Comments for Test the APIs

jayair · June 11, 2018, 5:43pm

The status: false is coming from this line (if you are trying to test the create API).

Gavmastaphlex/notes-app/blob/master/create.js#L22


        content: data.content,
        attachment: data.attachment,
        createdAt: Date.now()
    }
};


try {
    await dynamoDbLib.call("put", params);
    callback(null, success(params.Item));
} catch (e) {
    callback(null, failure({ status: false }));
}
}

I would console.log(e) and check in the Lambda logs what the error is.

Gavmastaphlex · June 11, 2018, 10:34pm

So I’ve previously done that with my offline files:

log

And then generated the previously posted Cloudwatch Logs.

Is Cloudwatch Logs the same as the Lambda Logs or am I looking in the wrong place?

Thanks for your help!

Gavmastaphlex · June 11, 2018, 10:44pm

Okay, after a bit of searching I think I’ve finally found the right place.

This is what has been logged after I inserted the console.log(e) a weeks ago:

2018-06-07T03:57:29.946Z e5bce5d3-6a06-11e8-ae7c-c93bc444d725 { AccessDeniedException: User: arn:aws:sts::386309702278:assumed-role/notes-app-api-prod-us-east-2-lambdaRole/notes-app-api-prod-create is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-2:386309702278:table/notes at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:48:27)
2018/06/07/[$LATEST]156d197bfd8b436e95ee4c1b33e7122a
2018-06-07T03:57:29.946Z e5bce5d3-6a06-11e8-ae7c-c93bc444d725 { AccessDeniedException: User: arn:aws:sts::386309702278:assumed-role/notes-app-api-prod-us-east-2-lambdaRole/notes-app-api-prod-create is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-2:386309702278:table/notes
at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:48:27)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request. (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
at Request. (/var/runtime/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
message: ‘User: arn:aws:sts::386309702278:assumed-role/notes-app-api-prod-us-east-2-lambdaRole/notes-app-api-prod-create is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-2:386309702278:table/notes’,
code: ‘AccessDeniedException’,
time: 2018-06-07T03:57:29.945Z,
requestId: ‘ALOKGMHC8VD1DGBDMTAJ146SNRVV4KQNSO5AEMVJF66Q9ASUAAJG’,
statusCode: 400,
retryable: false,
retryDelay: 35.35319988644893 }

Any suggestions on what this error is coming up?

notes-app-api-prod-create is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-2:386309702278:table/notes at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:48:27)

Gavmastaphlex · June 11, 2018, 11:18pm

I’ve compared the dynamodbtable details with the serverless.yml file and it seems like it should be okay:

KedarPandhare · June 13, 2018, 5:05pm

I am facing the same error. I have the same code as in the serverless.yml, but still I am getting an error which says " the user is not authorized to perform: dynamodb:PutItem. Is there any solution for this?

HarryChaplain · June 13, 2018, 7:39pm

Im getting a similar error to a few people.
message: ‘User: arn:aws:sts::640390173836:assumed-role/harry-app-api-prod-eu-west-2-lambdaRole/harry-app-api-prod-create is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:eu-west-2:640390173836:table/notes’,
code: ‘AccessDeniedException’,

interestingly one of the comments shows user pool that looks a bit different to mine. Mine looks like this:

I dont think it is my code syntax but it can all be found on my github

jayair · June 13, 2018, 11:09pm

@HarryChaplain Thanks for linking to your repo.

@Gavmastaphlex Thanks for tracking it down.

@KedarPandhare Thanks for reporting.

It seems like a few people are having the exact same issue though nothing has changed on our end. Which version of Serverless are you guys using? I need to try and replicate this.

Gavmastaphlex · June 13, 2018, 11:26pm

From package.json:

“serverless-offline”: “^3.20.3”,
“serverless-webpack”: “^5.1.0”,

jayair · June 13, 2018, 11:37pm

Also run serverless -v in your terminal.

Gavmastaphlex · June 13, 2018, 11:39pm

That results in:

KedarPandhare · June 14, 2018, 1:25am

For me the serverless version is 1.26.1

KedarPandhare · June 14, 2018, 2:03am

@Gavmastaphlex @jayair I found the issue. If you look at this link, you can see that the assumed role(in our case arn:aws:iam::7XXXXXXXXX:role/notes-app-api-prod-us-east-1-lambdaRole) doesn’t have full access to perform an DynamodB table operations.

The link I specified has the explanation that the assumed role should have full access(Admin access) to make the calls to the DynamoDb table. So, I added AdministratorAccess role to our assumed lambda role and then ran the sls deploy. Once deployed I executed the commands –
npx aws-api-gateway-cli-test
–username=‘admin@example.com’
–password=‘Passw0rd!’
–user-pool-id=‘YOUR_COGNITO_USER_POOL_ID’
–app-client-id=‘YOUR_COGNITO_APP_CLIENT_ID’
–cognito-region=‘YOUR_COGNITO_REGION’
–identity-pool-id=‘YOUR_IDENTITY_POOL_ID’
–invoke-url=‘YOUR_API_GATEWAY_URL’
–api-gateway-region=‘YOUR_API_GATEWAY_REGION’
–path-template=’/notes’
–method=‘POST’
–body=’{“content”:“hello world”,“attachment”:“hello.jpg”}’ and i got the result that was expected in the chapter.

KedarPandhare · June 14, 2018, 2:10am

@Gavmastaphlex Attach the Administrator Access policy to the assumed lambda role and then run sls deploy and execute the commands mentioned in the chapter. I think that should work.

HarryChaplain · June 14, 2018, 7:13am

I am running 1.27.3

@Gavmastaphlex im not sure what you mean or how I would do what you are asking. Have you got a screenshot?

HarryChaplain · June 14, 2018, 12:56pm

To save people going down rabbit holes…

I completely restarted the tutorial from scratch and got it working. I didn’t manage to find exactly where I made a mistake but my best guess would be I copied over one of the keys incorrectly.

jayair · June 14, 2018, 5:11pm

@HarryChaplain I took a look at your repo. The iamRoleStatements block is not indented correctly.

github.com

HarryChaplain/harry-app-api/blob/master/serverless.yml#L28


runtime: nodejs8.10
stage: prod
region: eu-west-2
# To load environment variables externally
# rename env.example to env.yml and uncomment
# the following line. Also, make sure to not
# commit your env.yml.
#
#environment: ${file(env.yml):${self:provider.stage}}


iamRoleStatements:
  - Effect: Allow
    Action:
      - dynamodb:DescribeTable
      - dynamodb:Query
      - dynamodb:Scan
      - dynamodb:GetItem
      - dynamodb:PutItem
      - dynamodb:UpdateItem
      - dynamodb:DeleteItem
    Resource: "arn:aws:dynamodb:eu-west-2:*:*"

You can compare it to the one from the repo here:

github.com

AnomalyInnovations/serverless-stack-demo-api/blob/add-a-delete-note-api/serverless.yml#L23


  includeModules: true


provider:
name: aws
runtime: nodejs8.10
stage: prod
region: us-east-1


# 'iamRoleStatement' defines the permission policy for the Lambda function.
# In this case Lambda functions are granted with permissions to access DynamoDB.
iamRoleStatements:
  - Effect: Allow
    Action:
      - dynamodb:DescribeTable
      - dynamodb:Query
      - dynamodb:Scan
      - dynamodb:GetItem
      - dynamodb:PutItem
      - dynamodb:UpdateItem
      - dynamodb:DeleteItem
    Resource: "arn:aws:dynamodb:us-east-1:*:*"

@Gavmastaphlex @KedarPandhare I would double check the same for you guys as well.

KedarPandhare · June 14, 2018, 5:26pm

@jayair I got it working. Just added AdministratorAccess role to assumed Lambda role and it worked for me.

jayair · June 14, 2018, 10:47pm

That does work but it isn’t great for security. Maybe once you complete the tutorial you can revisit this.

Kalmuraee · June 17, 2018, 5:09pm

I’m getting the following error

npx: installed 103 in 11.638s
Authenticating with User Pool
Getting temporary credentials
Making API request
{ status: 403,
  statusText: 'Forbidden',
  data: 
   { message: 'Credential should be scoped to a valid region, not \'eu-cerntral-1\'. ' } }

It would be better to have this tutorial on postman .

hosmer · June 17, 2018, 10:08pm

@jayair I am getting following error, please look into it:
Token is not from a supported provider of this identity pool.

Topic		Replies	Views
Test the Configured APIs Chapter Comments	54	7551	June 26, 2021
Deploy the APIs Chapter Comments	117	10576	May 15, 2021
Debugging Serverless API Issues Chapter Comments	34	5015	August 8, 2018
Add a Create Note API Chapter Comments	251	17491	May 15, 2021
Connect to API Gateway with IAM Auth Chapter Comments	36	1942	May 9, 2018

Comments for Test the APIs

Related topics