How to Invoke AWS step function using API gateway? - amazon-web-services

According to Amazon's documentation, step function can be invoked using HTTP API.
Step Functions can be accessed and used with the Step Functions
console, the AWS SDKs, or an HTTP API.
I tried to search the detailed information, but can't seem to find any good ones. Does anyone know how to invoke AWS step function using API gateway, similar to the way it invokes Lambda functions?

If you need to call StepFunction from API Gateway, it's now possible and described well in docs: https://docs.aws.amazon.com/step-functions/latest/dg/tutorial-api-gateway.html
For Integration Type, choose AWS Service
For AWS Service, choose Step Functions from the list
For HTTP Method, choose POST from the list
For Action Type, choose Use action name
For Action, type StartExecution
For Execution Role, type ARN of role with API Gateway trusted identity provider and attached policy AWSStepFunctionsFullAccess

This is not the "official" AWS way -- see Erndob's answer for that.
The problem with the AWS way (sign each request with AWS credentials) is that most enterprises already have mature methods in place to manage authentication and authorization via their API gateways and (speaking as an enterpise architect) do not want to deal with the headache of duplicating this at the AWS-credential-level.
I'm sure that AWS will eventually integrate Step Functions with API Gateway but as of this writing (1/17) this is probably the simplest way to get the job done. Below is a trivial Lambda proxy function I wrote to leverage the SDK's ability to sign the requests:
'use strict';
const AWS = require('aws-sdk');
const stepfunctions = new AWS.StepFunctions();
exports.handler = (event, context, callback) => {
if(!event && event.action)
callback("Error: 'action' is required.");
if(!event && event.params)
callback("Error: 'params' is required.");
stepfunctions[event.action](event.params, function (err, data) {
if (err)
console.log(err, err.stack);
callback(err, data);
});
};
You will need to grant your Lambda privs to interact with your Step Functions. To give it full access to all operations create a new role and attach the following policies:
AWSLambdaBasicExecutionRole
AWSStepFunctionsFullAccess
Now configure the Lambda to be invoked via API gateway as normal, passing in an event with two properties:
action (the Step Functions method name, like "startExecution")
params (the params needed for that method. Ref here: http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/StepFunctions.html)
And be sure to lock your API down! :-)

It's using HTTP API, not API Gateway.
Step function endpoints follow this format:
https://states.${region}.amazonaws.com
for example:
https://states.us-east-1.amazonaws.com
And you use HTTP API (again, not API gateway) to make actions on your states.
More about HTTP API here:
http://docs.aws.amazon.com/step-functions/latest/apireference/Welcome.html
Technically you could use API gateway, to redirect to step functions API but there's not much point in that.

I recently posted an example code that make it work using CloudFormation and OpenApi on https://stackoverflow.com/a/59326771/6697093.

Related

Create an api in api gateway to invoke a lambda function

I am working on a project and trying to use API Gateway to invoke a lambda function. The lambda function is used to update a DynamoDB item. The DynamoDB table is used to keep a running count of visitors to a web page. I need to create an API to invoke the lambda function but I'm not sure how to create the API. Any assistance is appreciated.
General steps would be:
Create AWS_PROXY integration between API Gateway and your Lambda function. The example of this is in the AWS tutorials: Set up Lambda proxy integrations in API Gatewa and in Tutorial: Build a REST API with HTTP proxy integration
Add/amend execution role to your function allowing it to access DynamoDB. This is exemplified in the AWS tutorial: Using AWS Lambda with Amazon DynamoDB.
Test the API. It can be done directly in API gateway console, or using external tools such as curl or Postman.
I figured out my issue. In my lamdba function, I needed to change the output to a JSON object. Once I made the change, I was able to get my API working. Here is a link to the fix.

Can I call AWS Lambda directly without Gateway API?

I am developing a simple Lambda function on AWS to get and put data into Dynamo DB. I wanted to call this function from the Windows Client desktop application. My question is, do I really need AWS Gateway API here or can I call the lambda function directly using AWS SDK?
You can use invoke() to directly execute an AWS Lambda function from an AWS SDK. You can also pass it a payload, which will be accessible within the function.
Here is a syntax example in Python:
response = client.invoke(
ClientContext='MyApp',
FunctionName='MyFunction',
InvocationType='Event',
LogType='Tail',
Payload='fileb://file-path/input.json',
Qualifier='1',
)
You need API Gateway if you want to create REST APIs that mobile and web applications can use to call publicly available AWS services (through code running in AWS Lambda).
You can synchronous invoke your Lambda functions. This can be accomplished through a variety of options, including using the CLI or any of the supported SDKs. Note the invocation-type should be RequestResponse aws blog
bash command using aws cli
aws lambda invoke —function-name MyLambdaFunction —invocation-type RequestResponse —payload “JSON string here”
sdk python call. configuration
invoke_resp = LAMBDA_CLIENT.invoke(
FunctionName='function_name',
InvocationType='RequestResponse',
Payload='payload')
If you want to invoke the lambda asynchronous Invocation-type flag should be Event
aws lambda invoke —function-name MyLambdaFunction —invocation-type Event —payload “JSON string here”
I don't have much information from your use case. I have to assume something here.
You don't need to wait for the response back from Lambda
So you can use async call through SNS or SQS and then put your Lambda subscribed for either SNS or SQS. You can research more to choose between SNS and SQS, depends on your use case
If you need to wait for the response back from Lambda
If you want to share the Lambda's feature outside your organization, you can use API Gateway to do so, it means you still keep Lambda inside but expose an API through API Gateway to outside for usage.
If you don't want to share the Lambda's feature outside, like previous answers, you can use invoke command/sdk to achieve the result.
If I have more information from your use case, maybe the answer can be more accurate.

how does serverless invoke in aws

I am new to this whole serverless framework. I created my first serverless function as documented here https://www.npmjs.com/package/serverless#quick-start. Next when I do a "serverless invoke" it works. I am confused how this works, the questions I have around this are
There does not seem to be an API gateway created so how can it invoke?
There are also stages mentioned in the serverless.yml file, I'm not sure what these translate to
Any help on this is highly appreciated.
First of all the default code comes with the AWS template, is only having a Lambda function declared. Let me try to answer your questions inline.
There does not seem to be an API gateway created so how can it invoke?
Yes, since there is no API Gateway created, its not possible to invoke the Lambda through URLs. However, it is possible to invoke the Lambda using AWS CLI or SDKs which is what Serverless Framework is providing with "serverless invoke". To create a API Gateway, you need to add an event object to the function code as shown below.
functions:
hello:
handler: handler.hello
events:
- http:
method: get
path: hello
There are also stages mentioned in the serverless.yml file, I'm not
sure what these translate to
When you define a stage in serverless.yml file, after the deployment, it creates a stage in API Gateway including it in the API Gateway URL path as shown below.
https://your-api/<stage-you-defined>/resurce-methods
Note: that if you setup a custom certificate for API Gateway, then you have option to setup your own custom paths.
Also its important to note that, although API Gateway supported this feature to have different stages(e.g test, staging, production) of a Single API Gateway deployment, latest Serverless Framework doesn't use this feature. Instead when you define a new stages, it will deploy a whole new API Gateway with the new stage. Serverless Framework has the argument for separating the API Gateway and having a single stage to self-contain each stage for isolation.
You can attach an API gateway for invoking your lambda
Or
You can get event driven. Where your lambda gets invoked in response to some events like a new message in AWS SNS or when a new object gets created in S3
Or
You can have scheduled invocations using cloudwatch trigger events
For a comprehensive list of events that can invoke lambda see Invoking Lambda Functions
As documented in AWS Regions and Endpoints there are HTTPS endpoints for Lambda. For example, in the us-east-1 region the endpoint is https://lambda.us-east-1.amazonaws.com. This is how you're able to call a Lambda directly without the API gateway. API gateway can add additional functionality and puts a full HTTP protocol on top of a Lambda.

Amazon API Gateway using Lambda gives permission error with POST method

I have been putting together and deploying Lambda functions using Apex and the functions, where I have been using GET method through AWS API Gateway are working fine.
I now need to create an API to call into a Lambda function using POST and pass in a JSON object. To get the basics of POST working I created a simple Lambda function that just does the following
console.log("!!!!!!! Received request");
callback(null, {data: "Success"});
return;
When I call this Lambda function using a GET method from API Gateway and test the API, it works fine - the API Gateway Test mechanism gives the "success" message while "Received Request" is logged in a successful call in CloudWatch.
However when I use the POST request to call the same Lambda function from API Gateway I get the following
"message": "Internal server error"
And I also see "Execution failed due to configuration error: Invalid permissions on Lambda function"
So what I am wondering is whether the role by which Lambda functions are called require any additional privileges when that function is invoked through a POST method. If so what is that privilege that I need to assign to the role being used?
Thanks,
Sanjay.
If you want to call POST method through API gateway level, that post method you have to deploy. Go to AWS API Gateway console. then select your POST API name and on the top of the grid (screen) you will find a drop down called Actions, there one option called deploy. That you have to select then only your POST API will work.
API Gateway needs permissions to invoke your Lambda function. It prompts you to add the permission automatically if you configure your API via the web console, and the Lambda function is not specified with a stage variable.
So if you're using a tool like CloudFormation or Swagger import to create or update your APIs, or the Lambda function is specified with a stage variable, you'll need issue a aws lambda add-permission command manually to set the permission.
See these posts for more details:
Lambda function -> Api Gateway stage variable permission manually
AWS API Gatewat with proxy Lambda: Invalid permissions on Lambda function

Passing context / authorisation with cloudfront to lambda

This is bit tricky situation I got into here,
I set up a lambda function & API gateway, then I setup cloudfront over API gateway for faster processing and achieving benefit of all the endpoint nodes provided by AWS [It should take more time using cloudfront on top of API gateway service but I am getting better result with cloudfront layer on top of it, maybe DNS resolution and AWS internal infrastructure is better]
I setup a JAVA function inside lambda which is working perfectly fine, but I want to use Context of request maker in lambda function
public String handleRequest(UserPOJO input, Context context) {
}
If I make direct lambda function request I can achieve that but it's taking too much time executing direct lambda from my Android client, also I don't find it good to expose those details, and with cloudfront I am not sure what headers should I send so that lambda detects it's cognito role and ID using context.getIdentity().getIdentityId(); in lambda.
If someone understands my problem here and elaborate it better for other I will be glad, it is very complex to explain the problem.
Technically
I can make execution of lambda function directly with cognito credential provider authentication but Very slow
Can make API gateway request which cognito credential provider authentication, speed is better than direct lambda execution
Can make cloudfront request but stuck where I don't know how can I use cognito credential provider authorisation while making the request. Seemed faster than API gateway.
Thanks. :)
If you want to get Cognito related information in Lambda function and you are proxying your request from API Gateway, You can use the mapping template to include information you need, then you can get it from the input object.
I can make execution of lambda function directly with cognito credential provider authentication but Very slow.
I recommend you to build your Lambda function in python or javascript runtime.
Can make API gateway request which cognito credential provider authentication, speed is better than direct lambda execution
API Gateway cannot improve the performance of your Lambda function, but API Gateway can provide API management feature for your Lambda function.
Can make cloudfront request but stuck where I don't know how can I use cognito credential provider authorisation while making the request. Seemed faster than API gateway.
CloudFront doesn't have do anything with your Cognito credential. It just passes everything it gets to API Gateway.
I am not sure how adding a CloudFront distribution in front of API Gateway can make the latency better except you enable the edge side cache which is not calling your Lambda function every time.