When I try to access resources from AWS via boto3 (for example, secrets from Secrets Manager), I get an error when I use the Python Lambda runtime (public.ecr.aws/lambda/python3.8). I use the SAM CLI to deploy my function.
This is my template file:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  Ask-Waldo-Master-Data-Sam
Globals:
  Function:
    Timeout: 10
    Tracing: Active
    Environment:
      Variables:
        POWERTOOLS_METRICS_NAMESPACE: "ask-waldo"
        POWERTOOLS_SERVICE_NAME: "ask-waldo-master-service"
        LOG_LEVEL: DEBUG
        STAGE: DEVELOPMENT
  Api:
    TracingEnabled: true
Resources:
  MasterDataService:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      ImageConfig:
        Command: ["askwaldo_master_data.app.lambda_handler"]
      MemorySize: 4096
      Events:
        ApiEvent:
          Properties:
            RestApiId:
              Ref: AskWaldoMasterDataService
            Path: /{proxy+}
            Method: ANY
          Type: Api
      FunctionName: AskWaldoMasterDataService
      CodeUri: ./src
      Timeout: 300 # timeout of your lambda function
      MemorySize: 128 # memory size of your lambda function
      Description: Ask-Waldo Master data API serverless service
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      Policies:
        -
          PolicyName: 'ParameterStoreParameterAccess'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              -
                Effect: Allow
                Action:
                  - 'ssm:GetParameter*'
                Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/dev/parameterStoreBlog*'
    Metadata:
      Dockerfile: Dockerfile
      DockerContext: ./src
      DockerTag: v1
  AskWaldoMasterDataService:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      OpenApiVersion: '3.0.0'
  LambdaFunctionLogGroup:
    Type: "AWS::Logs::LogGroup"
    DependsOn: "MasterDataService"
    Properties:
      RetentionInDays: 30
      LogGroupName: !Join ["", ["/aws/lambda/", !Ref MasterDataService]]
```
This is my Dockerfile:

```dockerfile
ARG FUNCTION_DIR="/var/task/"
ARG APP_DIR="${FUNCTION_DIR}/askwaldo_master_data"
ARG RUNTIME_VERSION="3.8"
ARG DISTRO_VERSION="3.12"

# Stage 2 - build function and dependencies
FROM python:${RUNTIME_VERSION} AS build-image
ARG FUNCTION_DIR
ARG RUNTIME_VERSION
ARG APP_DIR

# Create function directory
RUN mkdir -p ${FUNCTION_DIR}
RUN mkdir -p ${APP_DIR}

# Copy requirements
COPY askwaldo_master_data/requirements.txt ${APP_DIR}

# Optional – Install the function's dependencies
RUN pip install -r ${APP_DIR}/requirements.txt --target ${FUNCTION_DIR}
COPY askwaldo_master_data ${APP_DIR}

# Stage 3 - final runtime image
# Grab a fresh copy of the Python image
FROM public.ecr.aws/lambda/python:${RUNTIME_VERSION}

# Include global arg in this stage of the build
ARG FUNCTION_DIR

# Set working directory to function root directory
WORKDIR ${FUNCTION_DIR}

# Copy in the built dependencies
COPY --from=build-image ${FUNCTION_DIR} ${FUNCTION_DIR}
CMD ["askwaldo_master_data.app.lambda_handler"]
```

When I run the code locally without Lambda, I get no errors. Also, when I run the code in the normal Python environment (not the AWS runtime), I get no errors. Only when I try to use the Lambda environment from AWS do I get the following error when starting the local API via the SAM CLI: Secrets Manager can't find the specified secret.

```
[WARNING] 2021-09-24T08:53:20.615Z Subsegment secretsmanager discarded due to Lambda worker still initializing
[WARNING] 2021-09-24T08:53:20.828Z No subsegment to end.
```

Could someone help me to figure out why boto3 is not able to access the resources when being executed within a container?