I'm trying to find a complete list of policies that can be added to the SAM template, but I can't find any information either in Amazon's official documentation or by googling for it.
I'm in the process of converting a Lambda application to SAM and it requires a lot of policies, so I need a list of what policies exist and what they are named. So what are the possible policies you can put on a SAM application?
My template:
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  AWS Serverless Application
  Sample SAM Template for AWS Serverless Application
Globals:
  Function:
    Timeout: 20
    Runtime: java8
Resources:
  example:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: target/aws-lambda.zip
      Handler: com.example.ExampleRequestHandler::handleRequest
      Events:
        example:
          Type: Api
          Properties:
            Path: /example
            Method: post
      Policies: # <- This field
        - AmazonDynamoDBFullAccess
all_aws_managed_policies.json
A list of all AWS managed policies and their policy documents, as well as a short script to generate the list.
I wrote this code so that I could easily see the details of the managed policies, since AWS doesn't publish them.
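A least-privilege check over the `Policies` list of an `AWS::Serverless::Function`, added here as an example (it is not the question's template nor the linked gist). SAM accepts three kinds of entry under `Policies`: a managed policy name as in the question, a SAM policy template such as `DynamoDBCrudPolicy`, or an inline IAM policy document; the template dict below is constructed to contain one of each.

```python
from typing import Any, Dict, List

BROAD_MANAGED = ("FullAccess", "AdministratorAccess", "PowerUserAccess")

# Constructed input: the question's template as yaml.safe_load would return it,
# with one entry of each kind SAM accepts under Policies added for illustration.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "example": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Policies": [
                    "AmazonDynamoDBFullAccess",  # AWS managed policy name (from the question)
                    {"DynamoDBCrudPolicy": {"TableName": "ItemsTable"}},  # SAM policy template
                    {"Statement": [{"Effect": "Allow", "Action": "sns:*", "Resource": "*"}]},  # inline
                ]
            },
        }
    }
}

def statement_findings(stmt: Dict[str, Any]) -> List[str]:
    """Flag wildcard actions or resources in one inline IAM Allow statement."""
    if stmt.get("Effect") != "Allow":
        return []
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    resources = stmt.get("Resource", [])
    resources = [resources] if isinstance(resources, str) else resources
    found = [f"inline statement allows wildcard action {a}"
             for a in actions if a == "*" or a.endswith(":*")]
    if "*" in resources:
        found.append("inline statement applies to Resource '*'")
    return found

def check_function_policies(template: Dict[str, Any]) -> Dict[str, List[str]]:
    """Map each AWS::Serverless::Function logical id to its least-privilege findings.
    Dicts without a Statement key are SAM policy templates (e.g. DynamoDBCrudPolicy),
    which are already scoped to the named resource, so they are not flagged."""
    findings: Dict[str, List[str]] = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        policies = res.get("Properties", {}).get("Policies", [])
        policies = [policies] if isinstance(policies, str) else policies
        problems: List[str] = []
        for p in policies:
            if isinstance(p, str) and any(b in p for b in BROAD_MANAGED):
                problems.append(f"managed policy {p} grants far more than one function needs")
            elif isinstance(p, dict) and "Statement" in p:
                for stmt in p["Statement"]:
                    problems.extend(statement_findings(stmt))
        findings[name] = problems
    return findings
```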
In my SAM templates, my team has defined an API that is mostly to our liking. I would like to debug this API locally, but it isn't set explicitly as an Event under our Function. So sam local start-api fails with the error
Error: Template does not have any APIs connected to Lambda functions
How can I convince SAM that the API we have defined is the event meant to invoke this Lambda? What should I do to test this locally?
Edit: to clarify, the current template structure looks something like
Lambda:
  Type: AWS::Serverless::Function
  Properties:
    ...
LambdaRole:
  ....
MAILAPI:
  Type: AWS::Serverless::Api
  Properties:
    ...
Not sure if this implements all the gateway params we defined, so I won't mark this as resolved yet, but this is a promising start!
This allowed me to start the API as expected locally:
Events:
  Api:
    Type: Api
    Properties:
      Path: /
      Method: post
      RestApiId:
        Ref: MAILAPI
With (of course) our API resource defined under the MAILAPI label (edited the question to show this).
As part of an AWS SAM template, I have a function with an HttpPost event trigger. Because I'm using the AWS SAM transform, I am not explicitly declaring the API Gateway that gets created to route this HTTP POST to trigger the function. Given that, is there any way to reference the generated URL endpoint, such as in a stack output or describe-stack-resources, so that I can programmatically get the invocation URL for the function? I know I can get the endpoint by navigating to the stack in the console, finding the ApiGateway resource, and clicking around randomly until one of the pages shows it. But I'd like a method that my application code can reproduce.
Shortened template for reference:
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
  SendJobUpdateFunction:
    Type: AWS::Serverless::Function
    Properties:
      ...
      Runtime: nodejs10.x
      Events:
        HttpPost:
          Type: Api
          Properties:
            Path: '/jobs'
            Method: post
...
I'm currently deploying using the sam CLI, which I think has a very similar syntax to aws cloudformation.
According to the documentation and this previous question, you can get it with:
!Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/${Stage}"
Where ${Stage} is your own parameter containing the deployed stage.
I wanted to make a lambda available at dev-api.example.com/auth/*.
The lambda will act like an auth service. So it will have urls like
dev-api.example.com/auth/register
dev-api.example.com/auth/login
and more ...
Likewise, more lambdas will be hooked to a single ApiGateway.
With that design decision, I wrote the following serverless.yml file.
# serverless.yml
...
custom:
  customDomain:
    domainName: dev-api.example.com
    stage: prod
    basePath: ''
...
functions:
  auth:
    handler: src/index.handler
    events:
      - http:
          method: ANY
          path: /{auth+}
It does not seem to work. Whenever I visit dev-api.example.com/auth/register it returns a Not Found error.
AWS API Gateway only accepts the {proxy+} syntax (Link), so I think the serverless framework just supports {proxy+} and {any+}.
If you want to just create a function to handle 2 API endpoints, in this case the endpoints are
POST /auth/register (I think so)
POST /auth/login
Then you have a setting in serverless.yml like
...
functions:
  auth:
    handler: src/index.handler
    events:
      - http:
          method: ANY
          path: auth/{any+} # this matches any path, the token 'any' doesn't mean anything special
...
Thanks #hoangdv, your suggestion almost fixed the problem.
The issue was with the path. It should have been path: auth/{proxy+} instead of path: /{auth+}
functions:
  auth:
    handler: src/index.handler
    events:
      - http:
          method: ANY
          path: auth/{proxy+}
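What `src/index.handler` sees behind `path: auth/{proxy+}`, as an added example that is not code from the question or the answers: with the Lambda proxy integration, API Gateway passes the part of the path captured by `{proxy+}` as `event["pathParameters"]["proxy"]`, so the handler routes on that value and rejects anything outside its route table. The route functions and the `make_event` helper are constructed for illustration.

```python
import json
from typing import Any, Callable, Dict, Tuple

def register(body: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    return 201, {"status": "registered"}

def login(body: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    return 200, {"status": "ok"}

# (httpMethod, captured {proxy+} value) -> handler; anything else is rejected.
ROUTES: Dict[Tuple[str, str], Callable[..., Tuple[int, Dict[str, Any]]]] = {
    ("POST", "register"): register,
    ("POST", "login"): login,
}

def response(status: int, payload: Dict[str, Any]) -> Dict[str, Any]:
    """Shape API Gateway expects back from a Lambda proxy integration."""
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(payload)}

def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    # A request to /auth/register reaches the function with pathParameters.proxy == "register"
    proxy = ((event.get("pathParameters") or {}).get("proxy") or "").strip("/")
    method = event.get("httpMethod", "")
    target = ROUTES.get((method, proxy))
    if target is None:
        if any(p == proxy for _, p in ROUTES):
            return response(405, {"error": "method not allowed"})
        return response(404, {"error": "not found"})
    try:
        body = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        return response(400, {"error": "invalid JSON body"})
    if not isinstance(body, dict):
        return response(400, {"error": "JSON object expected"})
    status, payload = target(body)
    return response(status, payload)

def make_event(method: str, proxy: str, body: Any = None) -> Dict[str, Any]:
    """Constructed API Gateway proxy event for a request to /auth/<proxy>."""
    return {"httpMethod": method, "path": f"/auth/{proxy}",
            "resource": "/auth/{proxy+}",
            "pathParameters": {"proxy": proxy},
            "body": None if body is None else json.dumps(body)}
```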
Lambda now supports adding SNS topics (among other things) as destinations. This can be set up via the UI.
But I can't get it to work. I have a simple Lambda that returns a JSON that I want it to push to an SNS topic. I open the Lambda's destination and in the destination pasted the topic. This resulted in "Invalid input".
To get the destination to recognize the topic ARN, I first gave the Lambda SNS Full Access and then also added my Lambda role to the SNS topic Access policy.
"Resource": [topic arn],
"Condition": {
  "StringEquals": {
    "AWS:SourceOwner": [topic owner],
    "Role": [Lambda role arn] <---single added line
  }
}
No more "Invalid input"!
Unfortunately, when I return to Lambda and go through the Destination flow again, I now get
The provided destination config
DestinationConfig(onSuccess=OnSuccess(destination=[topic arn]),
onFailure=null) is invalid.
But one can only define Success or Failure (radio buttons), not both. So presumably I mucked up permissions somewhere and the Lambda actually still can't publish.
What permissions do I need to grant the Lambda role, and how do I need to update the Topic access to make this work?
Edit: VPCs
I failed to mention my Lambda sits on a VPC. Because I'm calling an external database and need a whitelisted IP, I'm using a VPC/NAT setup to keep a stable IP.
I'm not sure if this affects my situation, but from my rudimentary understanding of VPCs, I'm guessing this limits what the Lambda can directly interact with.
Taking a look around, the Asynchronous Invocation docs have a section on Lambda destinations. That section seems to indicate that the only permission you need to give is sns:Publish to your Lambda. Can you confirm that it does in fact receive publish permissions?
If that's not the issue, I would try taking their CloudFormation template (quoted below, from your link above) and comparing it to the CloudFormation being generated in your account when you do the setup via the console.
Resources:
  EventInvokeConfig:
    Type: AWS::Lambda::EventInvokeConfig
    Properties:
      FunctionName: "YourLambdaFunctionWithEventInvokeConfig"
      Qualifier: "$LATEST"
      MaximumEventAgeInSeconds: 600
      MaximumRetryAttempts: 0
      DestinationConfig:
        OnSuccess:
          Destination: "arn:aws:sns:us-east-1:123456789012:YourSNSTopicOnSuccess"
        OnFailure:
          Destination: "arn:aws:lambda:us-east-1:123456789012:function:YourLambdaFunctionOnFailure"
Note that from the docs, it looks like you can define OnSuccess and OnFailure sequentially in the console, by going through the process twice. I wouldn't quite put it past them to have e.g. an implicit requirement that both OnSuccess and OnFailure be provided.
Maybe different to your case, but I found out the reason I was getting this error was simply because the SNS was in a different region to the lambda. Ensuring it was the same region worked as per below example. Wish the error was clearer here!
service: errorhandlingdemo
frameworkVersion: '2'
configValidationMode: error
plugins:
  - serverless-dotenv-plugin
provider:
  name: aws
  runtime: python3.7
  lambdaHashingVersion: 20201221
  profile: ${opt:profile, env:PROFILE}
  stage: ${opt:stage, env:STAGE}
  timeout: 5 # seconds
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - sns:*
      Resource:
        - arn:aws:sns:us-east-1:540160934250:genesis-alerts
functions:
  helloworld:
    handler: handler.hello
    destinations:
      onFailure: helloFailure
  helloFailure:
    handler: failure_handler.handler
    destinations:
      onFailure: arn:aws:sns:us-east-1:540160934250:genesis-alerts
      onSuccess: arn:aws:sns:us-east-1:540160934250:genesis-alerts
custom:
  dotenv:
    basePath: ./env/
    logging: true
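An added example, not from either answer, that ties the two findings in this thread together: the destinations docs cited above say the execution role needs only sns:Publish, and the second answer found that a topic in a different region from the function is rejected. The code parses the ARNs, refuses a cross-region pair, emits the minimal statement for the topic, and points out role grants (like the `sns:*` in the serverless.yml above) that go beyond sns:Publish. The function ARN is constructed; the topic ARN and account id are the ones the answer shows.

```python
from typing import Any, Dict, List

def parse_arn(arn: str) -> Dict[str, str]:
    """Split arn:partition:service:region:account:resource (resource may itself contain ':')."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))

def destination_statement(function_arn: str, topic_arn: str) -> Dict[str, Any]:
    """Least-privilege IAM statement for an SNS destination of the given function.
    Raises ValueError for the misconfigurations discussed in the thread."""
    fn, topic = parse_arn(function_arn), parse_arn(topic_arn)
    if topic["service"] != "sns":
        raise ValueError(f"destination {topic_arn} is not an SNS topic")
    if fn["region"] != topic["region"]:
        raise ValueError(f"topic region {topic['region']} differs from function region {fn['region']}")
    return {"Effect": "Allow", "Action": "sns:Publish", "Resource": topic_arn}

def overbroad_sns_grants(statements: List[Dict[str, Any]]) -> List[str]:
    """Return every allowed sns action in the role statements other than sns:Publish."""
    found: List[str] = []
    for s in statements:
        if s.get("Effect") != "Allow":
            continue
        actions = s.get("Action", [])
        for a in ([actions] if isinstance(actions, str) else actions):
            if a.startswith("sns:") and a != "sns:Publish":
                found.append(a)
    return found

# Constructed function ARN; the topic ARN is the one from the serverless.yml above.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:540160934250:function:helloFailure"
TOPIC_ARN = "arn:aws:sns:us-east-1:540160934250:genesis-alerts"
# The iamRoleStatements entry from that serverless.yml, as a Python structure.
ROLE_STATEMENTS = [{"Effect": "Allow", "Action": ["sns:*"], "Resource": [TOPIC_ARN]}]
```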
I would like to enable caching in API Gateway for my serverless functions, but I'm having a hard time understanding where to do it and how.
I have tried to set up queryStringParameters in my serverless functions, but that results in an error; I also tried to add them under my GLOBAL Api but with no luck (and I would prefer to avoid doing this in global).
I also checked my resources in API Gateway: caching is disabled for RequestParams, and QueryStringParams are missing from there.
As a reference:
https://awslabs.github.io/serverless-application-model/internals/generated_resources.html
https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessapi
https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Template
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Globals:
  Api:
    EndpointConfiguration: REGIONAL
    CacheClusterEnabled: true
    CacheClusterSize: "0.5"
    MethodSettings:
      - CachingEnabled: true
        CacheDataEncrypted: true
        CacheTtlInSeconds: 60
        HttpMethod: "*"
        ResourcePath: "/*"
Resources:
  ......
  GetItem:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: GetItem.handler
      Runtime: nodejs8.10
      Timeout: 20
      CodeUri: "codes"
      Events:
        GetItem:
          Type: Api
          Properties:
            Path: /item/{itemCode}
            Method: get
  ......
***********************************EDIT*********************************
Found out that if API Gateway does not know about the params, it will ignore them for caching: https://forums.aws.amazon.com/thread.jspa?messageID=915838
I have tried to add multiple MethodSettings entries to the template, and it seems CF doesn't ignore them, but the result is still the same. Also I'm not sure how to do the same for queryStringParameters, if that is possible.
- ResourcePath: "/~1item~1/~1{itemCode}"
  CachingEnabled: true
  CacheDataEncrypted: true
  CacheTtlInSeconds: 60
  HttpMethod: "*"
***********************************EDIT*********************************
I would prefer a way to enable caching for the RequestParams and QueryParams under every resource, aka 'AWS::Serverless::Function'.
Your help is much appreciated.
At this point there is no support in the SAM framework to do this. They are planning to release an update where they enable the function; more on this link: https://github.com/awslabs/serverless-application-model/issues/1140
Until then, the only solution I was able to come up with is to create a CloudFront distribution in front of the API Gateway. It's kind of a waste of resources, but it works nicely.