Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Serveless deploy don't adds lambda permissions to alias

See original GitHub issue

Bug Report

Description

After updating to serverless 1.60.4 (from 1.37.1) deployed stack started to return {"message": "Internal server error"} for all calls.

Tried to run “test” from AWS APIGW “Resources”->“Method” view and got: Thu Dec 26 11:52:32 UTC 2019 : Execution failed due to configuration error: Invalid permissions on Lambda function

Rolled back to 1.37.1 and deploy worked fine.

After some digging in cloud trails found that serveless 1.60.4 didn’t give permissions to the “alias” version of our lambda:

Screen Shot 2019-12-26 at 1 37 35 PM

Setup info (parts I thought are relevant):

plugins:
  - serverless-plugin-canary-deployments

provider:
  name: aws
  runtime: python3.6

functions:
  - app:
      handler: wsgi_handler.handler
      timeout: 30
      deploymentSettings:
        type: AllAtOnce
        postTrafficHook: tests
        alias: live

Issue Analytics

State:
Created 4 years ago
Reactions:1
Comments:12 (6 by maintainers)

Top GitHub Comments

2reactions

davidgfcommented, Feb 28, 2020

@levkaganv I’ve just figured out what the issue is. Basically, the serverless framework changed the way it builds the Lambda Permissions resource. Prior to v1.60.2, the resource would look like this:

{
   "HelloLambdaPermissionApiGateway": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "FunctionName": {
          "Fn::GetAtt": [
            "HelloLambdaFunction",
            "Arn"
          ]
        },
   ...
   }
}

However, from that version onwards, the Lambda permissions for API Gateway are composed as follows:

{
   "HelloLambdaPermissionApiGateway": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "FunctionName": {
          "Fn::Join": [
            ":",
            [
              {
                "Fn::GetAtt": [
                  "HelloLambdaFunction",
                  "Arn"
                ]
              }
            ]
          ]
        },
   ...
   }
}

When the plugin amends the permissions to allow API Gateway executing aliased functions, it looks them up by function name assuming the former structure, and therefore it fails with newer Serverless versions. The fix should be relatively simple, but I cannot give you an ETA (PRs welcome 😄).

@samcon I’m not sure that your issue is related, I believe that it’s just due to ALB events not being supported by the plugin (again, PRs welcome 😅)

@dhelms-bw first of all, thank you very much for your PR, it looks good and I’ll merge it as soon as I get the time to test it in a real environment. You mention that it fixes the issues discussed here, however I’m failing to see how. Can you shed some light?

1reaction

davidgfcommented, Feb 28, 2020

This issue was solved in serverless@1.61.0, so using that version or above should do the trick. However, the plugin is not compatible with functions that have the provisionedConcurrency setting enabled, which is something I’ll try to fix shortly.

Top Results From Across the Web

Serveless deploy don't adds lambda permissions to alias #7144

I'm having this same issue using provisionedConcurrency in 1.60.5. serverless configures the alias "provisioned". I'm not using serverless- ...

Serverless AWS alias plugin

This plugin enables use of AWS aliases on Lambda functions. The term alias must not be mistaken as the stage. Aliases can be...

Deploying serverless applications gradually

Deploys new versions of your Lambda function, and automatically creates aliases that point to the new version. Gradually shifts customer traffic to the...

How to create IAM roles for deploying your AWS Serverless app

An in-depth guide to creating production-ready, least privilege IAM roles for deploying your serverless application across multiple AWS ...

How to setup alias using serverless framework - Stack Overflow

Is there such a feature in serverless to do this? If not how do teams deploy multiple version of the same code without...