Debugging Serverless API Issues

From @jayair on Fri Oct 06 2017 22:39:26 GMT+0000 (UTC)

Link to chapter - https://serverless-stack.com/chapters/debugging-serverless-api-issues.html

Copied from original issue: https://github.com/AnomalyInnovations/serverless-stack-com/issues/147

From @hollyewhite on Wed Nov 08 2017 17:13:38 GMT+0000 (UTC)

Hi there!

Question for you. Might be a newbie one -

When I try to invoke the role in the policy simulator, I don’t have the same options as you. Here’s what I have: https://screencast.com/t/izAbP7wm Any idea why?

Trying to troubleshoot a status 403!

Thanks in advance!
-Holly

From @jayair on Thu Nov 09 2017 18:40:19 GMT+0000 (UTC)

@hollyewhite Yeah it looks like they’ve changed the interface a bit. But I tried it just now with the same instructions in the tutorial and it worked.

We’ll update the screenshots soon. But let me know if this doesn’t work for you.

From @jayair on Fri Nov 10 2017 00:50:07 GMT+0000 (UTC)

@hollyewhite Just updated the screenshots - https://github.com/AnomalyInnovations/serverless-stack-com/commit/02bb75eeb579f36397bd2402cc7f21e7295ff1ce

From @hollyewhite on Fri Nov 10 2017 00:56:35 GMT+0000 (UTC)

Thank you @jayair! I appreciate it. I ended up having a credential issue. There are so many! I might hit you up for more questions though. This is my first time building a serverless app and honestly, I don’t know how I would have figured it out without this tutorial. You’re a rockstar.

From @l0rdr4t on Sun Nov 19 2017 05:47:01 GMT+0000 (UTC)

I’m currently walking through this tutorial (awesome work, by the way). My apig-test was throwing a “403 Forbidden”:

Message: 'User: arn:aws:sts::123456789012:assumed-role/Cognito_testAuth_Role/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:ap-southeast-2:********5495:a1b2c3d4e5/prod/POST/notes' }

I had to edit the Cognito Auth_Role policy and add the ExecuteAPI service – this made the API start working, and now I’m wondering if I did something wrong or a step is missing from the Role creation?

From @jayair on Wed Nov 22 2017 18:17:29 GMT+0000 (UTC)

@l0rdr4t In this chapter - https://serverless-stack.com/chapters/create-a-cognito-identity-pool.html we add a line to the auth role. Is that the one you had to do?

From @l0rdr4t on Thu Nov 23 2017 16:10:54 GMT+0000 (UTC)

@jayair Thanks for the reply, and yes – now I know where I went wrong; user error and not the documentation!

In my project, the end user won’t be uploading documents to an S3 bucket. I intentionally left out the Policy Action s3:* but accidentally left out Policy Action execute-api:Invoke, which was in the same code block.

From @jayair on Sun Nov 26 2017 18:22:13 GMT+0000 (UTC)

@l0rdr4t Thanks for reporting back!

From @nuyulcore on Wed Mar 28 2018 11:45:37 GMT+0000 (UTC)

Hello, I got this message when I try to add a new note:
“No credentials”. Does anybody know how to solve it?

From @jayair on Wed Mar 28 2018 15:10:54 GMT+0000 (UTC)

@mbahfauz Can I see the full error?

I stopped at “Test the API” because the error came from executing the following statement.

Making API request
{ status: 403,
  statusText: 'Forbidden',
  data: { Message: 'User: arn:aws:sts::********4193:assumed-role/Cognito_notesidentitypoolAuth_Role/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:********4193:*******j67/dev/POST/notes' } }

Then I followed “Debugging the Serverless API issues”. I started the IAM Policy Simulator and got this error message: Implicitly denied (no matching statements). This is the ARN: "arn:aws:executeapi:us-east-1:*:*******j67/*". The *******j67 comes from "POST - https://*******j67.execute-api.us-east-1.amazonaws.com/dev/notes".

This is the warning from Execute API: "You chose actions that require the execute-api-general resource type" and from Resource: "One or more actions may not support this resource.".

Thanks for the help,

James

Can you make sure that this block has been added properly?

{
  "Effect": "Allow",
  "Action": [
    "execute-api:Invoke"
  ],
  "Resource": [
    "arn:aws:execute-api:YOUR_API_GATEWAY_REGION:*:YOUR_API_GATEWAY_ID/*"
  ]
}

This is a part of this chapter - https://serverless-stack.com/chapters/create-a-cognito-identity-pool.html.

I copied from the instructions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*",
                "cognito-identity:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::notes-upload-16/private/${cognito-identity.amazonaws.com:sub}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": [
                "arn:aws:executeapi:us-east-1:*:*******j67/*"
            ]
        }
    ]
}

You might be missing a hyphen here executeapi. It should be execute-api.

Yes. It’s working now. The return status is 200.

Thanks for the help,

James

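Added example (not part of the original thread or the tutorial's code): a small offline check that reproduces the Policy Simulator's "Implicitly denied (no matching statements)" result for both causes seen above, a missing `execute-api:Invoke` statement and a misspelled service segment in the Resource ARN. The function names, account ID and API ID are constructed for illustration, and the evaluation is deliberately simplified.

```javascript
// Simplified stand-in for the IAM Policy Simulator: Effect/Action/Resource with
// * and ? wildcards only (no Condition, NotAction, NotResource or variables).
const asList = (v) => (Array.isArray(v) ? v : [v]);

// Turn an IAM wildcard pattern into an anchored regular expression.
function wildcard(pattern, ignoreCase) {
  const body = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${body}$`, ignoreCase ? "i" : "");
}

function evaluate(policy, action, resource) {
  let decision = "implicitDeny";
  const hints = [];
  for (const st of policy.Statement) {
    // Action names match case-insensitively, resource ARNs case-sensitively.
    const actionHit = asList(st.Action).some((a) => wildcard(a, true).test(action));
    const resourceHit = asList(st.Resource).some((r) => wildcard(r, false).test(resource));
    if (actionHit && resourceHit) {
      if (st.Effect === "Deny") return { decision: "explicitDeny", hints };
      decision = "allowed";
    } else if (actionHit) {
      // The action matched but no Resource did: flag ARNs whose service segment
      // differs from the action's prefix (executeapi vs execute-api).
      const service = action.split(":")[0];
      for (const r of asList(st.Resource)) {
        const arnService = r.split(":")[2];
        if (r !== "*" && arnService !== service) {
          hints.push(`Resource "${r}" names service "${arnService}", expected "${service}"`);
        }
      }
    }
  }
  return { decision, hints };
}

// Constructed sample values, not taken from a real account.
const target = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/dev/POST/notes";
const policyWith = (resource) => ({
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["execute-api:Invoke"], Resource: [resource] }],
});
const misspelled = policyWith("arn:aws:executeapi:us-east-1:*:a1b2c3d4e5/*");
const corrected = policyWith("arn:aws:execute-api:us-east-1:*:a1b2c3d4e5/*");

console.log(evaluate(misspelled, "execute-api:Invoke", target)); // implicitDeny plus a hint
console.log(evaluate(corrected, "execute-api:Invoke", target)); // allowed
```

Running it against the auth role's policy document before deploying catches the typo without a round trip through the 403 response.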

Hello. Basically I followed the guide step by step and when I reached the Create Note page chapter, the response to clicking the Create Button is an alert box saying “Error: Network Error”, in console it says:
“Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://vipxx07lin.execute-api.us-east-2.amazonaws.com/prod/notes. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).”.
I was advised by Jay to enable logging in CloudWatch. Followed this guide:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html
After the guide, waited a few minutes, recreated the error but in CloudWatch I can’t see any new logs. Please help and please specify detailed instructions for logging if necessary.

Sorry I should have been more specific. You need to enable API Gateway and Lambda logs. Not sure if you’ve done that yet.

Thanks for the answer Jay. Yes I have enabled CloudWatch logging of both. I went to
IAM > Roles > APIGatewayCloudWatchLogs,
IAM > Roles > notes-app-api-prod-us-east-2-lambdaRole
then to the permissions tab and the JSON button. Both have this block:

{
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogStreams"
  ],
  "Resource": [
    "arn:aws:logs:::*"
  ]
}

I see. In that case let’s do a quick check. Can you post your serverless.yml here?