aws / aws-sam-cli

CLI tool to build, test, debug, and deploy Serverless applications using AWS SAM
https://aws.amazon.com/serverless/sam/
Apache License 2.0
6.47k stars 1.16k forks

Bug: Unable to test lambda authorizer locally #5976

Closed therougeb closed 8 months ago

therougeb commented 10 months ago

Description:

While testing a local API with sam cli, I'm unable to link a Lambda authorizer with API endpoints. Maybe I've missed something or I'm doing it wrong.

Steps to reproduce:

Transform: AWS::Serverless-2016-10-31    

Globals:
    Function:
        Runtime: python3.11
        Environment:
            Variables:
                ENV: !Ref Environment
Parameters:
    Environment:
        Type: String
        Default: dev
        AllowedValues:
            - production
            - staging
            - dev
    CookieDomain:
        Type: String
        Default: localhost

Resources:
    User:
        Type: AWS::Serverless::Function
        Properties:
            FunctionName: !Sub User-${Environment}
            CodeUri: src/auth/me
            Handler: main.run
            Events:
                HttpRequest:
                    Type: Api
                    Properties:
                        Auth:
                            Authorizer: CookieAuthorizer
                        RestApiId: !Ref AsyncoreAuthentication
                        Method: GET
                        Path: /me
            Description: >
                Get authenticated user
    AuthenticateCookie:
        Type: AWS::Serverless::Function
        Properties:
            FunctionName: !Sub AuthenticateCookie-${Environment}
            CodeUri: src/auth/cookies
            Description: >
                Authorize http request with cookies
            Handler: main.run
    AsyncoreAuthentication:
        Type: AWS::Serverless::Api
        Properties:
            Description: >
                Authentication API Gateway
            Name: !Sub AsyncoreAuthentication-${Environment}
            DisableExecuteApiEndpoint: true
            StageName: !Ref Environment
            EndpointConfiguration: EDGE
            Auth:
                Authorizers:
                    CookieAuthorizer:
                        Identity:
                            Headers:
                                - Cookie
                        FunctionArn: !GetAtt
                              - AuthenticateCookie
                              - Arn
                        FunctionPayloadType: REQUEST

Observed result:

with template provided:

➜  Micro-API git:(main) ✗ sam local start-api --parameter-overrides Environment=dev,CookieDomain=localhost --port 5000
Unable to parse the Lambda ARN for Authorizer 'CookieAuthorizer', skipping
Unable to parse the Lambda ARN for Authorizer 'CookieAuthorizer', skipping
Linking authorizer skipped for route '/me', authorizer 'CookieAuthorizer' is unsupported or not found
Linking authorizer skipped for route '/home/{proxy+}', authorizer 'None' is unsupported or not found

If I update the template and put

FunctionArn: !GetAtt
   - AuthenticateCookie-dev
   - Arn

I am able to link the authorizer with the Lambda on sam local start-api, but I get this when invoking the endpoint:

AuthenticateCookie-dev not found. Possible options in your template: ['Authenticate', 'User', 'AuthenticateCookie', 'Home']
Failed to find a Function to invoke a Lambda authorizer, verify that this Function is defined and exists locally in the template.
Lambda authorizer failed to invoke successfully: Unable to find a Function with name 'AuthenticateCookie-dev'

Expected result:

I expect, even if AWS can't guarantee 100% fidelity between deployed / local env, at least correct linking on local env between resources / authorizer.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

  1. OS: macOS Ventura 13.5.2 (M1 Pro)
  2. sam --version: SAM CLI, version 1.97.0
{
  "version": "1.97.0",
  "system": {
    "python": "3.8.13",
    "os": "macOS-13.5.2-arm64-arm-64bit"
  },
  "additional_dependencies": {
    "docker_engine": "24.0.6",
    "aws_cdk": "Not available",
    "terraform": "Not available"
  },
  "available_beta_feature_env_vars": [
    "SAM_CLI_BETA_FEATURES",
    "SAM_CLI_BETA_BUILD_PERFORMANCE",
    "SAM_CLI_BETA_TERRAFORM_SUPPORT",
    "SAM_CLI_BETA_RUST_CARGO_LAMBDA"
  ]
}

Add --debug flag to command you are running

jfuss commented 10 months ago

@therougeb I believe your

FunctionArn: !GetAtt
   - AuthenticateCookie-dev
   - Arn

is incorrect. CloudFormation intrinsic functions take a LogicalId, not the Function Name. If you look at the error carefully, you can see SAM CLI is reporting it did not find AuthenticateCookie-dev but did find AuthenticateCookie. This is because SAM CLI looks at the LogicalIds (just like CloudFormation).

Update that and give it another try.

As a side note, naming is usually an anti-pattern in CloudFormation. There are cases where you have to, but in general, you should let CloudFormation decide the name for you. This will be a combination of LogicalId + StackName + hash. This simplifies your template and makes it easier to deploy. You won't run into naming conflicts this way at all, since StackNames need to be unique within the account. If you have a good reason to name, go for it. I have seen this hurt too many customers over time, so wanted to bring it up in case you weren't aware you can omit.
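The LogicalId-versus-FunctionName mix-up discussed above can be caught before starting the local API, so a route is not served with its authorizer skipped. The following is an added example, not part of the thread and not SAM CLI's own code: a small lint over a template in CloudFormation JSON form. The helper names (`sample_template`, `_could_render`, `check_authorizers`) are hypothetical and the sample template is constructed from the one in the issue.

```python
import re

# Constructed sample: the issue's template cut down to the relevant keys, in
# CloudFormation JSON form (!GetAtt -> Fn::GetAtt, !Sub -> Fn::Sub).
def sample_template(getatt_target):
    return {"Resources": {
        "AuthenticateCookie": {
            "Type": "AWS::Serverless::Function",
            "Properties": {"FunctionName": {"Fn::Sub": "AuthenticateCookie-${Environment}"}},
        },
        "AsyncoreAuthentication": {
            "Type": "AWS::Serverless::Api",
            "Properties": {"Auth": {"Authorizers": {"CookieAuthorizer": {
                "FunctionArn": {"Fn::GetAtt": [getatt_target, "Arn"]},
            }}}},
        },
    }}

def _could_render(function_name, candidate):
    """True if a FunctionName (literal or Fn::Sub string) can render to candidate."""
    if isinstance(function_name, dict):
        function_name = function_name.get("Fn::Sub")
    if not isinstance(function_name, str) or not isinstance(candidate, str):
        return False
    literal_parts = re.split(r"\$\{[^}]+\}", function_name)
    return re.fullmatch(".+".join(map(re.escape, literal_parts)), candidate) is not None

def check_authorizers(template):
    """Return (authorizer, GetAtt target, suggested logical ID) for each authorizer
    whose FunctionArn does not point at a function's logical ID."""
    resources = template.get("Resources", {})
    functions = {lid: res.get("Properties", {}) for lid, res in resources.items()
                 if res.get("Type") == "AWS::Serverless::Function"}
    findings = []
    for res in resources.values():
        if res.get("Type") != "AWS::Serverless::Api":
            continue
        auth = res.get("Properties", {}).get("Auth", {})
        for name, cfg in auth.get("Authorizers", {}).items():
            arn = cfg.get("FunctionArn")
            target = arn.get("Fn::GetAtt") if isinstance(arn, dict) else None
            logical_id = target[0] if isinstance(target, list) and target else None
            if logical_id in functions:
                continue
            # The target may be a FunctionName used by mistake: find the function it names.
            suggestion = next((lid for lid, props in functions.items()
                               if _could_render(props.get("FunctionName"), logical_id)), None)
            findings.append((name, logical_id, suggestion))
    return findings
```

An empty result means every authorizer references a function by logical ID; a non-empty one names the authorizer, the bad target and, where a FunctionName matches, the logical ID to use instead.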

hnnasit commented 9 months ago

Hi @therougeb, does @jfuss's comment above help resolve the issue?

moelasmar commented 8 months ago

Closing due to inactivity, please create another issue if you still have the same problem, or any other problems.

github-actions[bot] commented 8 months ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.