https://serverless-stack.com/ logo
Join Slack
Powered by
Hi <@U01JVDKASAC>, I successfully deployed my api ...
# help
a
Hi @Frank, I successfully deployed my api stack, and it returned 
ApiEndpoint: https://*****.execute-api.ap-****.<http://amazonaws.com/|amazonaws.com/>*prod*/
. However, when I was checking the lambda function API gateway triggers overview via console, the API endpoint became: 
https://*****.execute-api.ap-****.<http://amazonaws.com/|amazonaws.com/>*test-invoke-stage*/
. Also I got 403 response when accessing from browser:
Copy code
{
  "message": "User: arn:aws:sts::assumed-role/****  is not authorized to perform: execute-api:Invoke on resource:  ****/****/prod/**** "
}
Is this due to IAM policy issue? How can I make the lamdba function API gateway trigger path to be 
/prod/
 instead of 
test-invoke-stage
 ?
t
can you share how you define the api in your stack?
a
Yeah sure
Copy code
this.api = new sst.ApiGatewayV1Api(this, "api", {
    routes: {
        "GET   /some_path": {
            methodOptions: {
                authorizationType: AuthorizationType.IAM,
              },
            function: {
                handler: "src/some_function.main",
                environment: {
                    TABLE_NAME: table.tableName
                }
            },
        }
    },
    cors: true
    
});
this.api.attachPermissions([table]);

this.addOutputs({
    ApiEndpoint: this.api.url,
});
t
Does the iam user you're calling the API with have permission to invoke the api?
a
I think so. The iam user can successfully invoke the api that was built in the old way, this is the first time I try to use api stack.
t
This is creating a new API so the user likely doesn't have permissions to invoke it unless they were explicitly granted or that permissions are broad
I'm also not as familiar with the ApiGatewayV1Api and iam auth as @Frank is
a
So the api endpoint change (
/prod/
and 
/test-invoke-stage/
) can also be explained by permission issues?
t
I'm not sure where test-invoke-stage is coming from
Are you specifying that anywhere?
a
No, I don’t know where it is coming from either. I didn’t specify that anywhere in my code
I suppose if the endpoint path can be changed to 
/prod/
the 403 error will be gone as well.
t
That is strange, no idea where 
test-invoke
could be coming from. It's not anywhere in your codebase?
f
Hey @Aso Sun, the issue you are describing is very weird… can you share: • a screenshot of the deploy output with 
ApiEndpoint
• a screenshot of ur API Gateway console where you saw 
https://*****.execute-api.ap-****.<http://amazonaws.com/|amazonaws.com/>*test-invoke-stage*/
• a screenshot of the browser where you saw the error
Copy code
{
  "message": "User: arn:aws:sts::assumed-role/****  is not authorized to perform: execute-api:Invoke on resource:  ****/****/prod/**** "
}
• and finally the IAM permission of the identity pool authenticated user role permission
Feel free to DM me if any value is confidential.
a
Hi @Frank , I have sent you direct messages, could you please help me there?
f
For sure! Will take a look.
@Aso Sun, after some googling, I realized that 
test-invoke-stage
is the name of the built-in testing stage created by Api Gateway.
Have you enabled the Test Invoke feature by any chance for this API in the Api Gateway console?
a
No, I don’ think so. I created this API via SST, I didn’t touch any settings in Api Gateway console.
f
Hmm.. that’s weird. Can you try creating a new api and see if the same behavior persist?
a
Yes, still test-invoke-stage. But if I create API via serverless framework, there will be no such weird issue.
Open in Slack
PreviousNext
Powered by