From @jayair on Fri Oct 06 2017 22:39:26 GMT+0000 (UTC)
Link to chapter - https://serverless-stack.com/chapters/debugging-serverless-api-issues.html
Copied from original issue: https://github.com/AnomalyInnovations/serverless-stack-com/issues/147
From @hollyewhite on Wed Nov 08 2017 17:13:38 GMT+0000 (UTC)
Hi there!
Question for you. Might be a newbie one -
When I try to invoke the role in the policy simulator, I don't have the same options as you. Here's what I have: https://screencast.com/t/izAbP7wm Any idea why?
Trying to troubleshoot a status 403!
Thanks in advance!
-Holly
From @jayair on Thu Nov 09 2017 18:40:19 GMT+0000 (UTC)
@hollyewhite Yeah it looks like they've changed the interface a bit. But I tried it just now with the same instructions in the tutorial and it worked.
We'll update the screenshots soon. But let me know if this doesn't work for you.
From @jayair on Fri Nov 10 2017 00:50:07 GMT+0000 (UTC)
@hollyewhite Just updated the screenshots - https://github.com/AnomalyInnovations/serverless-stack-com/commit/02bb75eeb579f36397bd2402cc7f21e7295ff1ce
From @hollyewhite on Fri Nov 10 2017 00:56:35 GMT+0000 (UTC)
Thank you @jayair! I appreciate it. I ended up having a credential issue. There are so many! I might hit you up for more questions though. This is my first time building a serverless app and honestly, I don't know how I would have figured it out without this tutorial. You're a rockstar.
From @l0rdr4t on Sun Nov 19 2017 05:47:01 GMT+0000 (UTC)
I'm currently walking through this tutorial (awesome work, by the way). My apig-test was throwing a "403 Forbidden":
Message: 'User: arn:aws:sts::123456789012:assumed-role/Cognito_testAuth_Role/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:ap-southeast-2:********5495:a1b2c3d4e5/prod/POST/notes' }
I had to edit the Cognito Auth_Role policy and add the ExecuteAPI service - this made the API start working, and now I'm wondering if I did something wrong or a step is missing from the Role creation?
From @jayair on Wed Nov 22 2017 18:17:29 GMT+0000 (UTC)
@l0rdr4t In this chapter - https://serverless-stack.com/chapters/create-a-cognito-identity-pool.html we add a line to the auth role. Is that the one you had to do?
From @l0rdr4t on Thu Nov 23 2017 16:10:54 GMT+0000 (UTC)
@jayair Thanks for the reply, and yes - now I know where I went wrong; user error and not the documentation!
In my project, the end user won't be uploading documents to an S3 bucket. I intentionally left out the Policy Action s3:* but accidentally left out Policy Action execute-api:Invoke, which was in the same code block.
From @jayair on Sun Nov 26 2017 18:22:13 GMT+0000 (UTC)
@l0rdr4t Thanks for reporting back!
From @nuyulcore on Wed Mar 28 2018 11:45:37 GMT+0000 (UTC)
Hello, I got this message when I try to add a new note.
"No credentials" Everybody know how to solve it?
From @jayair on Wed Mar 28 2018 15:10:54 GMT+0000 (UTC)
@mbahfauz Can I see the full error?
I stop at the "Test the API" because the error came from executing the following statement.
Making API request
{ status: 403,
statusText: 'Forbidden',
data: { Message: 'User: arn:aws:sts::********4193:assumed-role/Cognito_notesidentitypoolAuth_Role/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:********4193:*******j67/dev/POST/notes' } }
Then I followed the "Debugging the Serverless API issues". I start the IAM Policy Simulator, I got this error message: Implicitly denied (no matching statements). This is the ARN "arn:aws:executeapi:us-east-1:*:*******j67/*". The *******j67 comes from "POST - https://*******j67.execute-api.us-east-1.amazonaws.com/dev/notes".
This is the warning from Execute API "You chose actions that require the execute-api-general resource type" and from Resource "One or more actions may not support this resource."
Thanks for the help,
James
Can you make sure that this block has been added properly?
{
  "Effect": "Allow",
  "Action": [
    "execute-api:Invoke"
  ],
  "Resource": [
    "arn:aws:execute-api:YOUR_API_GATEWAY_REGION:*:YOUR_API_GATEWAY_ID/*"
  ]
}
This is a part of this chapter - https://serverless-stack.com/chapters/create-a-cognito-identity-pool.html.
I copy from the instructions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*",
        "cognito-identity:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::notes-upload-16/private/${cognito-identity.amazonaws.com:sub}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": [
        "arn:aws:executeapi:us-east-1:*:*******j67/*"
      ]
    }
  ]
}
You might be missing a hyphen here executeapi. It should be execute-api.
Yes. It's worked now. The return status is 200.
Thanks for the help,
James
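The implicit deny in the exchange above, reproduced as an added example (not code from the tutorial or from any poster): a simplified Allow-only evaluator shows why the `executeapi` resource never matches the request ARN, and a small lint flags statements whose Resource ARN names a different service than the Action prefix. The account ID, API ID and function names are constructed for illustration; Deny statements, Conditions and policy variables are ignored.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def is_allowed(policy, action, resource_arn):
    """Simplified model: True if any Allow statement matches both the
    action and the resource. No Deny/Condition handling (assumption)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_hit = any(fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource_arn, r)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            return True
    return False  # implicit deny: no matching statement

def service_mismatches(policy):
    """Flag statements whose Resource ARN service segment is not among
    the service prefixes used in Action (e.g. executeapi vs execute-api)."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        prefixes = {a.split(":", 1)[0].lower()
                    for a in _as_list(stmt["Action"]) if ":" in a}
        for res in _as_list(stmt["Resource"]):
            parts = res.split(":")
            if len(parts) < 6 or parts[0] != "arn":
                continue  # "*" or non-ARN resource: nothing to compare
            if prefixes and parts[2] not in prefixes:
                findings.append((i, parts[2], sorted(prefixes)))
    return findings

def make_policy(resource):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["execute-api:Invoke"],
         "Resource": [resource]}]}

# Constructed sample values: account ID and API ID are placeholders.
REQUEST_ARN = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/dev/POST/notes"
BROKEN = make_policy("arn:aws:executeapi:us-east-1:*:a1b2c3d4e5/*")
FIXED = make_policy("arn:aws:execute-api:us-east-1:*:a1b2c3d4e5/*")

if __name__ == "__main__":
    for name, pol in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, is_allowed(pol, "execute-api:Invoke", REQUEST_ARN),
              service_mismatches(pol))
```
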
Hello. Basically I followed the guide step by step and when I reached the Create Note page chapter, the response to clicking the Create Button is an alert box saying "Error: Network Error", in console it says:
"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://vipxx07lin.execute-api.us-east-2.amazonaws.com/prod/notes. (Reason: CORS header 'Access-Control-Allow-Origin' missing)."
I was advised by Jay to enable logging in Cloudwatch. Followed this guide:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html
After the guide, waited a few minutes, recreated the error but in Cloudwatch I can't see any new logs. Please help and please specify detailed instructions for logging if necessary.
Sorry I should have been more specific. You need to enable API Gateway and Lambda logs. Not sure if you've done that yet.
Thanks for the answer Jay. Yes I have enabled Cloudwatch logging of both. I went to
IAM > Roles > APIGatewayCloudWatchLogs,
IAM > Roles > notes-app-api-prod-us-east-2-lambdaRole
then to permissions tab and JSON button. Both have this block:
{
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogStreams"
  ],
  "Resource": [
    "arn:aws:logs:::*"
  ]
}
I see. In that case let's do a quick check. Can you post your serverless.yml here?

