Open HAK-CODE opened 2 years ago
Thanks for raising this issue @HAK-CODE
I do confirm this behavior locally, that SAM CLI doesn't resolve AWS::Region and AWS::AccountId correctly. It is using some pre-defined fields in here.
You can set the correct region by setting the AWS_REGION environment variable, but there is no way to do the same thing with AccountId.
I will tag this as a feature request and it will be prioritized later. In the meantime, I can recommend using sam sync to test your lambda functions in the cloud. Since it will be deployed, these parameters should be resolved and you shouldn't face this issue. Any feedback about sam sync is greatly appreciated.
Thanks!
Hi @mndeveci,
Thanks for your response. Could you please check and confirm, as I set AWS_REGION in my environment variable as us-east-2 but still it is set as us-east-1
botocore.errorfactory.InvalidParameterValueException: An error occurred (InvalidParameterValueException) when calling the GetLayerVersion operation: Invalid Layer name: arn:aws:lambda:us-east-1:017000801446:layer:AWSLambdaPowertoolsPython
Command stopped: "sam local invoke"
2022-09-10 11:34:26 [ERROR]: Failed to run SAM application locally: "sam local invoke" command stopped (error code: 1)
For what it's worth, I'm also getting this issue. Specifically I'm trying to invoke one lambda from another using sam local invoke but getting the same error:
User: arn:aws:iam::[ACCOUNT_ID]:user/[USERNAME] is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:eu-west-2:123456789012:function:meshii-mine-token because no resource-based policy allows the lambda:InvokeFunction action.
Defining a policy in template.yml with wildcards for actions and resources has no effect. Even granting a policy/role to my default user with the correct permissions has no effect.
I'm assuming it's an issue with the assigned default account ID when using local invoke – it doesn't seem like changing 123456789012 to anything else is possible.
Have seen a similar issue in sam build when building a lambda container. The SAM template has AWS::AccountId inside it, which I am passing to docker as an argument as I need it in the Dockerfile. Always get 123456789012 even when --profile is set.
What I've noticed is that you need to use !Sub when you use such variables, so instead of using
AcmCertificateArn: arn:aws:acm:${AWS::Region}:${AWS::AccountId}:certificate/11cc0ad5-02f2-33da-9e73-a4a64dd350c9
You need to use
AcmCertificateArn: !Sub arn:aws:acm:${AWS::Region}:${AWS::AccountId}:certificate/11cc0ad5-02f2-33da-9e73-a4a64dd350c9
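An added example (not part of this thread and not SAM CLI code): a line-based audit that lists every template line referencing ${AWS::Region} or ${AWS::AccountId}, reports whether it is wrapped in !Sub or Fn::Sub, and shows how the value expands with the placeholder region and account seen in the errors above versus the real ones. The sample template, the account ID 111122223333 and the function names are constructed for illustration.

```python
import re

# Pseudo parameters discussed in this thread.
PSEUDO = re.compile(r"\$\{AWS::(Region|AccountId)\}")
# Placeholder values that show up in the thread's local-run error messages.
LOCAL_DEFAULTS = {"Region": "us-east-1", "AccountId": "123456789012"}
SUB_MARKERS = ("!Sub", "Fn::Sub")

# Constructed sample template (not from the issue).
SAMPLE = """\
Resources:
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      Layers:
        - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:layer:common-layer:1
      Environment:
        Variables:
          CERT: arn:aws:acm:${AWS::Region}:${AWS::AccountId}:certificate/EXAMPLE
"""


def resolve(value, mapping):
    """Expand ${AWS::Region} and ${AWS::AccountId} from the given mapping."""
    return PSEUDO.sub(lambda m: mapping[m.group(1)], value)


def audit(template_text, region, account_id):
    """Heuristic, line-based audit; it does not parse YAML."""
    real = {"Region": region, "AccountId": account_id}
    findings, prev = [], ""
    for lineno, line in enumerate(template_text.splitlines(), start=1):
        if PSEUDO.search(line):
            # The whitespace-delimited word that holds the reference.
            token = next(w for w in line.split() if PSEUDO.search(w)).strip("\"'")
            # Without Fn::Sub the ${...} text is a literal string, not a reference.
            wrapped = (any(m in line for m in SUB_MARKERS)
                       or prev.rstrip().endswith("Fn::Sub:"))
            local, deployed = resolve(token, LOCAL_DEFAULTS), resolve(token, real)
            findings.append({"line": lineno, "wrapped_in_sub": wrapped,
                             "local": local, "deployed": deployed,
                             "differs": local != deployed})
        if line.strip():
            prev = line
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, "us-east-2", "111122223333"):
        print(finding)
```

For a line that is not wrapped, the two expansions show what the value would become once !Sub is added; as written, the ${...} text stays literal.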
Thanks, Sub works on a deploy but not on a build
I am trying sam local invoke with terraform. Neither adding "--region=us-west-2", nor "export AWS_REGION=us-west-2" made any difference in the outcome.
I still get:
Error: An error occurred (InvalidParameterValueException) when calling the GetLayerVersion operation: Invalid Layer name: arn:aws:lambda:
I'm getting a similar error, but it's due to having Lambda Insights turned on, apparently. Error: An error occurred (InvalidParameterValueException) when calling the GetLayerVersion operation: Invalid Layer name: arn:aws:lambda:us-east-1:580247275435:layer:LambdaInsightsExtension
I'm actually running this stack in us-west-2, but this region and account number seem to be coming from enabling Lambda Insights, so I'm guessing that's an AWS internal account/region deployment thing.
I confirmed the insights setting is the culprit. If I comment out this line in my Lambda CDK construct, the sam local invoke works.
Is there any advice for using SAM local invoke with Lambda insights enabled? I suppose turning it off for dev is not the end of the world, but it would be nice to not have this setting be compatible with local testing.
Environment
Detail Description
I have a Python SAM application whose template is defined here
It is deployed and running on cloud, but I wanted to test it locally, for which I use this command
Default profile is set with AWS Admin access but when I run this I get this
One thing to notice is
arn:aws:lambda:us-east-1:123456789012:layer:common-layer
though my AWS profile and config point to us-east-2
and the account is also a dummy. Then I tried to hard-code this (btw this layer is already deployed on cloud) but still no success. Am I making any mistake? Can we overwrite pseudo-parameters like ${AWS::AccountId}?