
I have a C# AWS Lambda function created using AWS SAM. The function tries to get parameters from Systems Management using this code:

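```csharp
using System.Threading.Tasks;
using Amazon;
using Amazon.SimpleSystemsManagement;
using Amazon.SimpleSystemsManagement.Model;

// Reads one parameter under the /project-name/ prefix from SSM Parameter Store.
public async Task<string> GetConfiguration(string parameterName)
{
    var request = new GetParameterRequest
    {
        Name = $"/project-name/{parameterName}",
        WithDecryption = true // decrypt SecureString values
    };

    // No credentials are passed here, so the SDK resolves them from the environment it runs in.
    using (var client = new AmazonSimpleSystemsManagementClient(RegionEndpoint.EUWest1))
    {
        var response = await client.GetParameterAsync(request);
        return response.Parameter.Value;
    }
}
```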

The SAM template specifies the function runs as an IAM user with ssm:GetParameter* permissions. When I deploy the function to AWS, this code works exactly as expected. If I hit run in Visual Studio, the API is also able to access the parameters.

However, when I run the code locally with `sam local start-api`

I get this exception:

```
[Error] Amazon.Lambda.AspNetCoreServer.AbstractAspNetCoreFunction: Unknown error responding to request: AmazonSimpleSystemsManagementException: Amazon.SimpleSystemsManagement.AmazonSimpleSystemsManagementException: The security token included in the request is invalid
 ---> Amazon.Runtime.Internal.HttpErrorResponseException: Exception of type Amazon.Runtime.Internal.HttpErrorResponseException was thrown.
   at Amazon.Runtime.HttpWebRequestMessage.GetResponseAsync(CancellationToken cancellationToken)
   at Amazon.Runtime.Internal.HttpHandler1.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.Unmarshaller.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.ErrorHandler.InvokeAsync[T](IExecutionContext executionContext)
   --- End of inner exception stack trace ---
   at Amazon.Runtime.Internal.HttpErrorResponseExceptionHandler.HandleException(IExecutionContext executionContext, HttpErrorResponseException exception)
   at Amazon.Runtime.Internal.ExceptionHandler1.Handle(IExecutionContext executionContext, Exception exception)
   at Amazon.Runtime.Internal.ErrorHandler.ProcessException(IExecutionContext executionContext, Exception exception)
   at Amazon.Runtime.Internal.ErrorHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.EndpointDiscoveryHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.EndpointDiscoveryHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.CredentialsRetriever.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.RetryHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.RetryHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.ErrorCallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.MetricsHandler.InvokeAsync[T](IExecutionContext executionContext)
```

I'm struggling to work out why or how to get it working.

infojolt
  • I understand that you deploy your Lambda function locally using AWS SAM CLI. Which SSM endpoint are you using when running the local Lambda? Do you start a local mock of the SSM service or do you connect to the endpoint in the cloud? If the latter is true, how do you specify permissions for your Lambda? Could you paste your template? – Martin Löper May 22 '20 at 23:46
  • [start-api](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-cli-command-reference-sam-local-start-api.html) also takes `--profile TEXT`. Maybe you have to specify the correct profile to be used. Seems like some permission issue: "The security token included in the request is invalid" – Marcin May 27 '20 at 09:09
  • @Marcin I have tried specifying `--profile=default`, which is the name of my local profile, but this makes no difference. Is there a way of viewing which IAM role the function is running as? – infojolt Jul 06 '20 at 11:26

1 Answer

I think that your local machine is not yet configured to call AWS API.

While you're running code using AWS on your local machine, you have to confirm you configured your environment with client credentials.

To confirm that, please verify you have generated an access key for your IAM user. Here you'll find a detailed answer about how to find your access keys and how to generate a new one: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey

The next step is to configure your local environment. You have to store the access key and secret on your local machine. You have two options:

  • use security profiles file
  • use environment variables

If you choose the first option, run the command `aws configure` from your CLI (terminal). Then, you will be asked to put in your credentials and set the default region and output for the default profile. This profile is used by all code calls (including your SDK). You can check all available profiles in the file `~/.aws/credentials` (on Windows it's in `C:/Users/<your-username>/.aws/credentials`). It may be the case that you already configured the profile with a non-default name. Then, your C# code needs to call this profile explicitly - the same applies to CLI calls, just like Marcin pointed out in a comment below your question.

If you choose the second option, then you need to set your environment variables: `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. Details about environment variables are available here: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html

michail_w
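An added example, not part of the original question or answer: a small Python audit of the two credential locations the answer names (environment variables and the profiles file) that reports what is set without printing any secret. The `AKIA` (long-term) and `ASIA` (temporary) prefix checks are a heuristic for the "security token included in the request is invalid" error; the function names and all sample keys are constructed for illustration.

```python
import configparser

# Constructed sample input (not real credentials).
SAMPLE_ENV = {"AWS_ACCESS_KEY_ID": "ASIAEXAMPLEEXAMPLE01",
              "AWS_SECRET_ACCESS_KEY": "constructed-secret"}
SAMPLE_FILE = ("[default]\n"
               "aws_access_key_id = AKIAEXAMPLEEXAMPLE02\n"
               "aws_secret_access_key = constructed-secret\n")

def mask(key_id):
    """Show only enough of an access key ID to recognise it."""
    return key_id[:4] + "..." + key_id[-4:] if len(key_id) > 8 else "****"

def check_source(label, key_id, secret, token):
    """Return findings for one credential source; the secret is never echoed."""
    if not key_id and not secret:
        return []
    shown = mask(key_id) if key_id else "<missing>"
    findings = [f"{label}: credentials found, key ID {shown}"]
    if not (key_id and secret):
        findings.append(f"{label}: access key ID and secret must both be set")
    if (key_id or "").startswith("ASIA") and not token:
        findings.append(f"{label}: temporary (ASIA) key without a session token")
    if (key_id or "").startswith("AKIA") and token:
        findings.append(f"{label}: long-term (AKIA) key with a leftover session token")
    return findings

def audit(env, credentials_text, profile="default"):
    """Audit environment variables and one profile of a credentials file."""
    findings = check_source("env", env.get("AWS_ACCESS_KEY_ID"),
                            env.get("AWS_SECRET_ACCESS_KEY"),
                            env.get("AWS_SESSION_TOKEN"))
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(credentials_text)
    if not parser.has_section(profile):
        findings.append(f"profile [{profile}]: not found in credentials file")
    else:
        section = parser[profile]
        findings += check_source(f"profile [{profile}]",
                                 section.get("aws_access_key_id"),
                                 section.get("aws_secret_access_key"),
                                 section.get("aws_session_token"))
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_ENV, SAMPLE_FILE):
        print(line)
```

To audit a real machine, pass `dict(os.environ)` and the text of `~/.aws/credentials`, with the same profile name given to `sam local start-api --profile`.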