Debugging Serverless API Issues


#1

From @jayair on Fri Oct 06 2017 22:39:26 GMT+0000 (UTC)

Link to chapter - https://serverless-stack.com/chapters/debugging-serverless-api-issues.html

Copied from original issue: https://github.com/AnomalyInnovations/serverless-stack-com/issues/147


#2

From @hollyewhite on Wed Nov 08 2017 17:13:38 GMT+0000 (UTC)

Hi there!

Question for you. Might be a newbie one -

When I try to invoke the role in the policy simulator, I don’t have the same options as you. Here’s what I have: https://screencast.com/t/izAbP7wm Any idea why?

Trying to troubleshoot a status 403!

Thanks in advance!
-Holly


#3

From @jayair on Thu Nov 09 2017 18:40:19 GMT+0000 (UTC)

@hollyewhite Yeah it looks like they’ve changed the interface a bit. But I tried it just now with the same instructions in the tutorial and it worked.

We’ll update the screenshots soon. But let me know if this doesn’t work for you.


#4

From @jayair on Fri Nov 10 2017 00:50:07 GMT+0000 (UTC)

@hollyewhite Just updated the screenshots - https://github.com/AnomalyInnovations/serverless-stack-com/commit/02bb75eeb579f36397bd2402cc7f21e7295ff1ce


#5

From @hollyewhite on Fri Nov 10 2017 00:56:35 GMT+0000 (UTC)

Thank you @jayair! I appreciate it. I ended up having a credential issue. There are so many! I might hit you up for more questions though. This is my first time building a serverless app and honestly, I don’t know how I would have figured it out without this tutorial. You’re a rockstar.


#6

From @l0rdr4t on Sun Nov 19 2017 05:47:01 GMT+0000 (UTC)

I’m currently walking through this tutorial (awesome work, by the way). My apig-test was throwing a “403 Forbidden”:

Message: 'User: arn:aws:sts::123456789012:assumed-role/Cognito_testAuth_Role/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:ap-southeast-2:********5495:a1b2c3d4e5/prod/POST/notes' }

I had to edit the Cognito Auth_Role policy and add the ExecuteAPI service – this made the API start working, and now I’m wondering if I did something wrong or a step is missing from the Role creation?


#7

From @jayair on Wed Nov 22 2017 18:17:29 GMT+0000 (UTC)

@l0rdr4t In this chapter - https://serverless-stack.com/chapters/create-a-cognito-identity-pool.html we add a line to the auth role. Is that the one you had to do?


#8

From @l0rdr4t on Thu Nov 23 2017 16:10:54 GMT+0000 (UTC)

@jayair Thanks for the reply, and yes – now I know where I went wrong; user error and not the documentation!

In my project, the end user won’t be uploading documents to an S3 bucket. I intentionally left out the Policy Action s3:* but accidentally left out Policy Action execute-api:Invoke, which was in the same code block.


#9

From @jayair on Sun Nov 26 2017 18:22:13 GMT+0000 (UTC)

@l0rdr4t Thanks for reporting back!


#10

From @nuyulcore on Wed Mar 28 2018 11:45:37 GMT+0000 (UTC)

Hello, I got this message when I try to add a new note:
“No credentials”. Anybody know how to solve it?


#11

From @jayair on Wed Mar 28 2018 15:10:54 GMT+0000 (UTC)

@mbahfauz Can I see the full error?


#12

I stopped at “Test the API” because an error came from executing the following statement.

Making API request
{ status: 403,
  statusText: 'Forbidden',
  data: { Message: 'User: arn:aws:sts::********4193:assumed-role/Cognito_notesidentitypoolAuth_Role/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:********4193:*******j67/dev/POST/notes' } }

Then I followed “Debugging Serverless API Issues”. I started the IAM Policy Simulator and got this error message: Implicitly denied (no matching statements). This is the ARN: "arn:aws:executeapi:us-east-1:*:*******j67/*". The *******j67 comes from "POST - https://*******j67.execute-api.us-east-1.amazonaws.com/dev/notes".

This is the warning from Execute API: "You chose actions that require the execute-api-general resource type" and from Resource: "One or more actions may not support this resource."

Thanks for the help,

James


#13

Can you make sure that this block has been added properly:

{
  "Effect": "Allow",
  "Action": [
    "execute-api:Invoke"
  ],
  "Resource": [
    "arn:aws:execute-api:YOUR_API_GATEWAY_REGION:*:YOUR_API_GATEWAY_ID/*"
  ]
}

This is a part of this chapter - https://serverless-stack.com/chapters/create-a-cognito-identity-pool.html.


#14

I copied it from the instructions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*",
                "cognito-identity:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::notes-upload-16/private/${cognito-identity.amazonaws.com:sub}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": [
                "arn:aws:executeapi:us-east-1:*:*******j67/*"
            ]
        }
    ]
}

#15

You might be missing a hyphen here: executeapi. It should be execute-api.


#16

Yes. It works now. The return status is 200.

Thanks for the help,

James
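
The failure in posts #12 to #16, as an added example that is not part of the original thread or the tutorial: an offline check that flags a Resource ARN whose service namespace matches none of the statement's Action prefixes, plus a simplified evaluation showing why the typo ends in an implicit deny. The API ID `a1b2c3d4e5`, the account ID and all function names are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: the execute-api statement as posted in the thread (typo
# included) plus an S3 statement. API ID and account ID are placeholders.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::notes-upload-16/private/*"]},
        {"Effect": "Allow", "Action": ["execute-api:Invoke"],
         "Resource": ["arn:aws:executeapi:us-east-1:*:a1b2c3d4e5/*"]},
    ],
}
REQUEST = ("execute-api:Invoke",
           "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/dev/POST/notes")

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def lint_namespaces(policy):
    """Heuristic: flag Resource ARNs whose service field matches no Action prefix."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        prefixes = {a.split(":")[0].lower() for a in as_list(stmt["Action"])}
        for res in as_list(stmt["Resource"]):
            parts = res.split(":")
            svc = parts[2] if len(parts) >= 6 else None  # None for a bare "*"
            if svc and "*" not in svc and "*" not in prefixes and svc not in prefixes:
                findings.append((i, svc, sorted(prefixes)))
    return findings

def evaluate(policy, action, resource):
    """Simplified: explicit Deny wins, then Allow, else implicit deny (no Conditions)."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        hit_a = any(fnmatchcase(action.lower(), a.lower()) for a in as_list(stmt["Action"]))
        hit_r = any(fnmatchcase(resource, r) for r in as_list(stmt["Resource"]))
        if hit_a and hit_r:
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allowed"
    return decision

def with_fixed_namespace(policy):
    # Copy of the policy with the thread's typo corrected.
    return json.loads(json.dumps(policy).replace(":executeapi:", ":execute-api:"))

if __name__ == "__main__":
    print(lint_namespaces(POLICY), evaluate(POLICY, *REQUEST))
    print(evaluate(with_fixed_namespace(POLICY), *REQUEST))
```

The lint is a heuristic, since a statement can legitimately mix services; the evaluation ignores conditions, NotAction/NotResource and policy variables.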


#17

Hello. Basically I followed the guide step by step and when I reached the Create Note page chapter, the response to clicking the Create Button is an alert box saying “Error: Network Error”, in the console it says:
“Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://vipxx07lin.execute-api.us-east-2.amazonaws.com/prod/notes. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).”.
I was advised by Jay to enable logging in CloudWatch. Followed this guide:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html
After the guide, waited a few minutes, recreated the error but in CloudWatch I can’t see any new logs. Please help and please specify detailed instructions for logging if necessary.


#18

Sorry I should have been more specific. You need to enable API Gateway and Lambda logs. Not sure if you’ve done that yet.


#19

Thanks for the answer Jay. Yes I have enabled CloudWatch logging of both. I went to
IAM > Roles > APIGatewayCloudWatchLogs,
IAM > Roles > notes-app-api-prod-us-east-2-lambdaRole
then to the permissions tab and the JSON button. Both have this block:

{
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogStreams"
  ],
  "Resource": [
    "arn:aws:logs:::*"
  ]
}


#20

I see. In that case let’s do a quick check. Can you post your serverless.yml here?