, my-lambda-function)
The ARN of an Amazon Connect instance (for example, arn:aws:connect:us-east-1:123456789012:instance/def1a4fc-ac9d-11e6-b582-example). To find the ARN for your instance, open the Amazon Connect console, and then choose the Instance Alias to open the Overview page.
The AWS account ID for the Lambda function (for example, 123456789012)
For more details please check the Documentation: Using AWS Lambda Functions with Amazon Connect

How to allow access for AWS API Gateway to invoke all AWS Lambda functions in any path

I'm preparing a new AWS API Gateway for a few environments - production, staging, testing, development.
Let's say I have two lambda functions connected to the GET /first and GET /second. Those resources are pointing to the lambda first:${stageVariables.Qualifier} (this variable has proper environment value depending on stage).
Now I have to add permissions for API Gateway to invoke both functions. AWS says:
You defined your Lambda function as a stage variable. Please ensure that you have the appropriate Function Policy on all functions you will use. You can do this by running the below AWS CLI command for each function, replacing the stage variable in the function-name parameter with the necessary function name.
aws lambda add-permission \
  --function-name arn:aws:lambda:region:000...:function:first:${stageVariables.Qualifier} \
  --source-arn arn:aws:execute-api:region:00000:xxxx/*/GET/first \
  --principal apigateway.amazonaws.com \
  --statement-id 0000-000-0-... \
  --action lambda:InvokeFunction
So it's clear - I have to invoke this above command 8 times for each configuration:
first:development
first:testing
....
second:production
Is it possible somehow to add a general permission to allow invocation of any function in any qualifier with any path?
I'm aiming for something like this (but it doesn't work):
aws lambda add-permission \
  --function-name arn:aws:lambda:region:000...:function:*:* \
  --source-arn arn:aws:execute-api:region:00000:xxxx/*/*/* \
  --principal apigateway.amazonaws.com \
  --statement-id 0000-000-0-... \
  --action lambda:InvokeFunction

How to attach policy to a role while creating an AWS lambda function in nodejs in AWS CLI? Facing error while attaching role

I am creating a nodejs application and deploying it as a lambda function on AWS. I am following the link:
http://docs.aws.amazon.com/lambda/latest/dg/with-on-demand-https-example-create-iam-role.html
I am now stuck at step 2.2-2.3. Step 2.2 has the json with the policy that needs to be attached to the role. When I use the below command (step 2.3) to create the lambda function:
aws lambda create-function --region us-east-1 --function-name LambdaFunctionOverHttps --zip-file fileb://LambdaFunctionOverHttps.zip --role execution-role-arn --handler LambdaFunctionOverHttps.handler --runtime nodejs4.3
Then I get the below error:-
An error occurred (ValidationException) when calling the
CreateFunction operation: 1 validation error detected: Value
'execution-role-arn' at 'role' failed to satisfy constraint: Member
must satisfy regular expression pattern:
arn:aws:iam::\d{12}:role/?[a-zA-Z_0-9+=,.#-_/]+
I even created the file "execution-role-arn" which had the json from Step 2.2. How can I resolve this error and create the lambda function?
I faced the same error; it turns out you have to specify the Role ARN, not the Role name. So instead of --role roleName, put --role arn:aws:iam::1234567891:role/service-role/roleName. You can find your role ARN by clicking on the role name in the Roles tab, and then at the top you'll find the role ARN.
AWS really needs to fix their documentation for almost all of their services.
Update: The role needs to be replaced with the actual arn role name for the lambda function instead of a separate file. This can be found on the role you just created in step 2.2. So, the proper way to do this is as follows:
aws lambda create-function \
  --region us-east-1 \
  --function-name LambdaFunctionOverHttps \
  --zip-file fileb://LambdaFunctionOverHttps.zip \
  --role arn:aws:iam::9999999999999:role/lambda-gateway-execution-role \
  --handler LambdaFunctionOverHttps.handler \
  --runtime nodejs4.3
This worked out fine and the lambda function got created. Note that I had pointed the default profile to admin with the aws config command.

Lambda function -> Api Gateway stage variable permission manually

You defined your Lambda function as a stage variable; you must
manually give permissions to all the functions you will use. You can
do this by running the below AWS CLI command for each function,
replacing the stage variable in the function-name parameter with the
necessary function name.
aws lambda add-permission --function-name arn:aws:lambda:eu-west-1:12345:function:test${stageVariables.functionAlias} --source-arn arn:aws:execute-api:eu-west-1:12345:dsad667asd/*/GET/test/test --principal apigateway.amazonaws.com --statement-id d5a14508-22bb-4413-87c9-d9715e36435d --action lambda:InvokeFunction
I am getting this message and the suggestion to run this command. Unfortunately, it does not work here, throwing
zsh: bad substitution
with or without zsh. What I am looking for is a way to do this manually (using the AWS interface).
Thanks!
Did you leave the "${stageVariables.functionAlias}" in your command? The --function-name parameter of this command needs to be a valid fully-qualified or partial Lambda function ARN following the pattern of:
(arn:aws:lambda:[region]:[account-id]:function:)[function-name](:[function-alias])
Where region, account-id, function-name and function-alias are substituted as appropriate.
If your function is in the same account and region as the user issuing the command, and you simply want to refer to the $LATEST function version, specifying just the function name would be perfectly valid and save a few keystrokes:
aws lambda add-permission --function-name test --source-arn arn:aws:execute-api:eu-west-1:12345:dsad667asd/*/GET/test/test --principal apigateway.amazonaws.com --statement-id d5a14508-22bb-4413-87c9-d9715e36435d --action lambda:InvokeFunction
See this document on usage of the aws lambda add-permission CLI command: http://docs.aws.amazon.com/cli/latest/reference/lambda/add-permission.html
You need to replace ${stageVariables.functionAlias} in the command with your own Lambda function name.
Also, make sure the AWS environment variables are set up correctly in your bash.
It works for me.
What I did to figure this out, is I created the versions I needed, created aliases to each version. In my case I had Production pointing to Version 1, and Development pointing to $LATEST.
On the AWS CLI I changed the ${stageVariables.functionAlias} to the name of the alias, and performed that command for each alias.
I also referenced Using API Gateway Stage Variables. You can also look at the logs in CloudWatch for your endpoint and see which version/alias was called.
Hope this helps.
When a new function or new function alias is created, a permission must be added to enable the access to the API gateway. The way I do this is during the integration request, I enter the lambda function stage variable like:
${stageVariables.myFunctionName}
I run the command (shown by the console) on the CLI and replace the above variable with this format:
myFunctionName:myAliasName
Notice that if an alias was created, add the alias name after the function name separated by a single ":" colon
Note: You can get the function and alias name from the Lambda > Functions > Qualifiers options.
I hope this helps.
As of September 2022, I just followed the steps from this post and I can access the env variables through event.stageVariables in the lambda function. No need for any aws-cli manual configuration
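
The per-alias permission step described in the answers above, covering the eight function/alias combinations from the earlier stage-variable question, as an added example that is not part of any original post: it prints one add-permission command per function and alias, substituting the alias itself and single-quoting the ARNs so the shell never sees ${stageVariables...} or an unquoted *. The region, account ID, API ID and function/alias names are constructed, and permission_cmd and all_permission_cmds are hypothetical names.

```shell
#!/bin/sh
# Added example: generate least-privilege add-permission commands for review.
# REGION, ACCOUNT, API_ID and the function/alias names are constructed values.
REGION=eu-west-1
ACCOUNT=123456789012
API_ID=abcde12345

# permission_cmd FUNCTION ALIAS METHOD RESOURCE
# Prints one command scoped to a single alias and one method/path of one API.
# Refuses input that still contains a ${stageVariables...} placeholder or a
# wildcard, since --function-name must name one concrete function or alias.
permission_cmd() (
    fn=$1 alias=$2 method=$3 resource=$4
    case "$fn$alias" in
        *'$'*|*'{'*|*'*'*)
            echo "placeholder or wildcard left in: $fn:$alias" >&2
            exit 1 ;;
    esac
    fn_arn="arn:aws:lambda:$REGION:$ACCOUNT:function:$fn:$alias"
    # "*" here is the stage segment, as in the console-generated command.
    src_arn="arn:aws:execute-api:$REGION:$ACCOUNT:$API_ID/*/$method/$resource"
    # Deterministic statement ID so a re-run is easy to recognise.
    sid="apigw-$API_ID-$method-$fn-$alias"
    printf "aws lambda add-permission --function-name '%s' --source-arn '%s' --principal apigateway.amazonaws.com --statement-id '%s' --action lambda:InvokeFunction --region %s\n" \
        "$fn_arn" "$src_arn" "$sid" "$REGION"
)

# all_permission_cmds: one command per (function, alias) pair, 2 x 4 = 8 lines.
all_permission_cmds() {
    for fn in first second; do
        for alias in development testing staging production; do
            permission_cmd "$fn" "$alias" GET "$fn" || return 1
        done
    done
}

# Print the commands for review; pipe the output to sh to apply them.
all_permission_cmds
```

Each generated statement can be checked afterwards with `aws lambda get-policy --function-name <function> --qualifier <alias>`.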