# help
a
Hi, I am running serverless offline as well as online to run 2 lambda functions using Bolt JS. One Lambda calls the other. When I run sls offline, I get this URL to use to invoke my backend Lambda function from the code of the frontend L function: Offline [http for lambda] listening on http://localhost:3002 > this works fine locally. When I deploy to AWS, I use the endpoint given to me by AWS API Trigger for my backend L function, and I get this error: “InvalidSignatureException: Credential should be scoped to correct service: ‘execute-api’.” I’ve added every possible permission to both functions, doesn’t help. I can invoke the function from my AWS CLI like this: aws lambda invoke --function-name serverless-function-dev-backend --invocation-type Event --payload '{ "key": "value" }' response.json > this works as well. But the deployed code fails with the mentioned error. Any help is greatly appreciated
When i say Bolt JS i mean the Slack Bolt JS SDK
f
Hi @Andy Averbuch, is the API authorized using IAM?
a
No, it has no auth set up
Should I explicitly set up IAM auth for the backend function? Shouldn’t it work with auth=none?
m
Hi @Andy Averbuch, is your issue resolved? I feel this is somehow related to the AWSv4 signature. Can you clarify a few things:
• If resolved, how?
• Is this error from API Gateway or Lambda? (Check if Lambda was triggered.)
• If this is public, then please share the API Gateway URL.
• The entire stack trace from API Gateway.
To answer your question, AWS IAM might not be the cause of your issue.
a
Hi @Mr.9715 - thanks for getting back to me, I’ll post everything in about an hour
Here is the error from the AWS logs:
{
  "errorType": "Runtime.UnhandledPromiseRejection",
  "errorMessage": "InvalidSignatureException: Credential should be scoped to correct service: 'execute-api'. ",
  "reason": {
    "errorType": "InvalidSignatureException",
    "errorMessage": "Credential should be scoped to correct service: 'execute-api'. ",
    "code": "InvalidSignatureException",
    "message": "Credential should be scoped to correct service: 'execute-api'. ",
    "time": "2021-06-01T052203.918Z",
    "requestId": "fbf9bbec-e477-4ca4-a74e-2d7d8b4af3df",
    "statusCode": 403,
    "retryable": false,
    "retryDelay": 53.302005982088495,
    "stack": [
      "InvalidSignatureException: Credential should be scoped to correct service: 'execute-api'. ",
      "    at Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js5227)",
      "    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json.js558)",
      "    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js10620)",
      "    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js7810)",
      "    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js68814)",
      "    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js2210)",
      "    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js1412)",
      "    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js2610",
      "    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js389)",
      "    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js69012)"
    ]
  },
  "promise": {},
  "stack": [
    "Runtime.UnhandledPromiseRejection: InvalidSignatureException: Credential should be scoped to correct service: 'execute-api'. ",
    "    at process.<anonymous> (/var/runtime/index.js3515)",
    "    at process.emit (events.js31420)",
    "    at process.EventEmitter.emit (domain.js48312)",
    "    at processPromiseRejections (internal/process/promises.js20933)",
    "    at processTicksAndRejections (internal/process/task_queues.js9832)"
  ]
}
2021-06-01T052203.924Z 4810a08f-c0e6-478f-8d99-580129b5696f ERROR Unhandled Promise Rejection {"errorType":"Runtime.UnhandledPromiseRejection","errorMessage":"InvalidSignatureException: Credential should be scoped to correct service: 'execute-api'. ","reason":{"errorType":"InvalidSignatureException","errorMessage":"Credential should be scoped to correct service: 'execute-api'. ","code":"InvalidSignatureException","message":"Credential should be scoped to correct service: 'execute-api'. ","time":"2021-06-01T052203.918Z","requestId":"fbf9bbec-e477-4ca4-a74e-2d7d8b4af3df","statusCode":403,"retryable":false,"retryDelay":53.302005982088495,"stack":["InvalidSignatureException: Credential should be scoped to correct service: 'execute-api'. ","    at Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js5227)","    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json.js558)","    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js10620)","    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js7810)","    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js68814)","    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js2210)","    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js1412)","    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js2610","    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js389)","    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js69012)"]},"promise":{},"stack":["Runtime.UnhandledPromiseRejection: InvalidSignatureException: Credential should be scoped to correct service: 'execute-api'. ","    at process.<anonymous> (/var/runtime/index.js3515)","    at process.emit (events.js31420)","    at process.EventEmitter.emit (domain.js48312)","    at processPromiseRejections (internal/process/promises.js20933)","    at processTicksAndRejections (internal/process/task_queues.js9832)"]}
m
Hi @Andy Averbuch, I looked this up, did not find anything relevant. Can you share the method that you are using in L1 frontend lambda to generate the URL for the backend lambda?
a
I just grabbed the URL from the api dashboard.
m
Okay, maybe I got the issue. You might be missing a trust relationship. Can you check the trust relationship of the backend Lambda and allow the frontend to access it? Try to do this manually from the IAM role of the backend Lambda.
Also, I found this blog. Can you try it? I will also do the same on my end.
a
Ok, let me see
I have a role on both functions which contains an inline policy that contains this:
{ "Action": [ "lambda:InvokeFunction", "lambda:InvokeAsync" ], "Resource": "*", "Effect": "Allow" },
m
Hey @Andy Averbuch, you said that you used the API from the dashboard to trigger one Lambda from another. In that case, your L1 will also need permission to call API Gateway. Can you try that?
a
Hi, yeah, I just ran across this article:
Is this the Trust Relationship permission you mean?
m
Honestly, I am not really an IAM expert. But a policy grants access to a resource, whereas trust allows the trusted service (Lambda in your case) to call another service (API Gateway). But, from a different perspective, it's just an HTTP request from one Lambda to another. It shouldn't require all that hassle. Can you try to call your Lambda directly without API Gateway involved? (Just like in the blog above.)
a
I see, I’ve tried doing that before and I was getting a “not found” error - I then thought that the only way to call is through an API - let me revert to the direct call and see what errors I get
Great news! That worked! So I simply removed the “endpoint” parameter in the lambda init code and it works!
So I was under the misunderstanding that to call each other, Lambdas HAVE to go through the API Gateway.
Thanks for your help!