I have an API Gateway resource that runs a lambda function. I'm calling the API Gateway resource using the AWS Generated SDK from my Api Gateway.
Here's the portion of the stacktrace from my client that seems relevant:
Caused by: com.amazonaws.mobileconnectors.apigateway.ApiClientException: {"message": "Internal server error"} (Service: DevnetcountableClient; Status Code: 500; Error Code: null; Request ID: 348e8f98-6f55-11e6-97f6-098c2caf220f)
at com.amazonaws.mobileconnectors.apigateway.ApiClientHandler.handleResponse(ApiClientHandler.java:255) at com.amazonaws.mobileconnectors.apigateway.ApiClientHandler.invoke(ApiClientHandler.java:88)
at java.lang.reflect.Proxy.invoke(Proxy.java:393)
at $Proxy1.accountCreatePost(Unknown Source)
Now looking at the AWS console, within my Api Gateway Dashboard I see the requests coming in and resulting in "AWS/ApiGateway 5XXError". However there are 0 logs (that I can find). My lambda function does NOT appear to be called, and no lambda logs are shown.
Right now this is what my lambda looks like:
module.exports.createAccount = function(event, context, cb) {
console.log('createAccount');
console.log(event);
console.log(context);
console.log(cb);
cb(null, {status: 'SUCCESS', message: 'I ran!'});
};
What can I do to debug this?
Edit: Okay here is the cloudformation script that's throwing everything together.
{
"AWSTemplateFormatVersion":"2010-09-09",
"Description":"The AWS CloudFormation template for this Serverless application",
"Resources":{
"ServerlessDeploymentBucket":{
"Type":"AWS::S3::Bucket"
},
"IamRoleLambda":{
"Type":"AWS::IAM::Role",
"Properties":{
"AssumeRolePolicyDocument":{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":[
"lambda.amazonaws.com"
]
},
"Action":[
"sts:AssumeRole"
]
}
]
},
"Path":"/"
}
},
"IamPolicyLambda":{
"Type":"AWS::IAM::Policy",
"Properties":{
"PolicyName":"dev-coolsoftware-lambda",
"PolicyDocument":{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource":"arn:aws:logs:us-west-2:*:*"
}
]
},
"Roles":[
{
"Ref":"IamRoleLambda"
}
]
}
},
"createAccount":{
"Type":"AWS::Lambda::Function",
"Properties":{
"Code":{
"S3Bucket":{
"Ref":"ServerlessDeploymentBucket"
},
"S3Key":"coolsoftware-1472853507538.zip"
},
"FunctionName":"coolsoftware-dev-createAccount",
"Handler":"handler.createAccount",
"MemorySize":128,
"Role":{
"Fn::GetAtt":[
"IamRoleLambda",
"Arn"
]
},
"Runtime":"nodejs4.3",
"Timeout":30
}
},
"RestApiApigEvent":{
"Type":"AWS::ApiGateway::RestApi",
"Properties":{
"Name":"dev-coolsoftware"
}
},
"ResourceApigEventCreateaccountAccount":{
"Type":"AWS::ApiGateway::Resource",
"Properties":{
"ParentId":{
"Fn::GetAtt":[
"RestApiApigEvent",
"RootResourceId"
]
},
"PathPart":"account",
"RestApiId":{
"Ref":"RestApiApigEvent"
}
}
},
"PutMethodApigEventCreateaccountAccount":{
"Type":"AWS::ApiGateway::Method",
"Properties":{
"AuthorizationType":"AWS_IAM",
"HttpMethod":"PUT",
"MethodResponses":[
{
"ResponseModels":{
"application/json":"AccountCreationResponseModel"
},
"ResponseParameters":{
},
"StatusCode":"200"
}
],
"RequestParameters":{
},
"Integration":{
"IntegrationHttpMethod":"POST",
"Type":"AWS",
"Uri":{
"Fn::Join":[
"",
[
"arn:aws:apigateway:",
{
"Ref":"AWS::Region"
},
":lambda:path/2015-03-31/functions/",
{
"Fn::GetAtt":[
"createAccount",
"Arn"
]
},
"/invocations"
]
]
},
"RequestTemplates":{
"application/json":"\n #define( $loop )\n {\n #foreach($key in $map.keySet())\n \"$util.escapeJavaScript($key)\":\n \"$util.escapeJavaScript($map.get($key))\"\n #if( $foreach.hasNext ) , #end\n #end\n }\n #end\n {\n \"body\": $input.json(\"$\"),\n \"method\": \"$context.httpMethod\",\n \"principalId\": \"$context.authorizer.principalId\",\n \"stage\": \"$context.stage\",\n\n #set( $map = $input.params().header )\n \"headers\": $loop,\n\n #set( $map = $input.params().querystring )\n \"query\": $loop,\n\n #set( $map = $input.params().path )\n \"path\": $loop,\n\n #set( $map = $context.identity )\n \"identity\": $loop,\n\n #set( $map = $stageVariables )\n \"stageVariables\": $loop\n }\n "
},
"IntegrationResponses":[
{
"StatusCode":"200",
"ResponseParameters":{
},
"ResponseTemplates":{
"application/json":""
}
}
]
},
"ResourceId":{
"Ref":"ResourceApigEventCreateaccountAccount"
},
"RestApiId":{
"Ref":"RestApiApigEvent"
},
"RequestModels":{
"application/json":"AccountCreationRequestModel"
}
}
},
"DeploymentApigEvent1472853508283":{
"Type":"AWS::ApiGateway::Deployment",
"Properties":{
"RestApiId":{
"Ref":"RestApiApigEvent"
},
"StageName":"dev"
},
"DependsOn":[
"PutMethodApigEventCreateaccountAccount"
]
},
"createAccountApigPermission":{
"Type":"AWS::Lambda::Permission",
"Properties":{
"FunctionName":{
"Fn::GetAtt":[
"createAccount",
"Arn"
]
},
"Action":"lambda:InvokeFunction",
"Principal":"apigateway.amazonaws.com"
}
},
"DynamoDBTableAccounts":{
"Type":"AWS::DynamoDB::Table",
"DeletionPolicy":"Retain",
"Properties":{
"TableName":"dev-coolsoftware-accounts",
"ProvisionedThroughput":{
"ReadCapacityUnits":1,
"WriteCapacityUnits":1
},
"AttributeDefinitions":[
{
"AttributeName":"accountid",
"AttributeType":"S"
}
],
"KeySchema":[
{
"AttributeName":"accountid",
"KeyType":"HASH"
}
]
}
},
"AccountCreationRequestModel":{
"Type":"AWS::ApiGateway::Model",
"Properties":{
"RestApiId":{
"Ref":"RestApiApigEvent"
},
"ContentType":"application/json",
"Description":"Schema for AccountCreationRequestModel",
"Name":"AccountCreationRequestModel",
"Schema":{
"$schema":"http://json-schema.org/draft-04/schema#",
"title":"AccountCreationRequestModel",
"type":"object",
"properties":{
"publickey":{
"type":"string"
},
"deviceid":{
"type":"string"
}
}
}
}
},
"AccountCreationResponseModel":{
"Type":"AWS::ApiGateway::Model",
"Properties":{
"RestApiId":{
"Ref":"RestApiApigEvent"
},
"ContentType":"application/json",
"Description":"Schema for AccountCreationResponseModel",
"Name":"AccountCreationResponseModel",
"Schema":{
"$schema":"http://json-schema.org/draft-04/schema#",
"title":"AccountCreationResponseModel",
"type":"object",
"properties":{
"status":{
"type":"string"
},
"message":{
"type":"string"
}
}
}
}
},
"FailureResponseModel":{
"Type":"AWS::ApiGateway::Model",
"Properties":{
"RestApiId":{
"Ref":"RestApiApigEvent"
},
"ContentType":"application/json",
"Description":"Schema for FailureResponseModel",
"Name":"FailureResponseModel",
"Schema":{
"$schema":"http://json-schema.org/draft-04/schema#",
"title":"FailureResponseModel",
"type":"object",
"properties":{
"status":{
"type":"string"
},
"message":{
"type":"string"
}
}
}
}
}
},
"Outputs":{
"ServerlessDeploymentBucketName":{
"Value":{
"Ref":"ServerlessDeploymentBucket"
}
},
"Function1Arn":{
"Description":"Lambda function info",
"Value":{
"Fn::GetAtt":[
"createAccount",
"Arn"
]
}
},
"ServiceEndpoint":{
"Description":"URL of the service endpoint",
"Value":{
"Fn::Join":[
"",
[
"https://",
{
"Ref":"RestApiApigEvent"
},
".execute-api.us-west-2.amazonaws.com/dev"
]
]
}
}
}
}
Edit 2: When I test the endpoint using API Gateway's test feature in the AWS Console everything works great :/
Edit 3: Updated the cloudformation script again--still not working.
How to Debug:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents",
"logs:FilterLogEvents"
],
"Resource": "*"
}
]
}
With the following trust policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "apigateway.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
In API Gateway console for your API's region: Go to settings >>> Enter in the ARN of the API Gateway-CloudWatch logging role >>> click 'Save'
Go to the stage of your API. Under 'CloudWatch Settings', select 'Enable CloudWatch Logs'. Set 'Log level' to 'INFO'. Select 'Log full requests/responses data'.
Redeploy your API to that stage: Go to the 'Resources' tab for your API. Select Actions >>> Deploy API.
Make requests, wait a few minutes, and see what the logs say (in CloudWatch).
The Error:
The Cause:
Once I enabled "Invoke with caller credentials" using Credentials: 'arn:aws:iam::*:user/*'
, the caller's IAM role didn't have access to invoke the lambda function. This resulted in the 500 error. Once I gave the caller's IAM role access, everything started to work properly.