
sam local start-api fails with "The security token included in the request is invalid" #3875

Closed
teuber789 opened this issue May 10, 2022 · 5 comments
Labels: area/local/start-api (sam local start-api command), blocked/more-info-needed (More info is needed from the requester. If no response in 14 days, it will become stale.)

Comments

@teuber789

Description:

I have a small API which uses a KMS key to encrypt and decrypt strings. The API works exactly as expected when deployed to AWS, but fails when run locally with "The security token included in the request is invalid".

There are several bugs that have variations on this theme, but all of them are at least six months old. I'm opening this one to address it in newer versions of SAM / the nodejs Docker image.

Steps to reproduce:

  • Download and unzip the encryption-test.zip file
  • Follow the instructions in the "Deploying" section of the readme to deploy the API to AWS
  • Follow the instructions in the "Running locally" section of the readme to run the API locally
  • Run the following two curl commands:
curl \
    --location \
    --request POST \
    'https://<your-api-id>.execute-api.<region>.amazonaws.com/stage/encrypt' \
    --header 'Content-Type: application/json' \
    --data-raw '{
        "data": "hello"
    }'

and

curl \
    --location \
    --request POST \
    'http://127.0.0.1:3000/encrypt' \
    --header 'Content-Type: application/json' \
    --data-raw '{
        "data": "hello"
    }'

The first one (the one that points to AWS) will succeed, but the second one will fail.

Observed result:

sam local start-api --env-vars env.json --debug
2022-05-10 15:59:00,540 | Telemetry endpoint configured to be https://aws-serverless-tools-telemetry.us-west-2.amazonaws.com/metrics
2022-05-10 15:59:00,540 | Using config file: samconfig.toml, config environment: default
2022-05-10 15:59:00,540 | Expand command line arguments to:
2022-05-10 15:59:00,540 | --template_file=/Users/<REDACTED>/code/encryption-test/.aws-sam/build/template.yaml --env_vars=env.json --host=127.0.0.1 --port=3000 --static_dir=public --layer_cache_basedir=/Users/<REDACTED>/.aws-sam/layers-pkg --container_host=localhost --container_host_interface=127.0.0.1 
2022-05-10 15:59:00,640 | local start-api command is called
2022-05-10 15:59:00,672 | Collected default values for parameters: {'PubSubnet1CidrBlock': '10.10.1.0/24', 'PrivateSubnet1CidrBlock': '10.10.2.0/24', 'StageName': 'stage', 'VpcCidrBlock': '10.10.0.0/16'}
2022-05-10 15:59:00,693 | There is no customer defined id or cdk path defined for resource Vpc, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,693 | There is no customer defined id or cdk path defined for resource PubSubnet1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,693 | There is no customer defined id or cdk path defined for resource InternetGateway, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,694 | There is no customer defined id or cdk path defined for resource InternetGatewayAttachment, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,694 | There is no customer defined id or cdk path defined for resource RouteTable, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,694 | There is no customer defined id or cdk path defined for resource PublicInternetRoute, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,694 | There is no customer defined id or cdk path defined for resource PubSubnet1RouteTableAssociation, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,694 | There is no customer defined id or cdk path defined for resource PrivateSubnet1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,694 | There is no customer defined id or cdk path defined for resource NatGateway1EIP, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,694 | There is no customer defined id or cdk path defined for resource NatGateway1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,694 | There is no customer defined id or cdk path defined for resource PrivateRouteTable1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,694 | There is no customer defined id or cdk path defined for resource DefaultPrivateRoute1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,694 | There is no customer defined id or cdk path defined for resource PrivateSubnet1RouteTableAssociation, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,694 | There is no customer defined id or cdk path defined for resource RestApiLambdasSg, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,694 | There is no customer defined id or cdk path defined for resource RestApi, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,694 | There is no customer defined id or cdk path defined for resource RestApiFunctionRole, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,694 | There is no customer defined id or cdk path defined for resource EncryptionKey, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,694 | Sam customer defined id is more priority than other IDs. Customer defined id for resource DecryptFunction is DecryptFunction
2022-05-10 15:59:00,694 | Sam customer defined id is more priority than other IDs. Customer defined id for resource EncryptFunction is EncryptFunction
2022-05-10 15:59:00,694 | There is no customer defined id or cdk path defined for resource EncryptFunctionLogGroup, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,694 | Sam customer defined id is more priority than other IDs. Customer defined id for resource RuntimeDependenciesLayer is RuntimeDependenciesLayer
2022-05-10 15:59:00,695 | Unable to resolve property AllocationId: OrderedDict([('Fn::GetAtt', ['NatGateway1EIP', 'AllocationId'])]). Leaving as is.
2022-05-10 15:59:00,696 | 21 stacks found in the template
2022-05-10 15:59:00,696 | Collected default values for parameters: {'PubSubnet1CidrBlock': '10.10.1.0/24', 'PrivateSubnet1CidrBlock': '10.10.2.0/24', 'StageName': 'stage', 'VpcCidrBlock': '10.10.0.0/16'}
2022-05-10 15:59:00,710 | There is no customer defined id or cdk path defined for resource Vpc, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,710 | There is no customer defined id or cdk path defined for resource PubSubnet1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,710 | There is no customer defined id or cdk path defined for resource InternetGateway, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,710 | There is no customer defined id or cdk path defined for resource InternetGatewayAttachment, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,710 | There is no customer defined id or cdk path defined for resource RouteTable, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,710 | There is no customer defined id or cdk path defined for resource PublicInternetRoute, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,710 | There is no customer defined id or cdk path defined for resource PubSubnet1RouteTableAssociation, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,710 | There is no customer defined id or cdk path defined for resource PrivateSubnet1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,710 | There is no customer defined id or cdk path defined for resource NatGateway1EIP, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,710 | There is no customer defined id or cdk path defined for resource NatGateway1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,710 | There is no customer defined id or cdk path defined for resource PrivateRouteTable1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,710 | There is no customer defined id or cdk path defined for resource DefaultPrivateRoute1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,710 | There is no customer defined id or cdk path defined for resource PrivateSubnet1RouteTableAssociation, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,710 | There is no customer defined id or cdk path defined for resource RestApiLambdasSg, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,711 | There is no customer defined id or cdk path defined for resource RestApi, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,711 | There is no customer defined id or cdk path defined for resource RestApiFunctionRole, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,711 | There is no customer defined id or cdk path defined for resource EncryptionKey, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,711 | Sam customer defined id is more priority than other IDs. Customer defined id for resource DecryptFunction is DecryptFunction
2022-05-10 15:59:00,711 | Sam customer defined id is more priority than other IDs. Customer defined id for resource EncryptFunction is EncryptFunction
2022-05-10 15:59:00,711 | There is no customer defined id or cdk path defined for resource EncryptFunctionLogGroup, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,711 | Sam customer defined id is more priority than other IDs. Customer defined id for resource RuntimeDependenciesLayer is RuntimeDependenciesLayer
2022-05-10 15:59:00,712 | Unable to resolve property AllocationId: OrderedDict([('Fn::GetAtt', ['NatGateway1EIP', 'AllocationId'])]). Leaving as is.
2022-05-10 15:59:00,712 | 21 resources found in the stack 
2022-05-10 15:59:00,712 | Collected default values for parameters: {'PubSubnet1CidrBlock': '10.10.1.0/24', 'PrivateSubnet1CidrBlock': '10.10.2.0/24', 'StageName': 'stage', 'VpcCidrBlock': '10.10.0.0/16'}
2022-05-10 15:59:00,726 | There is no customer defined id or cdk path defined for resource Vpc, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,726 | There is no customer defined id or cdk path defined for resource PubSubnet1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,726 | There is no customer defined id or cdk path defined for resource InternetGateway, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,726 | There is no customer defined id or cdk path defined for resource InternetGatewayAttachment, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,726 | There is no customer defined id or cdk path defined for resource RouteTable, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,726 | There is no customer defined id or cdk path defined for resource PublicInternetRoute, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,726 | There is no customer defined id or cdk path defined for resource PubSubnet1RouteTableAssociation, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,726 | There is no customer defined id or cdk path defined for resource PrivateSubnet1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,726 | There is no customer defined id or cdk path defined for resource NatGateway1EIP, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,726 | There is no customer defined id or cdk path defined for resource NatGateway1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,726 | There is no customer defined id or cdk path defined for resource PrivateRouteTable1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,726 | There is no customer defined id or cdk path defined for resource DefaultPrivateRoute1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,726 | There is no customer defined id or cdk path defined for resource PrivateSubnet1RouteTableAssociation, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,726 | There is no customer defined id or cdk path defined for resource RestApiLambdasSg, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,726 | There is no customer defined id or cdk path defined for resource RestApi, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,726 | There is no customer defined id or cdk path defined for resource RestApiFunctionRole, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,726 | There is no customer defined id or cdk path defined for resource EncryptionKey, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,726 | Sam customer defined id is more priority than other IDs. Customer defined id for resource DecryptFunction is DecryptFunction
2022-05-10 15:59:00,727 | Sam customer defined id is more priority than other IDs. Customer defined id for resource EncryptFunction is EncryptFunction
2022-05-10 15:59:00,727 | There is no customer defined id or cdk path defined for resource EncryptFunctionLogGroup, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,727 | Sam customer defined id is more priority than other IDs. Customer defined id for resource RuntimeDependenciesLayer is RuntimeDependenciesLayer
2022-05-10 15:59:00,728 | Unable to resolve property AllocationId: OrderedDict([('Fn::GetAtt', ['NatGateway1EIP', 'AllocationId'])]). Leaving as is.
2022-05-10 15:59:00,728 | Collected default values for parameters: {'PubSubnet1CidrBlock': '10.10.1.0/24', 'PrivateSubnet1CidrBlock': '10.10.2.0/24', 'StageName': 'stage', 'VpcCidrBlock': '10.10.0.0/16'}
2022-05-10 15:59:00,743 | There is no customer defined id or cdk path defined for resource Vpc, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,743 | There is no customer defined id or cdk path defined for resource PubSubnet1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,743 | There is no customer defined id or cdk path defined for resource InternetGateway, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,743 | There is no customer defined id or cdk path defined for resource InternetGatewayAttachment, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,743 | There is no customer defined id or cdk path defined for resource RouteTable, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,743 | There is no customer defined id or cdk path defined for resource PublicInternetRoute, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,743 | There is no customer defined id or cdk path defined for resource PubSubnet1RouteTableAssociation, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,743 | There is no customer defined id or cdk path defined for resource PrivateSubnet1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,743 | There is no customer defined id or cdk path defined for resource NatGateway1EIP, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,743 | There is no customer defined id or cdk path defined for resource NatGateway1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,743 | There is no customer defined id or cdk path defined for resource PrivateRouteTable1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,744 | There is no customer defined id or cdk path defined for resource DefaultPrivateRoute1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,744 | There is no customer defined id or cdk path defined for resource PrivateSubnet1RouteTableAssociation, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,744 | There is no customer defined id or cdk path defined for resource RestApiLambdasSg, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,744 | There is no customer defined id or cdk path defined for resource RestApi, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,744 | There is no customer defined id or cdk path defined for resource RestApiFunctionRole, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,744 | There is no customer defined id or cdk path defined for resource EncryptionKey, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,744 | Sam customer defined id is more priority than other IDs. Customer defined id for resource DecryptFunction is DecryptFunction
2022-05-10 15:59:00,744 | Sam customer defined id is more priority than other IDs. Customer defined id for resource EncryptFunction is EncryptFunction
2022-05-10 15:59:00,744 | There is no customer defined id or cdk path defined for resource EncryptFunctionLogGroup, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,744 | Sam customer defined id is more priority than other IDs. Customer defined id for resource RuntimeDependenciesLayer is RuntimeDependenciesLayer
2022-05-10 15:59:00,745 | Unable to resolve property AllocationId: OrderedDict([('Fn::GetAtt', ['NatGateway1EIP', 'AllocationId'])]). Leaving as is.
2022-05-10 15:59:00,745 | --base-dir is not presented, adjusting uri RuntimeDependenciesLayer relative to /Users/<REDACTED>/code/encryption-test/.aws-sam/build/template.yaml
2022-05-10 15:59:00,745 | Found Serverless function with name='DecryptFunction' and CodeUri='DecryptFunction'
2022-05-10 15:59:00,745 | --base-dir is not presented, adjusting uri DecryptFunction relative to /Users/<REDACTED>/code/encryption-test/.aws-sam/build/template.yaml
2022-05-10 15:59:00,746 | Collected default values for parameters: {'PubSubnet1CidrBlock': '10.10.1.0/24', 'PrivateSubnet1CidrBlock': '10.10.2.0/24', 'StageName': 'stage', 'VpcCidrBlock': '10.10.0.0/16'}
2022-05-10 15:59:00,759 | There is no customer defined id or cdk path defined for resource Vpc, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,759 | There is no customer defined id or cdk path defined for resource PubSubnet1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,759 | There is no customer defined id or cdk path defined for resource InternetGateway, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,759 | There is no customer defined id or cdk path defined for resource InternetGatewayAttachment, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,759 | There is no customer defined id or cdk path defined for resource RouteTable, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,759 | There is no customer defined id or cdk path defined for resource PublicInternetRoute, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,759 | There is no customer defined id or cdk path defined for resource PubSubnet1RouteTableAssociation, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,760 | There is no customer defined id or cdk path defined for resource PrivateSubnet1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,760 | There is no customer defined id or cdk path defined for resource NatGateway1EIP, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,760 | There is no customer defined id or cdk path defined for resource NatGateway1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,760 | There is no customer defined id or cdk path defined for resource PrivateRouteTable1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,760 | There is no customer defined id or cdk path defined for resource DefaultPrivateRoute1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,760 | There is no customer defined id or cdk path defined for resource PrivateSubnet1RouteTableAssociation, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,760 | There is no customer defined id or cdk path defined for resource RestApiLambdasSg, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,760 | There is no customer defined id or cdk path defined for resource RestApi, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,760 | There is no customer defined id or cdk path defined for resource RestApiFunctionRole, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,760 | There is no customer defined id or cdk path defined for resource EncryptionKey, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,760 | Sam customer defined id is more priority than other IDs. Customer defined id for resource DecryptFunction is DecryptFunction
2022-05-10 15:59:00,760 | Sam customer defined id is more priority than other IDs. Customer defined id for resource EncryptFunction is EncryptFunction
2022-05-10 15:59:00,760 | There is no customer defined id or cdk path defined for resource EncryptFunctionLogGroup, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,760 | Sam customer defined id is more priority than other IDs. Customer defined id for resource RuntimeDependenciesLayer is RuntimeDependenciesLayer
2022-05-10 15:59:00,761 | Unable to resolve property AllocationId: OrderedDict([('Fn::GetAtt', ['NatGateway1EIP', 'AllocationId'])]). Leaving as is.
2022-05-10 15:59:00,762 | --base-dir is not presented, adjusting uri RuntimeDependenciesLayer relative to /Users/<REDACTED>/code/encryption-test/.aws-sam/build/template.yaml
2022-05-10 15:59:00,762 | Found Serverless function with name='EncryptFunction' and CodeUri='EncryptFunction'
2022-05-10 15:59:00,762 | --base-dir is not presented, adjusting uri EncryptFunction relative to /Users/<REDACTED>/code/encryption-test/.aws-sam/build/template.yaml
2022-05-10 15:59:00,769 | Collected default values for parameters: {'PubSubnet1CidrBlock': '10.10.1.0/24', 'PrivateSubnet1CidrBlock': '10.10.2.0/24', 'StageName': 'stage', 'VpcCidrBlock': '10.10.0.0/16'}
2022-05-10 15:59:00,785 | There is no customer defined id or cdk path defined for resource Vpc, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,785 | There is no customer defined id or cdk path defined for resource PubSubnet1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,785 | There is no customer defined id or cdk path defined for resource InternetGateway, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,785 | There is no customer defined id or cdk path defined for resource InternetGatewayAttachment, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,785 | There is no customer defined id or cdk path defined for resource RouteTable, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,785 | There is no customer defined id or cdk path defined for resource PublicInternetRoute, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,785 | There is no customer defined id or cdk path defined for resource PubSubnet1RouteTableAssociation, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,785 | There is no customer defined id or cdk path defined for resource PrivateSubnet1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,785 | There is no customer defined id or cdk path defined for resource NatGateway1EIP, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,785 | There is no customer defined id or cdk path defined for resource NatGateway1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,785 | There is no customer defined id or cdk path defined for resource PrivateRouteTable1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,786 | There is no customer defined id or cdk path defined for resource DefaultPrivateRoute1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,786 | There is no customer defined id or cdk path defined for resource PrivateSubnet1RouteTableAssociation, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,786 | There is no customer defined id or cdk path defined for resource RestApiLambdasSg, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,786 | There is no customer defined id or cdk path defined for resource RestApi, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,786 | There is no customer defined id or cdk path defined for resource RestApiFunctionRole, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,786 | There is no customer defined id or cdk path defined for resource EncryptionKey, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,786 | Sam customer defined id is more priority than other IDs. Customer defined id for resource DecryptFunction is DecryptFunction
2022-05-10 15:59:00,786 | Sam customer defined id is more priority than other IDs. Customer defined id for resource EncryptFunction is EncryptFunction
2022-05-10 15:59:00,786 | There is no customer defined id or cdk path defined for resource EncryptFunctionLogGroup, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,786 | Sam customer defined id is more priority than other IDs. Customer defined id for resource RuntimeDependenciesLayer is RuntimeDependenciesLayer
2022-05-10 15:59:00,787 | Unable to resolve property AllocationId: OrderedDict([('Fn::GetAtt', ['NatGateway1EIP', 'AllocationId'])]). Leaving as is.
2022-05-10 15:59:00,788 | Collected default values for parameters: {'PubSubnet1CidrBlock': '10.10.1.0/24', 'PrivateSubnet1CidrBlock': '10.10.2.0/24', 'StageName': 'stage', 'VpcCidrBlock': '10.10.0.0/16'}
2022-05-10 15:59:00,801 | There is no customer defined id or cdk path defined for resource Vpc, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,801 | There is no customer defined id or cdk path defined for resource PubSubnet1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,801 | There is no customer defined id or cdk path defined for resource InternetGateway, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,801 | There is no customer defined id or cdk path defined for resource InternetGatewayAttachment, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,801 | There is no customer defined id or cdk path defined for resource RouteTable, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,801 | There is no customer defined id or cdk path defined for resource PublicInternetRoute, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,801 | There is no customer defined id or cdk path defined for resource PubSubnet1RouteTableAssociation, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,801 | There is no customer defined id or cdk path defined for resource PrivateSubnet1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,802 | There is no customer defined id or cdk path defined for resource NatGateway1EIP, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,802 | There is no customer defined id or cdk path defined for resource NatGateway1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,802 | There is no customer defined id or cdk path defined for resource PrivateRouteTable1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,802 | There is no customer defined id or cdk path defined for resource DefaultPrivateRoute1, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,802 | There is no customer defined id or cdk path defined for resource PrivateSubnet1RouteTableAssociation, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,802 | There is no customer defined id or cdk path defined for resource RestApiLambdasSg, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,802 | There is no customer defined id or cdk path defined for resource RestApi, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,802 | There is no customer defined id or cdk path defined for resource RestApiFunctionRole, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,802 | There is no customer defined id or cdk path defined for resource EncryptionKey, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,802 | Sam customer defined id is more priority than other IDs. Customer defined id for resource DecryptFunction is DecryptFunction
2022-05-10 15:59:00,802 | Sam customer defined id is more priority than other IDs. Customer defined id for resource EncryptFunction is EncryptFunction
2022-05-10 15:59:00,802 | There is no customer defined id or cdk path defined for resource EncryptFunctionLogGroup, so we will use the resource logical id as the resource id
2022-05-10 15:59:00,802 | Sam customer defined id is more priority than other IDs. Customer defined id for resource RuntimeDependenciesLayer is RuntimeDependenciesLayer
2022-05-10 15:59:00,803 | Unable to resolve property AllocationId: OrderedDict([('Fn::GetAtt', ['NatGateway1EIP', 'AllocationId'])]). Leaving as is.
2022-05-10 15:59:00,803 | Detected Inline Swagger definition
2022-05-10 15:59:00,803 | Lambda function integration not found in Swagger document at path='/encrypt' method='post'
2022-05-10 15:59:00,803 | Lambda function integration not found in Swagger document at path='/decrypt' method='post'
2022-05-10 15:59:00,803 | Found '0' APIs in resource 'RestApi'
2022-05-10 15:59:00,804 | Found '1' API Events in Serverless function with name 'DecryptFunction'
2022-05-10 15:59:00,804 | Found '1' API Events in Serverless function with name 'EncryptFunction'
2022-05-10 15:59:00,804 | Removed duplicates from '2' Explicit APIs and '0' Implicit APIs to produce '2' APIs
2022-05-10 15:59:00,804 | 2 APIs found in the template
2022-05-10 15:59:00,810 | Mounting DecryptFunction at http://127.0.0.1:3000/decrypt [POST]
2022-05-10 15:59:00,810 | Mounting EncryptFunction at http://127.0.0.1:3000/encrypt [POST]
2022-05-10 15:59:00,810 | You can now browse to the above endpoints to invoke your functions. You do not need to restart/reload SAM CLI while working on your functions, changes will be reflected instantly/automatically. You only need to restart SAM CLI if you update your AWS SAM template
2022-05-10 15:59:00,810 | Localhost server is starting up. Multi-threading = True
2022-05-10 15:59:00  * Running on http://127.0.0.1:3000/ (Press CTRL+C to quit)
2022-05-10 15:59:21,139 | Constructed String representation of Event to invoke Lambda. Event: {"body": "{\n        \"data\": \"hello\"\n    }", "headers": {"Accept": "*/*", "Content-Length": "31", "Content-Type": "application/json", "Host": "127.0.0.1:3000", "User-Agent": "curl/7.79.1", "X-Forwarded-Port": "3000", "X-Forwarded-Proto": "http"}, "httpMethod": "POST", "isBase64Encoded": false, "multiValueHeaders": {"Accept": ["*/*"], "Content-Length": ["31"], "Content-Type": ["application/json"], "Host": ["127.0.0.1:3000"], "User-Agent": ["curl/7.79.1"], "X-Forwarded-Port": ["3000"], "X-Forwarded-Proto": ["http"]}, "multiValueQueryStringParameters": null, "path": "/encrypt", "pathParameters": null, "queryStringParameters": null, "requestContext": {"accountId": "123456789012", "apiId": "1234567890", "domainName": "127.0.0.1:3000", "extendedRequestId": null, "httpMethod": "POST", "identity": {"accountId": null, "apiKey": null, "caller": null, "cognitoAuthenticationProvider": null, "cognitoAuthenticationType": null, "cognitoIdentityPoolId": null, "sourceIp": "127.0.0.1", "user": null, "userAgent": "Custom User Agent String", "userArn": null}, "path": "/encrypt", "protocol": "HTTP/1.1", "requestId": "b59d7f61-2b01-40f7-994f-8112d7826c68", "requestTime": "10/May/2022:19:59:00 +0000", "requestTimeEpoch": 1652212740, "resourceId": "123456", "resourcePath": "/encrypt", "stage": "stage"}, "resource": "/encrypt", "stageVariables": null, "version": "1.0"}
2022-05-10 15:59:21,139 | Found one Lambda function with name 'EncryptFunction'
2022-05-10 15:59:21,139 | Invoking dist/handlers/encrypt.handler (nodejs14.x)
2022-05-10 15:59:21,139 | Environment variables overrides data is standard format
2022-05-10 15:59:21,139 | Loading AWS credentials from session with profile 'None'
2022-05-10 15:59:21,156 | Resolving code path. Cwd=/Users/<REDACTED>/code/encryption-test/.aws-sam/build, CodeUri=/Users/<REDACTED>/code/encryption-test/.aws-sam/build/EncryptFunction
2022-05-10 15:59:21,156 | Resolved absolute path to code is /Users/<REDACTED>/code/encryption-test/.aws-sam/build/EncryptFunction
2022-05-10 15:59:21,156 | Code /Users/<REDACTED>/code/encryption-test/.aws-sam/build/EncryptFunction is not a zip/jar file
2022-05-10 15:59:21,156 | Code /Users/<REDACTED>/code/encryption-test/.aws-sam/build/RuntimeDependenciesLayer is not a zip/jar file
2022-05-10 15:59:21,156 | RuntimeDependenciesLayer is a local Layer in the template
2022-05-10 15:59:21,157 | Resolving code path. Cwd=/Users/<REDACTED>/code/encryption-test/.aws-sam/build, CodeUri=/Users/<REDACTED>/code/encryption-test/.aws-sam/build/RuntimeDependenciesLayer
Building image........................
2022-05-10 15:59:24,740 | Skip pulling image and use local one: samcli/lambda:nodejs14.x-x86_64-f88a901bbe51b578e9260ae49.

2022-05-10 15:59:24,740 | Mounting /Users/<REDACTED>/code/encryption-test/.aws-sam/build/EncryptFunction as /var/task:ro,delegated inside runtime container
2022-05-10 15:59:25,109 | Starting a timer for 100 seconds for function 'EncryptFunction'
START RequestId: c5583bab-d999-4005-a2ae-dbedaedaa09c Version: $LATEST
2022-05-10T19:59:25.856Z	c5583bab-d999-4005-a2ae-dbedaedaa09c	ERROR	UnrecognizedClientException: The security token include} retryDelay: 84.6510267486841a9-9f36-cd06e2612b08',es/aws-sdk/lib/sequential_executor.js:116:18) {
END RequestId: c5583bab-d999-4005-a2ae-dbedaedaa09c
REPORT RequestId: c5583bab-d999-4005-a2ae-dbedaedaa09c	Init Duration: 0.26 ms	Duration: 719.25 ms	Billed Duration: 720 ms	Memory Size: 1024 MB	Max Memory Used: 1024 MB	
2022-05-10 15:59:26,017 | Cleaning all decompressed code dirs
2022-05-10 15:59:26,017 | Unable to find Click Context for getting session_id.
2022-05-10 15:59:26 127.0.0.1 - - [10/May/2022 15:59:26] "POST /encrypt HTTP/1.1" 400 -

Expected result:

Making the curl call against sam local start-api should work the same as against API Gateway.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

  1. OS: macOS Monterey 12.3.1
  2. sam --version: SAM CLI, version 1.46.0
  3. AWS region: us-east-2

I'm running nodejs 14.x with image samcli/lambda:nodejs14.x-x86_64-f88a901bbe51b578e9260ae49.

Add --debug flag to command you are running

@teuber789
Author

encryption-test.zip

@mndeveci
Contributor

Thanks for raising this issue, but I wasn't able to reproduce with your example template. When I ran the curl commands against the deployment in the cloud or on my local machine, I was able to decrypt or encrypt text without any issues.

When you run sam local commands, they will be using the credentials on your local machine. For that reason, the user configured on your local machine should have access to use this KMS key; otherwise you will get an exception. After deploying your stack, you can run the following AWS CLI commands to confirm that your local user has permission to decrypt or encrypt text with that KMS key:

$ aws kms encrypt --plaintext $(echo "hello" | base64) --key-id {KMS Key ID}
$ aws kms decrypt --ciphertext-blob {output from first command} --key-id {KMS Key ID}
$ echo {output from second command} | base64 -d
hello

If your local user permissions should stay as they are, then I would recommend using the SAM Accelerate feature, which gives you the ability to develop your serverless application in the cloud.

https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/accelerate.html
https://aws.amazon.com/blogs/compute/accelerating-serverless-development-with-aws-sam-accelerate/

@mndeveci mndeveci added blocked/more-info-needed More info is needed from the requester. If no response in 14 days, it will become stale. area/local/start-api sam local start-api command labels May 11, 2022
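The check mndeveci describes, written out as a preflight script you can run before `sam local start-api`. This is an added example, not code from the issue or from SAM CLI. It assumes the AWS CLI is on PATH, that you pass the KMS key id as the first argument, and that you run it under the same profile (`AWS_PROFILE`) that sam local will use. It first calls STS, which fails with the same "security token ... invalid" error as the Lambda did when the local credentials are bad, so a credential problem is separated from a KMS key-policy problem; it then does an encrypt/decrypt round trip using `fileb://` for the blob parameters, which behaves the same under AWS CLI v1 and v2 (v2 otherwise expects base64 for blob arguments, v1 raw bytes):

```shell
#!/bin/sh
# Preflight check for running SAM locally against a real KMS key.
# Added example (not from the issue or SAM CLI). Assumes: aws CLI in PATH,
# $1 = KMS key id or ARN, AWS_PROFILE set to the profile sam local will use.

# Pull one string field out of the JSON the AWS CLI prints
# (pretty-printed or single line). Pure text processing, no AWS access.
json_field() {
  sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

# Decode the Plaintext field of an `aws kms decrypt` response back to the
# original bytes. $1 = the JSON response text.
decrypt_response_plaintext() {
  printf '%s' "$1" | json_field Plaintext | base64 -d
}

# Bad or expired credentials fail here before any KMS call is made.
check_caller_identity() {
  aws sts get-caller-identity --query Arn --output text
}

# Encrypt and decrypt a fixed string with the key and confirm it round-trips.
# Returns 0 on success, 1 on mismatch or CLI failure.
kms_roundtrip() {
  key_id=$1
  tmp=$(mktemp -d) || return 1
  printf 'hello' > "$tmp/plain"
  aws kms encrypt --key-id "$key_id" --plaintext "fileb://$tmp/plain" \
      --query CiphertextBlob --output text | base64 -d > "$tmp/cipher" || return 1
  resp=$(aws kms decrypt --key-id "$key_id" --ciphertext-blob "fileb://$tmp/cipher" \
      --output json) || return 1
  rm -rf "$tmp"
  [ "$(decrypt_response_plaintext "$resp")" = "hello" ]
}

# Usage: AWS_PROFILE=dev sh kms_preflight.sh <KMS key id>
if [ -n "$1" ]; then
  arn=$(check_caller_identity) || exit 1
  printf 'Running as %s\n' "$arn"
  if kms_roundtrip "$1"; then
    printf 'KMS round trip OK; sam local should be able to use this key\n'
  else
    printf 'KMS round trip failed: check the key policy / IAM permissions for the identity above\n' >&2
    exit 1
  fi
fi
```

If the STS call fails, the problem is the credential chain on the host (expired session, wrong profile, stale `AWS_SESSION_TOKEN`), not the template; if STS succeeds and the round trip fails, the identity printed is the one that needs `kms:Encrypt`/`kms:Decrypt` on the key.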
@teuber789
Author

teuber789 commented May 11, 2022

Thank you for this! I haven't tried that; I'll give it a try here shortly.

This brings up another related question. You'll see in the template that the lambda function obtains its IAM permissions from the RestApiFunctionRole, which has access to the encryption key. Why don't functions created locally using sam local start-api or sam local invoke assume this role as well? Why do they depend on the user's configured credentials when the template itself has already configured them?

I ask because we have a lot of cases where the credentials used for development differ significantly from the ones the function will run with in the cloud. I'd expect that sam local would provide a development environment that behaves exactly like the cloud, just running locally. Otherwise, there will undoubtedly be scenarios where a function will work locally but fail in the cloud, or vice versa. This results in an inconsistent and sub-par local development experience.

@mndeveci
Contributor

Thanks for your feedback.

That is the reason why we have implemented the Accelerate features. It is not possible to test all the aspects of serverless functions on your local machine. As you mentioned, we can't assume the role that is used in the template with sam local commands. And also, we can't provide local emulations for all the other services that AWS offers.

For that reason I would highly recommend giving Accelerate a try. If you have any questions or concerns, please feel free to comment under issue #3264 or create a new one.

I will keep this one open until I get your feedback, to see if there are any issues with the emulation image that we have.
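SAM CLI does not assume the template's role for you, as mndeveci says, but you can approximate it by hand: assume the deployed execution role with STS and export the temporary credentials before starting sam local, which injects the host's resolved credentials into the runtime container. This is an added example, not code from the issue or from SAM CLI. It assumes the role's trust policy has been extended to allow your developer principal to assume it (a Lambda execution role by default trusts only `lambda.amazonaws.com`), and the role ARN shown is a placeholder:

```shell
#!/bin/sh
# Run sam local under the deployed function's execution role.
# Added example (not from the issue or SAM CLI). Assumes: aws CLI in PATH,
# $1 = ARN of the role from the template (placeholder below), and a trust
# policy on that role that permits your IAM principal to call sts:AssumeRole.

# Pull one string field out of the JSON the AWS CLI prints.
json_field() {
  sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

# Convert an `aws sts assume-role` response into export statements for the
# three variables the SDK credential chain reads first. $1 = JSON text.
sts_to_exports() {
  resp=$1
  printf 'export AWS_ACCESS_KEY_ID=%s\n'     "$(printf '%s' "$resp" | json_field AccessKeyId)"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$(printf '%s' "$resp" | json_field SecretAccessKey)"
  printf 'export AWS_SESSION_TOKEN=%s\n'     "$(printf '%s' "$resp" | json_field SessionToken)"
}

# Usage (placeholder role ARN):
#   eval "$(sh assume_function_role.sh arn:aws:iam::123456789012:role/RestApiFunctionRole)"
#   sam local start-api --env-vars env.json
if [ -n "$1" ]; then
  resp=$(aws sts assume-role --role-arn "$1" --role-session-name sam-local-dev \
      --output json) || exit 1
  sts_to_exports "$resp"
fi
```

The exported session is temporary (one hour by default), so re-run the `eval` when sam local starts failing again with the invalid-token error. Widening the role's trust policy lets whoever is trusted act with the function's permissions, so keep this to a development account and trust a specific principal rather than the whole account.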

@teuber789
Author

Thanks for this!

I was able to get the sample to work using my local credentials. Closing.
