4

I am trying to enable aws-xray for all lambda functions the following way:

serverless.yml

provider:
  tracing:
    lambda: true
    apiGateway: true

  name: aws
  runtime: nodejs8.10

  stage: ${opt:stage, 'dev'}
  region: ${opt:region, 'ca-central-1'}

service.ts

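import * as AWS from 'aws-sdk'
import * as AWSXRay from 'aws-xray-sdk'
import { DocumentClient } from 'aws-sdk/clients/dynamodb'

// Wrap the AWS SDK so that every client created from XAWS is traced by X-Ray
const XAWS = AWSXRay.captureAWS(AWS)
const docClient: DocumentClient = new XAWS.DynamoDB.DocumentClient()
const s3 = new XAWS.S3({signatureVersion: 'v4'})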

After sls deploy I get the following error:

An error occurred: <some_lambda funcion> - The provided execution role does not have permissions to call PutTraceSegments on XRAY (Service: AWSLambdaInternal; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: 364243f8-8847-48ef-87ad-75da2537e7f7).

I am not sure what the problem is. I have also tried deploying with:

  iamRoleStatements:
    - Effect: Allow
      Action:
        - "xray:PutTraceSegments"
        - "xray:PutTelemetryRecords"
      Resource:
        - "*"

Still the same issue.

I would greatly appreciate any help, as I have no idea why this is an issue, especially since I have another project with tracing enabled the exact same way with no issue!

package.json:

{
  "name": "mini-twitter",
  "version": "1.0.0",
  "description": "Serverless Mini-Twitter app",
  "dependencies": {
    "aws-xray-sdk": "^2.2.0",
    "source-map-support": "^0.5.11"
  },
  "devDependencies": {
    "@types/aws-lambda": "^8.10.17",
    "@types/node": "^10.14.4",
    "aws-sdk": "^2.433.0",
    "serverless-iam-roles-per-function": "^1.0.4",
    "serverless-webpack": "^5.2.0",
    "ts-loader": "^5.3.3",
    "typescript": "^3.4.1"
  }
}
Sal B
  • 93
  • 1
  • 8

3 Answers

3

You need to install the plugin:

Like the comment of Gareth McCumskey (thanks!)

Just use:

serverless plugin install --name serverless-plugin-tracing

Or do it manually:

npm install --save-dev serverless-plugin-tracing

And enable it on your serverless.yml:

plugins:
  - serverless-plugin-tracing

Now your file looks like this:

provider:
  name: aws
  stage: test
  tracing: true # enable tracing
  iamRoleStatements:
    - Effect: "Allow" # xray permissions (required)
      Action:
        - "xray:PutTraceSegments"
        - "xray:PutTelemetryRecords"
      Resource:
        - "*"

plugins:
  - serverless-plugin-tracing

More information: https://serverless.com/plugins/serverless-plugin-tracing/

Claudio Acioli
  • 319
  • 1
  • 7
1

If the permission

      - Effect: Allow
        Action:
          - "xray:PutTraceSegments"
          - "xray:PutTelemetryRecords"
        Resource:
          - "*"

which you added was not added globally, then you should also make sure that the function which you mentioned as <some_lambda funcion> in your lambda here has the permissions too, i.e. if you are using a plugin like serverless-iam-roles-per-function. This worked in my case; however, I still don't get the exact cause of the problem, since others work without it.

harisu
  • 1,376
  • 8
  • 17
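
An added example (not from the original posts and not the plugin's own code): a Node.js check that lists the functions whose execution role would lack the two X-Ray actions named in the answers above. It assumes permissions come only from the `iamRoleStatements` written in the file, and that serverless-iam-roles-per-function gives a function its own role when it declares `iamRoleStatements`, including the provider statements only with `iamRoleStatementsInherit: true`; the function names in the sample are hypothetical.

```javascript
// Input is a serverless.yml already parsed into a plain object.
const REQUIRED = ['xray:PutTraceSegments', 'xray:PutTelemetryRecords'];
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
// IAM action patterns may contain '*' (e.g. "xray:*"); matching is case-insensitive.
function actionMatches(pattern, action) {
  const body = pattern.split('*').map(escapeRe).join('.*');
  return new RegExp(`^${body}$`, 'i').test(action);
}

// Required X-Ray actions that no Allow statement on Resource "*" grants.
function missingXrayActions(statements) {
  const allowed = asList(statements)
    .filter((s) => s.Effect === 'Allow' && asList(s.Resource).includes('*'))
    .flatMap((s) => asList(s.Action));
  return REQUIRED.filter((a) => !allowed.some((p) => actionMatches(p, a)));
}

// Assumption: a function that declares iamRoleStatements gets its own role;
// provider statements are included only when iamRoleStatementsInherit is true.
function effectiveStatements(config, fn) {
  const shared = asList(config.provider.iamRoleStatements);
  const perFn = asList(config.plugins).includes('serverless-iam-roles-per-function');
  if (!perFn || fn.iamRoleStatements === undefined) return shared;
  const own = asList(fn.iamRoleStatements);
  return fn.iamRoleStatementsInherit === true ? shared.concat(own) : own;
}

// Map of function name -> missing X-Ray actions, when Lambda tracing is on.
function auditTracing(config) {
  const t = config.provider.tracing;
  if (!(t === true || (t && t.lambda === true))) return {};
  const report = {};
  for (const [name, fn] of Object.entries(config.functions || {})) {
    const missing = missingXrayActions(effectiveStatements(config, fn));
    if (missing.length > 0) report[name] = missing;
  }
  return report;
}

// Constructed sample config (function names are hypothetical).
const xray = { Effect: 'Allow', Action: REQUIRED, Resource: ['*'] };
const dynamo = { Effect: 'Allow', Action: 'dynamodb:PutItem', Resource: '*' };
const sample = {
  provider: { tracing: { lambda: true }, iamRoleStatements: [xray] },
  plugins: ['serverless-iam-roles-per-function'],
  functions: { health: {}, createTweet: { iamRoleStatements: [dynamo] }, getTweets: { iamRoleStatementsInherit: true, iamRoleStatements: [dynamo] } },
};
console.log(auditTracing(sample));
```

Deny statements and the `?` wildcard are not evaluated, so a clean report means only that an explicit Allow for both actions is present.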
0

It seems like the sls deploy command isn't adding the X-Ray permissions to the IAM role. Have you tried manually adding it in?

Go to the AWS Console, navigate to IAM, find the role that corresponds to the deployment, and attach the AWSXrayWriteOnlyAccess policy to the role and see if it works.