I am trying to get My lambda running that connects...
# sst
m
I am trying to get my Lambda running that connects DynamoDB to OpenSearch in the SST local environment. However, when I try to PUT to the OpenSearch endpoint I get:
The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
In SST I have set up permissions with:
consumers: {
    dynamodbstream: {
        srcPath: "services/dynamodbstream/",
        handler: "stream.handler",
        environment: {
            SEARCH_ENDPOINT: opensearch_domain.domainEndpoint,
        },
        permissions: [new iam.PolicyStatement({
            actions: ["es:*"],
            resources: [opensearch_domain.domainArn],
        })]
    }
}
And I can confirm in the AWS Console that the permissions are set for the Lambda role. Is there something else that needs permission because of the local environment?
After some further attempts, I have discovered that if I change the METHOD from post to put I get a different error message. I am not sure why post is causing the error message in question, but now I am getting:
User: arn:aws:sts::309833148800:assumed-role/mike-local-chartflow-dyna-ChartflowDatadynamodbstr-P6L43N5FZMK/mike-local-chartflow-dyna-ChartflowDatadynamodbstr-dpL0R4lmGyGK is not authorized to perform: es:ESHttpPut
Getting closer, but any help would be appreciated.
Changing the resources to ["*"] allowed it to work, but clearly not a best practice. Any ideas would be appreciated.
d
Sometimes when I get a signature message, it's because of system clock drift. As in, I am running something locally, and my system clock is a little off from whatever AWS expects. This wouldn't explain if changing resources to * fixes it, though.
Not sure what OS and such to give further advice, but typically a restart solves it in all OS cases.
f
Thanks @Derek Kershner.
@Michael Robellard any luck with the issue?
m
So, I got it to work by changing the resources from the OpenSearch ARN to a *. Not sure what the issue is with the resources; I think the POST vs PUT issue is solved.
Not the best from a security standpoint, but it is working for now.
u
@Michael Robellard Hey, I'm struggling with the same kind of problem. I did something like this:
table.addConsumers(this, {
  Consumer_0: {
    function: insertToESFn,
    consumerProps: {
      startingPosition: StartingPosition.LATEST,
    },
    permissions: [
      new iam.PolicyStatement({
        actions: ['dynamodb:*'],
        effect: iam.Effect.ALLOW,
        resources: ['*'],
      }),
      new iam.PolicyStatement({
        actions: ['es:*'],
        effect: iam.Effect.ALLOW,
        resources: ['*'],
      }),
    ],
  },
});

const domain = new opensearch.Domain(this, 'Domain', {
  version: opensearch.EngineVersion.OPENSEARCH_1_0,
  domainName: `mydomain`,
  capacity: {
    dataNodes: 1,
    dataNodeInstanceType: 't3.small.search',
  },
  ebs: {
    volumeSize: 10,
  },
  useUnsignedBasicAuth: true,
  fineGrainedAccessControl: {
    masterUserName: 'xxxx',
    masterUserPassword: new SecretValue('xxxxxxxxxxxxxxxxx'),
  },

  removalPolicy: cdk.RemovalPolicy.DESTROY,
});
Could you share how you create your OpenSearch and give permission to your Lambda with CDK / SST?
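
Added example, not part of the thread and not SST or AWS code: a simplified TypeScript model of IAM Allow matching that shows why a statement scoped to the bare domain ARN does not cover `es:ESHttpPut` on a document path, while the domain ARN followed by `/*` does without falling back to `*`. The account id, region, domain and index names are constructed placeholders, and the helper names (`globToRegExp`, `isAllowed`, `evaluate`) are hypothetical.

```typescript
// Simplified model of IAM Allow matching; this is not AWS's policy evaluator.
// Account id, region, domain and index names below are constructed placeholders.
type Statement = { actions: string[]; resources: string[] };

// IAM wildcards: "*" matches any run of characters, "?" exactly one.
function globToRegExp(pattern: string, flags = ""): RegExp {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$", flags);
}

// True when any Allow statement matches both the action and the resource ARN.
function isAllowed(policy: Statement[], action: string, resource: string): boolean {
  return policy.some(
    (s) =>
      s.actions.some((a) => globToRegExp(a, "i").test(action)) && // action names are case-insensitive
      s.resources.some((r) => globToRegExp(r).test(resource)),
  );
}

const domainArn = "arn:aws:es:us-east-1:111122223333:domain/chartflow"; // constructed
const otherDomainArn = "arn:aws:es:us-east-1:111122223333:domain/billing"; // constructed

// For signed HTTP calls the resource checked is the domain ARN plus the request path.
const putDoc = { action: "es:ESHttpPut", resource: `${domainArn}/charts/_doc/1` };
const putOther = { action: "es:ESHttpPut", resource: `${otherDomainArn}/invoices/_doc/1` };

// The three resource scopes that appear in or follow from the thread.
const bareDomain: Statement[] = [{ actions: ["es:*"], resources: [domainArn] }];
const wildcard: Statement[] = [{ actions: ["es:*"], resources: ["*"] }];
const scoped: Statement[] = [
  { actions: ["es:ESHttpPut", "es:ESHttpPost"], resources: [`${domainArn}/*`] },
];

// Summarise what a policy permits: writes to its own domain, writes to another
// domain, and a destructive configuration call on the domain itself.
function evaluate(policy: Statement[]) {
  return {
    ownDomainWrite: isAllowed(policy, putDoc.action, putDoc.resource),
    otherDomainWrite: isAllowed(policy, putOther.action, putOther.resource),
    deleteDomain: isAllowed(policy, "es:DeleteDomain", domainArn),
  };
}
```

In the first snippet's terms the scoped form would be `resources: [opensearch_domain.domainArn + "/*"]` with `actions` narrowed to the HTTP verbs the stream handler actually uses. Note that in this model the bare-ARN `es:*` statement still allows `es:DeleteDomain` while denying document writes.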