aws / aws-sam-cli

CLI tool to build, test, debug, and deploy Serverless applications using AWS SAM
https://aws.amazon.com/serverless/sam/
Apache License 2.0

sam local start-lambda with cfn test in Bitbucket pipeline networking error #5391

Open seanmyath opened 1 year ago

seanmyath commented 1 year ago

Description:

Running sam local start-lambda in a Bitbucket pipeline to then run cfn test for my CloudFormation hooks. I am trying to test the hooks before deploying.

Have tried all combinations of the following flags:

Steps to reproduce:

Have a valid CloudFormation hook.

Bitbucket pipeline:

# Prep pipeline
yum update -y &&
yum install -y jq curl unzip git &&
cd hooks/s3-block-public-access/ &&
pip install awscli aws-sam-cli pipenv
pipenv install git+https://github.com/aws-cloudformation/aws-cloudformation-rpdk-python-plugin.git#egg=cloudformation-cli-python-plugin &&

pipenv run cfn submit --dry-run --region [MY REGION] --role-arn "$MYROLE"

Then, main commands:

Observed result:

+ nohup sam local start-lambda --debug --host 0.0.0.0 -l /sam-background.log > /sam-background-all.log &

+ pipenv run cfn test -v --region ap-southeast-2 || echo "sam log------>" && cat /sam-background.log && echo "sam log2------>" && cat /sam-background-all.log
2023-06-21 12:38:47,527 | Config file location: /opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/samconfig.toml
2023-06-21 12:38:47,527 | Config file '/opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/samconfig.toml' does not exist
2023-06-21 12:38:47,534 | Using SAM Template at /opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/template.yml
2023-06-21 12:38:47,560 | Using config file: samconfig.toml, config environment: default
2023-06-21 12:38:47,560 | Expand command line arguments to:
2023-06-21 12:38:47,560 | --template_file=/opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/template.yml --host=0.0.0.0 --log_file=/sam-background.log --port=3001 --layer_cache_basedir=/root/.aws-sam/layers-pkg --container_host=localhost --container_host_interface=127.0.0.1 
2023-06-21 12:38:47,656 | local start_lambda command is called
2023-06-21 12:38:47,660 | No Parameters detected in the template
2023-06-21 12:38:47,692 | There is no customer defined id or cdk path defined for resource TypeFunction, so we will use the resource logical id as the resource id
2023-06-21 12:38:47,692 | There is no customer defined id or cdk path defined for resource TestEntrypoint, so we will use the resource logical id as the resource id
2023-06-21 12:38:47,692 | 0 stacks found in the template
2023-06-21 12:38:47,692 | No Parameters detected in the template
2023-06-21 12:38:47,716 | There is no customer defined id or cdk path defined for resource TypeFunction, so we will use the resource logical id as the resource id
2023-06-21 12:38:47,717 | There is no customer defined id or cdk path defined for resource TestEntrypoint, so we will use the resource logical id as the resource id
2023-06-21 12:38:47,717 | 2 resources found in the stack 
2023-06-21 12:38:47,717 | Found Serverless function with name='TypeFunction' and CodeUri='build/'
2023-06-21 12:38:47,717 | --base-dir is not presented, adjusting uri build/ relative to /opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/template.yml
2023-06-21 12:38:47,717 | Found Serverless function with name='TestEntrypoint' and CodeUri='build/'
2023-06-21 12:38:47,717 | --base-dir is not presented, adjusting uri build/ relative to /opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/template.yml
2023-06-21 12:38:47,728 | Starting the Local Lambda Service. You can now invoke your Lambda Functions defined in your template through the endpoint.
2023-06-21 12:38:47,728 | Localhost server is starting up. Multi-threading = True
2023-06-21 12:38:47 WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on all addresses (0.0.0.0)
 * Running on http://127.0.0.1:3001
 * Running on http://10.38.[REDACTED]:3001
2023-06-21 12:38:47 Press CTRL+C to quit
Validating your hook specification...
============================= test session starts ==============================
platform linux -- Python 3.9.16, pytest-7.3.2, pluggy-1.2.0 -- /root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/bin/python
cachedir: .pytest_cache
hypothesis profile 'default' -> database=DirectoryBasedExampleDatabase('/opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/.hypothesis/examples')
Test order randomisation NOT enabled. Enable with --random-order or --random-order-bucket=<bucket_type>
rootdir: /tmp
configfile: pytest_km9gmubq.ini
plugins: localserver-0.7.1, hypothesis-6.79.1, random-order-1.1.0
collecting ... collected 24 items / 17 deselected / 7 selected

2023-06-21 12:38:56,944 | Found one Lambda function with name 'TypeFunction'
2023-06-21 12:38:56,944 | Invoking [REDACTED]_s3blockpublicaccess_hook.handlers.hook (python3.9)
2023-06-21 12:38:56,944 | No environment variables found for function 'TypeFunction'
2023-06-21 12:38:56,944 | Loading AWS credentials from session with profile 'None'
2023-06-21 12:38:56,954 | Resolving code path. Cwd=/opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access, CodeUri=/opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/build
2023-06-21 12:38:56,955 | Resolved absolute path to code is /opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/build
2023-06-21 12:38:56,955 | Code /opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/build is not a zip/jar file
2023-06-21 12:38:56,960 | Local image was not found.
2023-06-21 12:38:56,960 | Removing rapid images for repo public.ecr.aws/sam/emulation-python3.9
Building image..........................
2023-06-21 12:38:57,969 | Using local image: public.ecr.aws/lambda/python:3.9-rapid-x86_64.

2023-06-21 12:38:57,969 | Mounting /opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/build as /var/task:ro,delegated, inside runtime container
2023-06-21 12:38:58,273 | Starting a timer for 180 seconds for function 'TypeFunction'
2023-06-21 12:38:58,807 | Cleaning all decompressed code dirs
2023-06-21 12:38:58,807 | Unable to find Click Context for getting session_id.
2023-06-21 12:38:58 127.0.0.1 - - [21/Jun/2023 12:38:58] "POST /2015-03-31/functions/TypeFunction/invocations HTTP/1.1" 200 -
../../../../../../../tmp/hook/handler_pre_create.py::contract_pre_create_success FAILED [ 14%]
2023-06-21 12:39:02,421 | Found one Lambda function with name 'TypeFunction'
2023-06-21 12:39:02,421 | Invoking [REDACTED]_s3blockpublicaccess_hook.handlers.hook (python3.9)
2023-06-21 12:39:02,421 | No environment variables found for function 'TypeFunction'
2023-06-21 12:39:02,421 | Resolving code path. Cwd=/opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access, CodeUri=/opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/build
2023-06-21 12:39:02,421 | Resolved absolute path to code is /opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/build
2023-06-21 12:39:02,421 | Code /opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/build is not a zip/jar file
2023-06-21 12:39:02,432 | Cleaning all decompressed code dirs
2023-06-21 12:39:02,432 | Exception on /2015-03-31/functions/TypeFunction/invocations [POST]
Traceback (most recent call last):
  File "/var/lang/lib/python3.9/site-packages/docker/api/client.py", line 268, in _raise_for_status
    response.raise_for_status()
  File "/var/lang/lib/python3.9/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: http://localhost:2375/v1.35/distribution/public.ecr.aws/lambda/python:3.9-x86_64/json

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_image.py", line 196, in build
    self._check_base_image_is_current(base_image)
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_image.py", line 470, in _check_base_image_is_current
    if self.is_base_image_current(image_name):
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_image.py", line 494, in is_base_image_current
    return self.get_local_image_digest(image_name) == self.get_remote_image_digest(image_name)
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_image.py", line 510, in get_remote_image_digest
    remote_info = self.docker_client.images.get_registry_data(image_name)
  File "/var/lang/lib/python3.9/site-packages/docker/models/images.py", line 356, in get_registry_data
    attrs=self.client.api.inspect_distribution(name, auth_config),
  File "/var/lang/lib/python3.9/site-packages/docker/utils/decorators.py", line 34, in wrapper
    return f(self, *args, **kwargs)
  File "/var/lang/lib/python3.9/site-packages/docker/utils/decorators.py", line 19, in wrapped
    return f(self, resource_id, *args, **kwargs)
  File "/var/lang/lib/python3.9/site-packages/docker/api/image.py", line 287, in inspect_distribution
    return self._result(
  File "/var/lang/lib/python3.9/site-packages/docker/api/client.py", line 274, in _result
    self._raise_for_status(response)
  File "/var/lang/lib/python3.9/site-packages/docker/api/client.py", line 270, in _raise_for_status
    raise create_api_error_from_http_exception(e) from e
  File "/var/lang/lib/python3.9/site-packages/docker/errors.py", line 39, in create_api_error_from_http_exception
    raise cls(e, response=response, explanation=explanation) from e
docker.errors.APIError: 403 Client Error for http://localhost:2375/v1.35/distribution/public.ecr.aws/lambda/python:3.9-x86_64/json: Forbidden ("authorization denied by plugin pipelines: ")

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/var/lang/lib/python3.9/site-packages/flask/app.py", line 2529, in wsgi_app
    response = self.full_dispatch_request()
  File "/var/lang/lib/python3.9/site-packages/flask/app.py", line 1825, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/var/lang/lib/python3.9/site-packages/flask/app.py", line 1823, in full_dispatch_request
    rv = self.dispatch_request()
  File "/var/lang/lib/python3.9/site-packages/flask/app.py", line 1799, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/var/lang/lib/python3.9/site-packages/samcli/local/lambda_service/local_lambda_invoke_service.py", line 169, in _invoke_request_handler
    self.lambda_runner.invoke(function_name, request_data, stdout=stdout_stream_writer, stderr=self.stderr)
  File "/var/lang/lib/python3.9/site-packages/samcli/commands/local/lib/local_lambda.py", line 144, in invoke
    self.local_runtime.invoke(
  File "/var/lang/lib/python3.9/site-packages/samcli/lib/telemetry/metric.py", line 324, in wrapped_func
    return_value = func(*args, **kwargs)
  File "/var/lang/lib/python3.9/site-packages/samcli/local/lambdafn/runtime.py", line 189, in invoke
    container = self.create(function_config, debug_context, container_host, container_host_interface)
  File "/var/lang/lib/python3.9/site-packages/samcli/local/lambdafn/runtime.py", line 85, in create
    container = LambdaContainer(
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_container.py", line 94, in __init__
    image = LambdaContainer._get_image(
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_container.py", line 237, in _get_image
    return lambda_image.build(runtime, packagetype, image, layers, architecture, function_name=function_name)
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_image.py", line 213, in build
    raise DockerDistributionAPIError("Unknown API error received from docker") from e
samcli.commands.local.cli_common.user_exceptions.DockerDistributionAPIError: Unknown API error received from docker
2023-06-21 12:39:02 127.0.0.1 - - [21/Jun/2023 12:39:02] "POST /2015-03-31/functions/TypeFunction/invocations HTTP/1.1" 500 -
../../../../../../../tmp/hook/handler_pre_create.py::contract_pre_create_failed FAILED [ 28%]
../../../../../../../tmp/hook/handler_pre_create.py::contract_pre_create_failed_unsupported_target SKIPPED [ 42%]
2023-06-21 12:39:05,966 | Found one Lambda function with name 'TypeFunction'
2023-06-21 12:39:05,966 | Invoking [REDACTED]_s3blockpublicaccess_hook.handlers.hook (python3.9)
2023-06-21 12:39:05,966 | No environment variables found for function 'TypeFunction'
2023-06-21 12:39:05,966 | Resolving code path. Cwd=/opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access, CodeUri=/opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/build
2023-06-21 12:39:05,966 | Resolved absolute path to code is /opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/build
2023-06-21 12:39:05,966 | Code /opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/build is not a zip/jar file
2023-06-21 12:39:05,977 | Cleaning all decompressed code dirs
2023-06-21 12:39:05,977 | Exception on /2015-03-31/functions/TypeFunction/invocations [POST]
Traceback (most recent call last):
  File "/var/lang/lib/python3.9/site-packages/docker/api/client.py", line 268, in _raise_for_status
    response.raise_for_status()
  File "/var/lang/lib/python3.9/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: http://localhost:2375/v1.35/distribution/public.ecr.aws/lambda/python:3.9-x86_64/json

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_image.py", line 196, in build
    self._check_base_image_is_current(base_image)
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_image.py", line 470, in _check_base_image_is_current
    if self.is_base_image_current(image_name):
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_image.py", line 494, in is_base_image_current
    return self.get_local_image_digest(image_name) == self.get_remote_image_digest(image_name)
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_image.py", line 510, in get_remote_image_digest
    remote_info = self.docker_client.images.get_registry_data(image_name)
  File "/var/lang/lib/python3.9/site-packages/docker/models/images.py", line 356, in get_registry_data
    attrs=self.client.api.inspect_distribution(name, auth_config),
  File "/var/lang/lib/python3.9/site-packages/docker/utils/decorators.py", line 34, in wrapper
    return f(self, *args, **kwargs)
  File "/var/lang/lib/python3.9/site-packages/docker/utils/decorators.py", line 19, in wrapped
    return f(self, resource_id, *args, **kwargs)
  File "/var/lang/lib/python3.9/site-packages/docker/api/image.py", line 287, in inspect_distribution
    return self._result(
  File "/var/lang/lib/python3.9/site-packages/docker/api/client.py", line 274, in _result
    self._raise_for_status(response)
  File "/var/lang/lib/python3.9/site-packages/docker/api/client.py", line 270, in _raise_for_status
    raise create_api_error_from_http_exception(e) from e
  File "/var/lang/lib/python3.9/site-packages/docker/errors.py", line 39, in create_api_error_from_http_exception
    raise cls(e, response=response, explanation=explanation) from e
docker.errors.APIError: 403 Client Error for http://localhost:2375/v1.35/distribution/public.ecr.aws/lambda/python:3.9-x86_64/json: Forbidden ("authorization denied by plugin pipelines: ")

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/var/lang/lib/python3.9/site-packages/flask/app.py", line 2529, in wsgi_app
    response = self.full_dispatch_request()
  File "/var/lang/lib/python3.9/site-packages/flask/app.py", line 1825, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/var/lang/lib/python3.9/site-packages/flask/app.py", line 1823, in full_dispatch_request
    rv = self.dispatch_request()
  File "/var/lang/lib/python3.9/site-packages/flask/app.py", line 1799, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/var/lang/lib/python3.9/site-packages/samcli/local/lambda_service/local_lambda_invoke_service.py", line 169, in _invoke_request_handler
    self.lambda_runner.invoke(function_name, request_data, stdout=stdout_stream_writer, stderr=self.stderr)
  File "/var/lang/lib/python3.9/site-packages/samcli/commands/local/lib/local_lambda.py", line 144, in invoke
    self.local_runtime.invoke(
  File "/var/lang/lib/python3.9/site-packages/samcli/lib/telemetry/metric.py", line 324, in wrapped_func
    return_value = func(*args, **kwargs)
  File "/var/lang/lib/python3.9/site-packages/samcli/local/lambdafn/runtime.py", line 189, in invoke
    container = self.create(function_config, debug_context, container_host, container_host_interface)
  File "/var/lang/lib/python3.9/site-packages/samcli/local/lambdafn/runtime.py", line 85, in create
    container = LambdaContainer(
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_container.py", line 94, in __init__
    image = LambdaContainer._get_image(
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_container.py", line 237, in _get_image
    return lambda_image.build(runtime, packagetype, image, layers, architecture, function_name=function_name)
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_image.py", line 213, in build
    raise DockerDistributionAPIError("Unknown API error received from docker") from e
samcli.commands.local.cli_common.user_exceptions.DockerDistributionAPIError: Unknown API error received from docker
2023-06-21 12:39:05 127.0.0.1 - - [21/Jun/2023 12:39:05] "POST /2015-03-31/functions/TypeFunction/invocations HTTP/1.1" 500 -
../../../../../../../tmp/hook/handler_pre_update.py::contract_pre_update_success FAILED [ 57%]
2023-06-21 12:39:09,412 | Found one Lambda function with name 'TypeFunction'
2023-06-21 12:39:09,412 | Invoking [REDACTED]_s3blockpublicaccess_hook.handlers.hook (python3.9)
2023-06-21 12:39:09,413 | No environment variables found for function 'TypeFunction'
2023-06-21 12:39:09,413 | Resolving code path. Cwd=/opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access, CodeUri=/opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/build
2023-06-21 12:39:09,413 | Resolved absolute path to code is /opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/build
2023-06-21 12:39:09,413 | Code /opt/atlassian/pipelines/agent/build/hooks/s3-block-public-access/build is not a zip/jar file
2023-06-21 12:39:09,429 | Cleaning all decompressed code dirs
2023-06-21 12:39:09,430 | Exception on /2015-03-31/functions/TypeFunction/invocations [POST]
Traceback (most recent call last):
  File "/var/lang/lib/python3.9/site-packages/docker/api/client.py", line 268, in _raise_for_status
    response.raise_for_status()
  File "/var/lang/lib/python3.9/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: http://localhost:2375/v1.35/distribution/public.ecr.aws/lambda/python:3.9-x86_64/json

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_image.py", line 196, in build
    self._check_base_image_is_current(base_image)
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_image.py", line 470, in _check_base_image_is_current
    if self.is_base_image_current(image_name):
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_image.py", line 494, in is_base_image_current
    return self.get_local_image_digest(image_name) == self.get_remote_image_digest(image_name)
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_image.py", line 510, in get_remote_image_digest
    remote_info = self.docker_client.images.get_registry_data(image_name)
  File "/var/lang/lib/python3.9/site-packages/docker/models/images.py", line 356, in get_registry_data
    attrs=self.client.api.inspect_distribution(name, auth_config),
  File "/var/lang/lib/python3.9/site-packages/docker/utils/decorators.py", line 34, in wrapper
    return f(self, *args, **kwargs)
  File "/var/lang/lib/python3.9/site-packages/docker/utils/decorators.py", line 19, in wrapped
    return f(self, resource_id, *args, **kwargs)
  File "/var/lang/lib/python3.9/site-packages/docker/api/image.py", line 287, in inspect_distribution
    return self._result(
  File "/var/lang/lib/python3.9/site-packages/docker/api/client.py", line 274, in _result
    self._raise_for_status(response)
  File "/var/lang/lib/python3.9/site-packages/docker/api/client.py", line 270, in _raise_for_status
    raise create_api_error_from_http_exception(e) from e
  File "/var/lang/lib/python3.9/site-packages/docker/errors.py", line 39, in create_api_error_from_http_exception
    raise cls(e, response=response, explanation=explanation) from e
docker.errors.APIError: 403 Client Error for http://localhost:2375/v1.35/distribution/public.ecr.aws/lambda/python:3.9-x86_64/json: Forbidden ("authorization denied by plugin pipelines: ")

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/var/lang/lib/python3.9/site-packages/flask/app.py", line 2529, in wsgi_app
    response = self.full_dispatch_request()
  File "/var/lang/lib/python3.9/site-packages/flask/app.py", line 1825, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/var/lang/lib/python3.9/site-packages/flask/app.py", line 1823, in full_dispatch_request
    rv = self.dispatch_request()
  File "/var/lang/lib/python3.9/site-packages/flask/app.py", line 1799, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/var/lang/lib/python3.9/site-packages/samcli/local/lambda_service/local_lambda_invoke_service.py", line 169, in _invoke_request_handler
    self.lambda_runner.invoke(function_name, request_data, stdout=stdout_stream_writer, stderr=self.stderr)
  File "/var/lang/lib/python3.9/site-packages/samcli/commands/local/lib/local_lambda.py", line 144, in invoke
    self.local_runtime.invoke(
  File "/var/lang/lib/python3.9/site-packages/samcli/lib/telemetry/metric.py", line 324, in wrapped_func
    return_value = func(*args, **kwargs)
  File "/var/lang/lib/python3.9/site-packages/samcli/local/lambdafn/runtime.py", line 189, in invoke
    container = self.create(function_config, debug_context, container_host, container_host_interface)
  File "/var/lang/lib/python3.9/site-packages/samcli/local/lambdafn/runtime.py", line 85, in create
    container = LambdaContainer(
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_container.py", line 94, in __init__
    image = LambdaContainer._get_image(
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_container.py", line 237, in _get_image
    return lambda_image.build(runtime, packagetype, image, layers, architecture, function_name=function_name)
  File "/var/lang/lib/python3.9/site-packages/samcli/local/docker/lambda_image.py", line 213, in build
    raise DockerDistributionAPIError("Unknown API error received from docker") from e
samcli.commands.local.cli_common.user_exceptions.DockerDistributionAPIError: Unknown API error received from docker
2023-06-21 12:39:09 127.0.0.1 - - [21/Jun/2023 12:39:09] "POST /2015-03-31/functions/TypeFunction/invocations HTTP/1.1" 500 -
../../../../../../../tmp/hook/handler_pre_update.py::contract_pre_update_failed FAILED [ 71%]
../../../../../../../tmp/hook/handler_pre_update.py::contract_pre_update_failed_unsupported_target SKIPPED [ 85%]
../../../../../../../tmp/resource/handler_misc.py::contract_check_asserts_work PASSED [100%]

=================================== FAILURES ===================================
_________________________ contract_pre_create_success __________________________
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/suite/hook/handler_pre_create.py:19: in contract_pre_create_success
    test_hook_handlers_success(hook_client, INVOCATION_POINT)
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/suite/hook/hook_handler_commons.py:74: in test_hook_handlers_success
    test_hook_success(hook_client, invocation_point, target, target_model)
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/suite/hook/hook_handler_commons.py:32: in test_hook_success
    _status, response, _error_code = hook_client.call_and_assert(
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/hook_client.py:479: in call_and_assert
    self.assert_success(status, response, target)
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/hook_client.py:184: in assert_success
    assert status == HookStatus.SUCCESS, f"status should be SUCCESS ({target})"
E   AssertionError: status should be SUCCESS (AWS::S3::Bucket)
__________________________ contract_pre_create_failed __________________________
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/suite/hook/handler_pre_create.py:24: in contract_pre_create_failed
    test_hook_handlers_failed(hook_client, INVOCATION_POINT)
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/suite/hook/hook_handler_commons.py:83: in test_hook_handlers_failed
    test_hook_failed(hook_client, invocation_point, target, target_model)
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/suite/hook/hook_handler_commons.py:55: in test_hook_failed
    _status, response, error_code = hook_client.call_and_assert(
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/hook_client.py:477: in call_and_assert
    status, response = self.call(invocation_point, target, target_model, **kwargs)
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/hook_client.py:500: in call
    response = self._call(request)
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/hook_client.py:450: in _call
    result = self._client.invoke(
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/botocore/client.py:530: in _api_call
    return self._make_api_call(operation_name, kwargs)
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/botocore/client.py:964: in _make_api_call
    raise error_class(parsed_response, operation_name)
E   botocore.exceptions.ClientError: An error occurred (Service) when calling the Invoke operation (reached max retries: 0): ServiceException
_________________________ contract_pre_update_success __________________________
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/suite/hook/handler_pre_update.py:19: in contract_pre_update_success
    test_hook_handlers_success(hook_client, INVOCATION_POINT)
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/suite/hook/hook_handler_commons.py:70: in test_hook_handlers_success
    test_update_hook_success(
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/suite/hook/hook_handler_commons.py:47: in test_update_hook_success
    _status, response, _error_code = hook_client.call_and_assert(
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/hook_client.py:477: in call_and_assert
    status, response = self.call(invocation_point, target, target_model, **kwargs)
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/hook_client.py:500: in call
    response = self._call(request)
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/hook_client.py:450: in _call
    result = self._client.invoke(
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/botocore/client.py:530: in _api_call
    return self._make_api_call(operation_name, kwargs)
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/botocore/client.py:964: in _make_api_call
    raise error_class(parsed_response, operation_name)
E   botocore.exceptions.ClientError: An error occurred (Service) when calling the Invoke operation (reached max retries: 0): ServiceException
__________________________ contract_pre_update_failed __________________________
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/suite/hook/handler_pre_update.py:24: in contract_pre_update_failed
    test_hook_handlers_failed(hook_client, INVOCATION_POINT)
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/suite/hook/hook_handler_commons.py:83: in test_hook_handlers_failed
    test_hook_failed(hook_client, invocation_point, target, target_model)
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/suite/hook/hook_handler_commons.py:55: in test_hook_failed
    _status, response, error_code = hook_client.call_and_assert(
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/hook_client.py:477: in call_and_assert
    status, response = self.call(invocation_point, target, target_model, **kwargs)
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/hook_client.py:500: in call
    response = self._call(request)
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/rpdk/core/contract/hook_client.py:450: in _call
    result = self._client.invoke(
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/botocore/client.py:530: in _api_call
    return self._make_api_call(operation_name, kwargs)
/root/.local/share/virtualenvs/s3-block-public-access-yxZjV0V7/lib/python3.9/site-packages/botocore/client.py:964: in _make_api_call
    raise error_class(parsed_response, operation_name)
E   botocore.exceptions.ClientError: An error occurred (Service) when calling the Invoke operation (reached max retries: 0): ServiceException
=========================== short test summary info ============================
FAILED ../../../../../../../tmp/hook/handler_pre_create.py::contract_pre_create_success - AssertionError: status should be SUCCESS (AWS::S3::Bucket)
FAILED ../../../../../../../tmp/hook/handler_pre_create.py::contract_pre_create_failed - botocore.exceptions.ClientError: An error occurred (Service) when calling the Invoke operation (reached max retries: 0): ServiceException
FAILED ../../../../../../../tmp/hook/handler_pre_update.py::contract_pre_update_success - botocore.exceptions.ClientError: An error occurred (Service) when calling the Invoke operation (reached max retries: 0): ServiceException
FAILED ../../../../../../../tmp/hook/handler_pre_update.py::contract_pre_update_failed - botocore.exceptions.ClientError: An error occurred (Service) when calling the Invoke operation (reached max retries: 0): ServiceException
============ 4 failed, 1 passed, 2 skipped, 17 deselected in 16.07s ============
One or more contract tests failed
sam log------>
START RequestId: 4320bb4a-b3b7-469b-b419-2eef21c0edbe Version: $LATEST
[DEBUG] 2023-06-21T12:38:58.601Z    4320bb4a-b3b7-469b-b419-2eef21c0edbe    Hook context:
[DEBUG] 2023-06-21T12:38:58.601Z    4320bb4a-b3b7-469b-b419-2eef21c0edbe    HookContext(awsAccountId='467440188625', stackId='27805d43-cc4d-4620-b6f3-deafb44dac87', hookTypeName=‘[REDACTED]::S3BlockPublicAccess::Hook', hookTypeVersion='00000001', invocationPoint=<HookInvocationPoint.CREATE_PRE_PROVISION: 'CREATE_PRE_PROVISION'>, targetName='AWS::S3::Bucket', targetType='RESOURCE', targetLogicalId='27805d43-cc4d-4620-b6f3-deafb44dac87', targetModel={'resourceProperties': {'PublicAccessBlockConfiguration': {'BlockPublicAcls': 'true', 'BlockPublicPolicy': 'true', 'IgnorePublicAcls': 'true', 'RestrictPublicBuckets': 'true'}}}, changeSetId=None)
END RequestId: 4320bb4a-b3b7-469b-b419-2eef21c0edbe
REPORT RequestId: 4320bb4a-b3b7-469b-b419-2eef21c0edbe  Init Duration: 0.12 ms  Duration: 325.54 ms Billed Duration: 326 ms Memory Size: 256 MB Max Memory Used: 256 MB 
sam log2------>

Searching for test report files in directories named [test-results, failsafe-reports, test-reports, TestResults, surefire-reports] down to a depth of 4
Finished scanning for test reports. Found 0 test report files.
Merged test suites, total number tests is 0, with 0 failures and 0 errors.

Expected result:

PASSED function tests.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

Using public.ecr.aws/sam/build-python3.9:latest for Bitbucket pipeline base image, but have also tried base python image.

{
  "version": "1.87.0",
  "system": {
    "python": "3.9.16",
    "os": "Linux-5.15.0-1036-aws-x86_64-with-glibc2.26"
  },
  "additional_dependencies": {
    "docker_engine": "20.10.24",
    "aws_cdk": "Not available",
    "terraform": "Not available"
  },
  "available_beta_feature_env_vars": [
    "SAM_CLI_BETA_FEATURES",
    "SAM_CLI_BETA_BUILD_PERFORMANCE",
    "SAM_CLI_BETA_TERRAFORM_SUPPORT",
    "SAM_CLI_BETA_RUST_CARGO_LAMBDA"
  ]
}

sriram-mv commented 1 year ago

Looking at the 403 Error, there does not seem to be an issue in communicating with docker, but something with the docker setup itself.

Have you already tried: https://stackoverflow.com/questions/73882715/bitbucket-pipelines-authorization-denied-by-plugin-pipelines

seanmyath commented 1 year ago

Thanks for the reply @sriram-mv

Just tried it, added - export DOCKER_BUILDKIT=0 to my pipeline before running sam local command. This unfortunately did not fix the issue.

Also tried adding - export PATH=/usr/bin:$PATH to my bitbucket pipeline. Did not fix, still getting same output with 403 error sadly.

I was looking through the source files of sam-cli local and I can't see anything that would violate Bitbucket's restricted commands clearly - the volumes seem fine as they use absolute value for directory etc.:

Full list of restricted commands
The security of your data is really important to us, especially when you are trusting it to the cloud. To keep everybody safe we've restricted the following:

For docker container run/docker run we don't allow:

--cap-add

--device

--ipc

--mount

--pid

--privileged

--security-opt

--userns

--uts

--volume, -v (other than /opt/atlassian/bitbucketci/agent/build/.* or /opt/atlassian/pipelines/agent/build/.*)

For docker container update/docker update we don't allow:

--devices

For docker container exec/docker exec we don't allow:

--privileged

For docker image build / docker build we don't allow:

--security-opt
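
The restricted-options list quoted in the comment above can be turned into a pre-flight check over docker command lines. This is an added example, not part of the original comment and not Bitbucket's or SAM CLI's code; it assumes the volume allow-list applies to the host-side source path, and any command lines fed to it here are constructed.

```python
import re
import shlex

# Restricted options per docker subcommand, copied from the list quoted above.
RESTRICTED = {
    "run": {"--cap-add", "--device", "--ipc", "--mount", "--pid",
            "--privileged", "--security-opt", "--userns", "--uts"},
    "update": {"--devices"},
    "exec": {"--privileged"},
    "build": {"--security-opt"},
}
# The only volume sources the quoted list permits. Assumption: the pattern is
# applied to the host-side source of the volume spec.
ALLOWED_VOLUME = re.compile(r"/opt/atlassian/(bitbucketci|pipelines)/agent/build/.*")


def violations(command):
    """Return the restricted options used by one docker command line.

    Every token is inspected, so an option passed to the program inside the
    container is reported too; treat a hit as a prompt to look, not a verdict.
    """
    argv = shlex.split(command)
    if argv and argv[0] == "docker":
        argv = argv[1:]
    if argv and argv[0] in ("container", "image"):  # "docker container run" form
        argv = argv[1:]
    if not argv or argv[0] not in RESTRICTED:
        return []
    sub, args = argv[0], argv[1:]
    found, i = [], 0
    while i < len(args):
        name, _, value = args[i].partition("=")
        if name.startswith("-v") and len(name) > 2 and not name.startswith("--"):
            name, value = "-v", args[i][2:]  # attached short form: -v/src:/dst
        if name in RESTRICTED[sub]:
            found.append(name)
        elif sub == "run" and name in ("--volume", "-v"):
            if not value and i + 1 < len(args):  # separate form: -v /src:/dst
                i += 1
                value = args[i]
            source = value.split(":", 1)[0]
            if not ALLOWED_VOLUME.fullmatch(source):
                found.append(f"{name} {source}")
        i += 1
    return found
```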

sriram-mv commented 1 year ago

Why are mounts not allowed 🤔? sam local invoke requires mounts. I need to double check for sam local start-lambda.