Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Aug 01 2016 23:48
    @gojko banned @codepreneur
John de Freitas
@Hunger_Artist_twitter

And though I'm already passing --region us-gov-west-1, if I also export AWS_REGION=us-gov-west-1, I get a bit further. The IAM role is created, though no permissions are added to it.

The error is MalformedPolicyDocument: Partition "aws" is not valid for resource "arn:aws:logs:*:*:*"..
This is usually the case when an arn in a Gov Cloud region begins with arn:aws:... and not arn:aws-us-gov:...

John de Freitas
@Hunger_Artist_twitter
As it turns out, json-templates/log-writer.json hard-codes the "Resource": "arn:aws:logs:*:*:*" line. Once I changed that to "Resource": "arn:aws-us-gov:logs:*:*:*", everything worked. So perhaps there can be some logic to toggle between different resources, depending on the region. As well as the strange behavior where --region passed on the command line is insufficient, and the AWS_REGION envvar is required.
And although I haven't tested it, I expect a similar issue will affect the two AWS China regions, which use the aws-cn arn partition.
Gojko Adzic
@gojko
@Hunger_Artist_twitter thanks for such a detailed troubleshooting log. I guess this is the first time anyone tried to use claudia for the isolated gov region :) I’ll check if we’re hard-coding it anywhere else
Gojko Adzic
@gojko
@Hunger_Artist_twitter I've created an issue on github to track progress for this claudiajs/claudia#201
red-made
@red-made
I've a strange problem, I have a backend in aws lambda based on claudia.js api builder.. I've discovered a strange thing, when I register as a new user and the scripts is rejected the lambda retrieve error and stop the execution and in DB no new user is created. But when I fix the data and resubmit the registration on db I see two new user, one with the correct data and one with the previous wrong data, seems that a new lambda execution start from the end of the previous after the reject. Here some example code: https://pastebin.com/PwpzLArs
John de Freitas
@Hunger_Artist_twitter
Thanks @gojko . I'm also happy to help out and test potential patches/fixes.
Gojko Adzic
@gojko
@red-made make sure you are not caching something across requests in the global context. Lambda is not stateless, and it can decide to reuse a container across requests. So if you have some kind of prepared request in the global context, and it gets created once but then appended during request processing, it will try to submit the data from the cached thing as well
@Hunger_Artist_twitter thanks. I’ll definitely need help testing because I can’t really reproduce the error (no government account)
Gojko Adzic
@gojko
@Hunger_Artist_twitter looking at the gov regions now, there also seems to be some difference between FIPS and non FIPS endpoints. Is this important to you, should you be able to select between the two or do we always go for the FIPS version?
also, I'm trying to find a reliable way to identify the partition - when you run aws sts get-caller-identity, does it include the gov partition in the ARN result, or does it include the aws partition?
NeverMinD
@xenowing
hi
raedwa01
@raedwa01
I'm having a slight problem. I have data in a mariadb and am able to get my lambda to query it just fine. The problem is that I cannot seem to get the results to return back in the response.
I went ahead and created a separate express file and added a require for the handler i created. I had to create the following code to get a response to work in express
app.get('/myproc', async (req, res) => { let tmp = await myhandler.myfunction(); res.status(200).send(tmp); })
raedwa01
@raedwa01
In the api.js for my lambda, i used api.get('/myproc', async () => { return await myhandler.myfunction() } )
I know the connection is connecting to the database, I write the results to the console in the middle of the query execution. The results never show on the webpage when I run it though.
Ravi
@ivar891_gitlab
@raedwa01 can you just send the result using return and see if it helps
John de Freitas
@Hunger_Artist_twitter
@gojko : The output of aws sts get-caller-identity includes the gov partition in the ARN:
{
    "UserId": "AI....",
    "Account": ".....",
    "Arn": "arn:aws-us-gov:iam::<the account number>:user/<user name>"
}
You bring up a good point with the FIPS vs non-FIPS endpoints. If it simplifies things, many of the common/relevant services only have one or the other (S3 and Lambda are notable exceptions). I think I would default to the FIPS endpoint, since it should only affect the TLS session between the client and AWS endpoint (so, the set of cipher suites is strict, and the modules used to implement those endpoints are validated).
Gojko Adzic
@gojko

@Hunger_Artist_twitter I got it almost done... can you please check just one more thing for me. Do you have access to this policy:

aws iam get-policy --policy-arn 'arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole'

if not, if there an equivalent policy in your partition?

John de Freitas
@Hunger_Artist_twitter

@gojko This is pretty interesting. Running the command aws iam get-policy --policy-arn 'arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole' returns:

{
    "Policy": {
        "PolicyName": "AWSLambdaKinesisExecutionRole",
        "PolicyId": "AN...",
        "Arn": "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole",
        "Path": "/service-role/",
        "DefaultVersionId": "v2",
        "AttachmentCount": 0,
        "IsAttachable": true,
        "Description": "Provides list and ead access to Kinesis streams and write permissions to CloudWatch logs.",
        "CreateDate": "2017-05-08T18:26:34Z",
        "UpdateDate": "2018-11-19T20:09:32Z"
    }
}

Running the above with --debug outputs the following request line:

2019-08-28 00:36:43,518 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=GetPolicy) (verify_ssl=True) with params: {'url_path': '/', 'query_string': '', 'method': 'POST', 'headers': {'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': 'aws-cli/1.14.44 Python/3.6.8 Linux/4.15.0-1044-aws botocore/1.8.48'}, 'body': {'Action': 'GetPolicy', 'Version': '2010-05-08', 'PolicyArn': 'arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole'}, 'url': 'https://iam.us-gov.amazonaws.com/', 'context': {'client_region': 'aws-us-gov-global', 'client_config': <botocore.config.Config object at 0x7f7cc158e860>, 'has_streaming_input': False, 'auth_type': None}}

So when the request is made to a us-gov AWS endpoint, even though the request has the aws partition, the response arn has the aws-us-gov partition.

Also - there's a typo in the Description response field.... could report to AWS

Gojko Adzic
@gojko
@Hunger_Artist_twitter great, that means we can most likely use the policy directly. I think I'm actually done then, just running integration tests now and assuming they pass I'll be able to give you a version to test
Gojko Adzic
@gojko
@Hunger_Artist_twitter could you give the version on github a test? you should be able to install it directly using 'npm install claudiajs/claudia -D' (as a dev dependency to your current project, then it will be available in path to npm scripts; or use -g for a global install)
John de Freitas
@Hunger_Artist_twitter

@gojko - Thanks, will try out that version before the end of the day (I'm in the eastern US timezone).

Does this version address the discrepancy between the AWS_REGION envvar and the --region command-line parameter mentioned here? :

:point_up: August 23, 2019 12:18 AM

Gojko Adzic
@gojko
@Hunger_Artist_twitter it should, but again I can't test it properly, so I'll need you to confirm
Gojko Adzic
@gojko
@/all claudia 5.8 is now on NPM, with support for SNS topic filters, dead letter queues, and hopefully working with other AWS partitions. Check out the news post for more info https://claudiajs.com/news/2019/08/29/claudia-5.8.html
Adam Pehas
@pehaada
Curious is there a way to run my api builder locally to help me debug?
almost like I'm starting up an express server and I can hit my API locally
I get that I can locally execute my function. What I was hoping to do is to fire up the api on my local machine for debugging
Gojko Adzic
@gojko
@pehaada I don't know of any tools that simulate api gw correctly. there were several attempts to build something like that, but it always becomes too complicated.
Ross Coundon
@rcoundon
@pehaada I've wondered about combining Stackery with Claudia for this kind of use case but haven't had time to pursue it yet - https://www.stackery.io/
Slobodan Stojanović
@stojanovic
@pehaada there’s this package, but I never tried it and I am not sure if it is still maintained: https://www.npmjs.com/package/claudia-local-api.
Not sure if stackery requires CloudFormation.
Ross Coundon
@rcoundon

In the docs for create it says:
--subnet-ids: (optional) ...At least one subnet is required if you are using VPC access....

Can I set the VPC via the create command ? I don't see docs for that

Ross Coundon
@rcoundon
Nevermind - I can see it's worked out the VPC from the subnets and/or security group
aleemb
@aleemb
Should I be aware of any configuration or workarounds if I intend to use Claudia for AWS Lambda + ELB? I cannot afford to use APIG because of the cost implications.
Gojko Adzic
@gojko
@aleemb we haven’t done any ELB configuration shortcuts yet, so you may need to wire it up to ELB manually - or perhaps contribute a wiring command for ELB event sources
aleemb
@aleemb
@gojko Alright, I'll do the manual wiring, am just getting started. Since there will be no APIG support would you suggest I use your "Running Express apps in AWS Lambda" guide?
nm, that guide is geared toward APIG
Gojko Adzic
@gojko
@aleemb yep, HTTPS processing with Claudia is currently completely APIG related
The aws-serverless-express library we use to bring express apps up also needs the apig proxy events, so it won’t work out of the box
aleemb
@aleemb
@gojko would be good at some point to add some support and examples around this. For now, I am unable to get it working so will continue reading and playing around with it. I keep getting 502 bad gateway. FWIW, I fall in this category of users: https://serverless-training.com/articles/save-money-by-replacing-api-gateway-with-application-load-balancer/#how-to-choose-between-application-load-balancer-and-api-gateway
Gojko Adzic
@gojko
@aleemb I understand there’s a need for this, but it’s not something on our critical path, so it’s unlikely that I’ll have the time to do it. If you or someone else wants to take a stab at it and submit a pull request, I could probably guide you through the steps
aleemb
@aleemb
@gojko So I managed to get things running using aws-serverless-express (v4 ) via https://github.com/awslabs/aws-serverless-express/tree/v4/examples/alb) which made it super easy to wrap my express server using 4 lines. I am pushing the code with Claudia, so it's a good combo.
Chant Long
@chantlong_twitter

I am using Claudia API Builder.
The endpoint that I created when hit 20 times at the same time produces the following error. 

ThrottlingException: Rate exceeded

I basically have a for loop that loops over 20 times and in each loop it calls the Claudia API Endpoint.
I do not have throttling enabled for API Gateway so it should be like the following.
Your current account level throttling rate is 10000 requests per second with a burst of 5000 requests
So I don't get why I get this error

Gojko Adzic
@gojko
@chantlong_twitter check the throttling settings for your api in the aws web console - look for the deployed stage in the api gateway web page. if may be something that's set on your API implicitly, claudia does not set any throttling limits; if the AWS web console doesn't show any throttling for that endpoint, it's best to check with AWS support, they will then be able to figure out what is causing the issue
Chant Long
@chantlong_twitter
@gojko Thanks will try that out.
Sébastien Fichot
@sebastienfi
Hi there! Anybody pass custom headers through Amazon API Gateway to AWS Lambda with ClaudiaJS? Integration Request should not use Lambda Proxy integration but a mapping template which allows custom headers sent with POST to be pass to the Lambda... Any idea ?
Gojko Adzic
@gojko
@sebastienfi claudia only uses the proxy integration, and passes things through to Lambda. If you want to enrich requests as they are passing through API Gateway, the typical solution for that with claudia would be to use stage variables in API Gateway, not custom headers. you can read those variables out from the request object in Lambda then
Sébastien Fichot
@sebastienfi
@gojko can you point the direction to an example of that?
Gojko Adzic
@gojko
check out the section on api gateway variables here: https://claudiajs.com/tutorials/versions.html