Gojko Adzic
@gojko
@Chardine web sockets are not supported at the moment
Primož Verdnik
@drye
@gojko when using claudiajs with aws-serverless-express - would it be still possible to use API gateway's Usage Plans for per-endpoint throttling? I assume not, since API gateway is just serving as a proxy?
Chant Long
@chantlong_twitter

@gojko

@chantlong_twitter we added something in 5.6 that lets people use STS tokens and assumed roles, but that picks up AWS_ROLE_ARN from the environment and thinks that you want to use STS if it is defined

Sorry for the late reply. I just happened to have AWS_ROLE_ARN in my bash profile, which is used in my other repos not related to the claudia repo. I could change the env name so I can use 5.6. Thanks. I use AWS_ROLE_ARN for other parts of the aws-sdk methods like IAM methods.

Subbu
@subbu-everest

Greetings!

How to update the security-group and subnets attached to the Lambda function.

I can attach security-group and subnets while creating the function using --security-group-ids and --subnet-ids flags respectively.

How to update them?

Gojko Adzic
@gojko
@subbu-everest use the aws CLI tools for that. In general, claudia does not re-implement aws cli commands where it can't provide additional value. check out https://docs.aws.amazon.com/cli/latest/reference/lambda/update-function-configuration.html - if you used an alias when creating the function, you may also need to republish the alias after updating the VPC configuration for it to take effect. you can do that with claudia set-version --version <ALIAS>
Subbu
@subbu-everest
That makes sense. Thank you @gojko
John de Freitas
@Hunger_Artist_twitter

Hello. Trying to deploy a lambda to an AWS gov cloud region, not having much luck.
aws sts get-caller-identity --profile gov returns the right account (gov is the profile I have setup locally).
When I run claudia create --region us-gov-west-1 --name myLambdaName --runtime nodejs8.10 --handle mymodule.myhander --profile gov, I get InvalidClientTokenId: The security token included in the request is invalid..

It looks as though the request to create the IAM role is sent to https://iam.amazonaws.com, instead of iam.us-gov.amazonaws.com (see https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-endpoints.html). I also suspect the region used in the request is us-east-1.

Version info: claudia --version returns 5.4.0

John de Freitas
@Hunger_Artist_twitter

And though I'm already passing --region us-gov-west-1, if I also export AWS_REGION=us-gov-west-1, I get a bit further. The IAM role is created, though no permissions are added to it.

The error is MalformedPolicyDocument: Partition "aws" is not valid for resource "arn:aws:logs:*:*:*"..
This is usually the case when an arn in a Gov Cloud region begins with arn:aws:... and not arn:aws-us-gov:...

John de Freitas
@Hunger_Artist_twitter
As it turns out, json-templates/log-writer.json hard-codes the "Resource": "arn:aws:logs:*:*:*" line. Once I changed that to "Resource": "arn:aws-us-gov:logs:*:*:*", everything worked. So perhaps there can be some logic to toggle between different resources, depending on the region. As well as the strange behavior where --region passed on the command line is insufficient, and the AWS_REGION envvar is required.
And although I haven't tested it, I expect a similar issue will affect the two AWS China regions, which use the aws-cn arn partition.
Gojko Adzic
@gojko
@Hunger_Artist_twitter thanks for such a detailed troubleshooting log. I guess this is the first time anyone tried to use claudia for the isolated gov region :) I’ll check if we’re hard-coding it anywhere else
Gojko Adzic
@gojko
@Hunger_Artist_twitter I've created an issue on github to track progress for this claudiajs/claudia#201
red-made
@red-made
I have a strange problem. I have a backend in AWS Lambda based on the claudia.js API builder. I've discovered a strange thing: when I register as a new user and the script is rejected, the lambda retrieves an error and stops the execution, and no new user is created in the DB. But when I fix the data and resubmit the registration, I see two new users in the DB, one with the correct data and one with the previous wrong data. It seems that a new lambda execution starts from the end of the previous one after the reject. Here is some example code: https://pastebin.com/PwpzLArs
John de Freitas
@Hunger_Artist_twitter
Thanks @gojko . I'm also happy to help out and test potential patches/fixes.
Gojko Adzic
@gojko
@red-made make sure you are not caching something across requests in the global context. Lambda is not stateless, and it can decide to reuse a container across requests. So if you have some kind of prepared request in the global context, and it gets created once but then appended during request processing, it will try to submit the data from the cached thing as well
@Hunger_Artist_twitter thanks. I’ll definitely need help testing because I can’t really reproduce the error (no government account)
Gojko Adzic
@gojko
@Hunger_Artist_twitter looking at the gov regions now, there also seems to be some difference between FIPS and non FIPS endpoints. Is this important to you, should you be able to select between the two or do we always go for the FIPS version?
also, I'm trying to find a reliable way to identify the partition - when you run aws sts get-caller-identity, does it include the gov partition in the ARN result, or does it include the aws partition?
NeverMinD
@xenowing
hi
raedwa01
@raedwa01
I'm having a slight problem. I have data in a mariadb and am able to get my lambda to query it just fine. The problem is that I cannot seem to get the results to return back in the response.
I went ahead and created a separate express file and added a require for the handler i created. I had to create the following code to get a response to work in express
app.get('/myproc', async (req, res) => { let tmp = await myhandler.myfunction(); res.status(200).send(tmp); })
raedwa01
@raedwa01
In the api.js for my lambda, i used api.get('/myproc', async () => { return await myhandler.myfunction() } )
I know the connection is connecting to the database, I write the results to the console in the middle of the query execution. The results never show on the webpage when I run it though.
Ravi
@ivar891_gitlab
@raedwa01 can you just send the result using return and see if it helps
John de Freitas
@Hunger_Artist_twitter
@gojko : The output of aws sts get-caller-identity includes the gov partition in the ARN:
{
    "UserId": "AI....",
    "Account": ".....",
    "Arn": "arn:aws-us-gov:iam::<the account number>:user/<user name>"
}
You bring up a good point with the FIPS vs non-FIPS endpoints. If it simplifies things, many of the common/relevant services only have one or the other (S3 and Lambda are notable exceptions). I think I would default to the FIPS endpoint, since it should only affect the TLS session between the client and AWS endpoint (so, the set of cipher suites is strict, and the modules used to implement those endpoints are validated).
Gojko Adzic
@gojko

@Hunger_Artist_twitter I got it almost done... can you please check just one more thing for me. Do you have access to this policy:

aws iam get-policy --policy-arn 'arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole'

if not, is there an equivalent policy in your partition?

John de Freitas
@Hunger_Artist_twitter

@gojko This is pretty interesting. Running the command aws iam get-policy --policy-arn 'arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole' returns:

{
    "Policy": {
        "PolicyName": "AWSLambdaKinesisExecutionRole",
        "PolicyId": "AN...",
        "Arn": "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole",
        "Path": "/service-role/",
        "DefaultVersionId": "v2",
        "AttachmentCount": 0,
        "IsAttachable": true,
        "Description": "Provides list and ead access to Kinesis streams and write permissions to CloudWatch logs.",
        "CreateDate": "2017-05-08T18:26:34Z",
        "UpdateDate": "2018-11-19T20:09:32Z"
    }
}

Running the above with --debug outputs the following request line:

2019-08-28 00:36:43,518 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=GetPolicy) (verify_ssl=True) with params: {'url_path': '/', 'query_string': '', 'method': 'POST', 'headers': {'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': 'aws-cli/1.14.44 Python/3.6.8 Linux/4.15.0-1044-aws botocore/1.8.48'}, 'body': {'Action': 'GetPolicy', 'Version': '2010-05-08', 'PolicyArn': 'arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole'}, 'url': 'https://iam.us-gov.amazonaws.com/', 'context': {'client_region': 'aws-us-gov-global', 'client_config': <botocore.config.Config object at 0x7f7cc158e860>, 'has_streaming_input': False, 'auth_type': None}}

So when the request is made to a us-gov AWS endpoint, even though the request has the aws partition, the response arn has the aws-us-gov partition.

Also - there's a typo in the Description response field.... could report to AWS

Gojko Adzic
@gojko
@Hunger_Artist_twitter great, that means we can most likely use the policy directly. I think I'm actually done then, just running integration tests now and assuming they pass I'll be able to give you a version to test
Gojko Adzic
@gojko
@Hunger_Artist_twitter could you give the version on github a test? you should be able to install it directly using 'npm install claudiajs/claudia -D' (as a dev dependency to your current project, then it will be available in path to npm scripts; or use -g for a global install)
John de Freitas
@Hunger_Artist_twitter

@gojko - Thanks, will try out that version before the end of the day (I'm in the eastern US timezone).

Does this version address the discrepancy between the AWS_REGION envvar and the --region command-line parameter mentioned here? :

:point_up: August 23, 2019 12:18 AM

Gojko Adzic
@gojko
@Hunger_Artist_twitter it should, but again I can't test it properly, so I'll need you to confirm
Gojko Adzic
@gojko
@/all claudia 5.8 is now on NPM, with support for SNS topic filters, dead letter queues, and hopefully working with other AWS partitions. Check out the news post for more info https://claudiajs.com/news/2019/08/29/claudia-5.8.html
Adam Pehas
@pehaada
Curious is there a way to run my api builder locally to help me debug?
almost like I'm starting up an express server and I can hit my API locally
I get that I can locally execute my function. What I was hoping to do is to fire up the api on my local machine for debugging
Gojko Adzic
@gojko
@pehaada I don't know of any tools that simulate api gw correctly. there were several attempts to build something like that, but it always becomes too complicated.
Ross Coundon
@rcoundon
@pehaada I've wondered about combining Stackery with Claudia for this kind of use case but haven't had time to pursue it yet - https://www.stackery.io/
Slobodan Stojanović
@stojanovic
@pehaada there’s this package, but I never tried it and I am not sure if it is still maintained: https://www.npmjs.com/package/claudia-local-api.
Not sure if stackery requires CloudFormation.
Ross Coundon
@rcoundon

In the docs for create it says:
--subnet-ids: (optional) ...At least one subnet is required if you are using VPC access....

Can I set the VPC via the create command ? I don't see docs for that

Ross Coundon
@rcoundon
Nevermind - I can see it's worked out the VPC from the subnets and/or security group
aleemb
@aleemb
Should I be aware of any configuration or workarounds if I intend to use Claudia for AWS Lambda + ELB? I cannot afford to use APIG because of the cost implications.
Gojko Adzic
@gojko
@aleemb we haven’t done any ELB configuration shortcuts yet, so you may need to wire it up to ELB manually - or perhaps contribute a wiring command for ELB event sources
aleemb
@aleemb
@gojko Alright, I'll do the manual wiring, am just getting started. Since there will be no APIG support would you suggest I use your "Running Express apps in AWS Lambda" guide?
nm, that guide is geared toward APIG
Gojko Adzic
@gojko
@aleemb yep, HTTPS processing with Claudia is currently completely APIG related
The aws-serverless-express library we use to bring express apps up also needs the apig proxy events, so it won’t work out of the box
aleemb
@aleemb
@gojko would be good at some point to add some support and examples around this. For now, I am unable to get it working so will continue reading and playing around with it. I keep getting 502 bad gateway. FWIW, I fall in this category of users: https://serverless-training.com/articles/save-money-by-replacing-api-gateway-with-application-load-balancer/#how-to-choose-between-application-load-balancer-and-api-gateway
Gojko Adzic
@gojko
@aleemb I understand there’s a need for this, but it’s not something on our critical path, so it’s unlikely that I’ll have the time to do it. If you or someone else wants to take a stab at it and submit a pull request, I could probably guide you through the steps
aleemb
@aleemb
@gojko So I managed to get things running using aws-serverless-express (v4) via https://github.com/awslabs/aws-serverless-express/tree/v4/examples/alb, which made it super easy to wrap my express server using 4 lines. I am pushing the code with Claudia, so it's a good combo.