Lambda is not able to access API gateway Invoke URL - node.js

I have written an AWS Lambda function in AWS account A and exposed one api in AWS account B. The api url looks like https://*******.execute-api.ap-south-1.amazonaws.com:443/abc.
Now, when I try to access this url through Lambda in AWS account A, I am getting forbidden exception. Also, I am able to access https://google.com from Lambda. The API exposed in AWS account B is working through Postman. Please suggest if I am missing something.
Also, Forbidden is not coming from the api if I hit the api from postman with wrong authorization token or no auth token.
{
"statusCode": 403,
"body": "{\"message\":\"Forbidden\"}",
"headers": {
"server": "Server",
"date": "Thu, 10 Nov 2022 07:03:35 GMT",
"content-type": "application/json",
"content-length": "23",
"x-amzn-requestid": "**************",
"x-amzn-errortype": "ForbiddenException",
"x-amz-apigw-id": "**************",
"connection": "close"
},
"request": {
"uri": {
"protocol": "https:",
"slashes": true,
"auth": null,
"host": "*******.execute-api.ap-south-1.amazonaws.com",
"port": 443,
"hostname": "*******.execute-api.ap-south-1.amazonaws.com",
"hash": null,
"search": null,
"query": null,
"pathname": "*****/verify-token",
"path": "*****/verify-token",
"href": "https:******.execute-api.ap-south-1.amazonaws.com/*****/verify-token"
},
"method": "GET",
"headers": {
"Authorization": "correctToken",
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Headers": "*",
"user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1"
}
}
}
UPDATE:
This is the issue:
https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-vpc-connections/
Node.js code
const request = require("request");
// authRequestBody is the request options object (defined elsewhere)
request(authRequestBody, (error, response) => {
  // Business logic
});

Related

Deploy Apisix on Azure VM and get 404 error when route to App Service

I have used private endpoint to both of vm and app service. In the VM console, it works when using the domain, but it failed when using private IP.
$ curl https://myAppService..azurewebsites.net
{"result":"Hello World","code":200,"success":true}
$ curl http://10.0.5.5
....
<h1>404 Web Site not found.</h1>
<p>You may be seeing this error due to one of the reasons listed below :</p>
....
I can understand it so far. However, I set apisix routing config like below, and get 404 error as well.
{
"uri": "/test/*",
"name": "test",
"methods": [
"GET",
"POST",
"PUT",
"DELETE",
"PATCH",
"HEAD",
"OPTIONS",
"CONNECT",
"TRACE",
"PURGE"
],
"plugins": {
"cors": {
"allow_credential": false,
"allow_headers": "*",
"allow_methods": "*",
"allow_origins": "*",
"disable": false,
"expose_headers": "*",
"max_age": 5
},
"proxy-rewrite": {
"uri": "/"
}
},
"upstream": {
"nodes": [ <--------- Here
{
"host": "myAppService.azurewebsites.net",
"port": 443,
"weight": 1
}
],
"retries": 3,
"timeout": {
"connect": 6,
"send": 6,
"read": 6
},
"type": "roundrobin",
"scheme": "https",
"pass_host": "pass",
"keepalive_pool": {
"idle_timeout": 60,
"requests": 1000,
"size": 320
}
},
"status": 1
}
After I checked access.log, I figured out that the gateway resolves the host and routes the request with the IP (10.0.5.5).
[14/Dec/2022:11:00:15 +0000] 20.212.162.118 "GET /test/123 HTTP/1.1" 404 2667 0.012 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.46" 10.0.5.5:443 404 0.012
Is there any suggestion ?
using application gateway
Deploy Apisix to ACI. But some of our service are not considered to be containerized.
I want to route normally...
I finally found the answer after I figured out the issue is related to Nginx...
Due to Application Request Routing (ARR) affinity, it is required to set the Hostname to "Use the domain name or IP from Node list".
As a result, Apisix won't resolve the hostname, e.g. *.azurewebsites.net, to 10.0.x.x, and the ARR works.
Hooray!!
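A small model of the behaviour in the answer above, as an added example that is not part of the original post or of APISIX itself. It assumes the dashboard option "Use the domain name or IP from Node list" corresponds to `pass_host: "node"` in the route JSON, treats the App Service front end as a simple Host-header lookup, and uses a constructed client hostname (`gateway.example.test`).

```javascript
// Sites known to the (simplified) App Service front end, keyed by Host header.
const SITES = new Map([["myappservice.azurewebsites.net", "Hello World"]]);

// The shared front end picks the site by Host header, not by destination IP,
// which is why `curl http://10.0.5.5` in the question returns 404.
function appServiceFrontEnd(hostHeader) {
  const host = String(hostHeader).toLowerCase().replace(/:\d+$/, "");
  return SITES.has(host)
    ? { status: 200, body: SITES.get(host) }
    : { status: 404, body: "404 Web Site not found." };
}

// APISIX upstream.pass_host semantics:
//   "pass"    forwards the client's Host header unchanged (the posted config)
//   "node"    sends the host written in the nodes list
//   "rewrite" sends the value of upstream_host
function upstreamHostHeader(upstream, clientHost) {
  switch (upstream.pass_host || "pass") {
    case "pass":
      return clientHost;
    case "node":
      return upstream.nodes[0].host;
    case "rewrite":
      if (!upstream.upstream_host) throw new Error("rewrite needs upstream_host");
      return upstream.upstream_host;
    default:
      throw new Error(`unknown pass_host: ${upstream.pass_host}`);
  }
}

// One proxied request: choose the Host header, then let the front end route it.
function proxy(upstream, clientHost) {
  return appServiceFrontEnd(upstreamHostHeader(upstream, clientHost));
}

const nodes = [{ host: "myAppService.azurewebsites.net", port: 443, weight: 1 }];
const clientHost = "gateway.example.test"; // constructed: name the client used to reach APISIX

const asPosted = proxy({ nodes, scheme: "https", pass_host: "pass" }, clientHost);
const fixed = proxy({ nodes, scheme: "https", pass_host: "node" }, clientHost);
console.log("pass_host=pass ->", asPosted.status, "| pass_host=node ->", fixed.status);
```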

Azure Logic App not able create client certificate authentication with converted base64 encoded pfx

I want to get the token information for ADP Client through Azure Logic App. I have the Client Certificate from ADP so I decided to use HTTP trigger from Logic App and selected authentication type "Client Certificate".
Since I can't directly use the certificate in Logic App, I converted the certificate into base64-encoded .pfx format, and the certificate does not have any password.
Below is the sample code for the request:
{
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {},
"contentVersion": "1.0.0.0",
"outputs": {},
"triggers": {
"HTTP": {
"inputs": {
"authentication": {
"pfx": "convertedbase64string",
"type": "ClientCertificate"
},
"body": "grant_type=client_credentials&client_id=ClientId&client_secret=client_secret",
"headers": {
"content-type": "application/x-www-form-urlencoded"
},
"method": "POST",
"uri": "https://accounts.adp.com/auth/oauth/v2/token"
},
"recurrence": {
"frequency": "Month",
"interval": 15
},
"type": "Http"
}
}
},
"kind": "Stateful"
}
The above request returns Bad Request. Can anyone help me with what is going wrong here?
For converting into base64 I used the steps below in PowerShell:
$pfx_cert = get-content 'C:\sample\adpcertificate.pfx' -Encoding Byte
$output =[Convert]::ToBase64String($pfx_cert)
$output
I tried the same request with the client certificate using Postman, which is working fine, but I am not able to succeed with Logic App.
Any help is much appreciated.
There are only a few differences between the headers sent from Postman and the Logic App. The main difference is that Postman also sends the Accept header: "Accept": "*/*" and leaves out all the x-ms-* headers from the Logic App.
I created a Logic App with http-trigger, which I post to from Postman and Logic App to inspect the changes:
With Postman
{
"headers": {
"Connection": "keep-alive",
"Accept": "*/*",
"Accept-Encoding": "br,gzip,deflate",
"Host": "....westeurope.logic.azure.com:443",
"User-Agent": "PostmanRuntime/7.28.4",
"Postman-Token": "...-baea-4e89-9bf6-490a63968b5d",
"Content-Length": "76",
"Content-Type": "application/x-www-form-urlencoded"
},
"body": {
"$content-type": "application/x-www-form-urlencoded",
"$content": "Z3JhbnRfdHlwZT1jbGllbnRfY3JlZGVudGlhbHMmY2xpZW50X2lkPUNsaWVudElkJmNsaWVudF9zZWNyZXQ9Y2xpZW50X3NlY3JldA==",
"$formdata": [
{
"key": "grant_type",
"value": "client_credentials"
},
{
"key": "client_id",
"value": "ClientId"
},
{
"key": "client_secret",
"value": "client_secret"
}
]
}
}
With Logic App
{
"headers": {
"Connection": "Keep-Alive",
"Accept-Encoding": "gzip,deflate",
"Accept-Language": "en",
"Host": "...westeurope.logic.azure.com",
"User-Agent": "azure-logic-apps/1.0,(workflow ...; version ...)",
"x-ms-trigger-callback-url": "https://....westeurope.logic.azure.com/ <...>",
"x-ms-trigger-type": "Http",
"x-ms-workflow-id": "...",
"x-ms-workflow-version": "...",
"x-ms-workflow-name": "myworkflowname",
"x-ms-workflow-system-id": "/locations/westeurope/scaleunits/...",
"x-ms-workflow-run-id": "...",
"x-ms-workflow-operation-name": "HTTP",
"x-ms-execution-location": "westeurope",
"x-ms-workflow-subscription-id": "...",
"x-ms-workflow-resourcegroup-name": "..",
"x-ms-tracking-id": "...",
"x-ms-correlation-id": "...",
"x-ms-client-request-id": "...",
"x-ms-activity-vector": "...",
"Content-Length": "76",
"Content-Type": "application/x-www-form-urlencoded"
},
"body": {
"$content-type": "application/x-www-form-urlencoded",
"$content": "Z3JhbnRfdHlwZT1jbGllbnRfY3JlZGVudGlhbHMmY2xpZW50X2lkPUNsaWVudElkJmNsaWVudF9zZWNyZXQ9Y2xpZW50X3NlY3JldA==",
"$formdata": [
{
"key": "grant_type",
"value": "client_credentials"
},
{
"key": "client_id",
"value": "ClientId"
},
{
"key": "client_secret",
"value": "client_secret"
}
]
}
}
Solution
My solution would be to manually add the Accept-Header in the post request in the Logic App.
"headers": {
"Accept": "*/*",
// ...
},
I sadly don't have an ADP account to verify this, but I've seen other APIs break when no accept header is sent.

Azure Translator API always gives me 404

I'm trying to use translator API through a free trial subscription. After creating it, I set resource groups and add cognitive service to it. On that cognitive service page, I followed the "Quick Start" guide and got a pair of keys and ENDPOINT url.
Then I followed this document. It says an API key and endpoint are needed to use translator API. And I get them from RESOURCE MANAGEMENT>Keys and Endpoint section.
https://learn.microsoft.com/en-gb/azure/cognitive-services/translator/quickstart-translate?pivots=programming-language-javascript
But I always get 404 status code from this API every time I send a request. Is there anything I do wrong? How can I use this API?
SubscriptionID: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
My code:
const request = require('request');
const { v4: uuidv4 } = require('uuid');

const subscriptionKey = 'my-sub-key'; // There are two keys, key1 and key2. I use key1 here.
const endpoint = 'https://japaneast.api.cognitive.microsoft.com/';
const options = {
  method: 'POST',
  baseUrl: endpoint,
  url: 'translate',
  qs: {
    'api-version': '3.0',
    'to': 'en'
  },
  headers: {
    'Ocp-Apim-Subscription-Key': subscriptionKey,
    'Content-type': 'application/json',
    'X-ClientTraceId': uuidv4().toString()
  },
  body: [{
    'text': 'hello world'
  }],
  json: true,
};
// res is the HTTP response object of the enclosing route handler
request(options, function (err, resFromMicrosoft, body) {
  res.json(resFromMicrosoft);
});
Error response:
{
"statusCode": 404,
"body": {
"error": {
"code": "404",
"message": "Resource not found"
}
},
"headers": {
"content-length": "56",
"content-type": "application/json",
"apim-request-id": "e2ae69cc-b93c-4db2-aef4-47096eb3ec61",
"strict-transport-security": "max-age=31536000; includeSubDomains; preload",
"x-content-type-options": "nosniff",
"date": "Fri, 19 Jun 2020 06:11:24 GMT",
"connection": "close"
},
"request": {
"uri": {
"protocol": "https:",
"slashes": true,
"auth": null,
"host": "japaneast.api.cognitive.microsoft.com",
"port": null,
"hostname": "japaneast.api.cognitive.microsoft.com",
"hash": null,
"search": "?api-version=3.0&to=en",
"query": "api-version=3.0&to=en",
"pathname": "/translate",
"path": "/translate?api-version=3.0&to=en",
"href": "https://japaneast.api.cognitive.microsoft.com/translate?api-version=3.0&to=en"
},
"method": "POST",
"headers": {
"Ocp-Apim-Subscription-Key": "my-sub-key",
"Content-type": "application/json",
"X-ClientTraceId": "8eedf6f4-db0c-45cb-a95b-92a2797df067",
"accept": "application/json",
"content-length": 83
}
}
}
As mentioned in the documentation, please use the global endpoint - https://api.cognitive.microsofttranslator.com/
I saw your comment about getting 401 after using the global endpoint.
You still need to use the global endpoint as mentioned by Swetha.
This might help https://github.com/MicrosoftDocs/azure-docs/issues/57430#event-3480744006
(From the above page)
"It looks like you are using a common cognitive service resource and a key. Most the services have moved to using an individual resource type and if you can create and use the translator resource the steps mentioned in the documentation should work as is."

Google Street View Publish returns "Photo does not have upload reference." after statusCode 200

I'm using NodeJS to upload panoramic images.
When I perform step #2 described in the Google documentation, I get the following response:
Request
{
"url": "UPLOAD_URL",
"body": "/PATH_TO_PANO/pano.jpg",
"method": "POST",
"headers": {
"Authorization": "Bearer YOUR_ACCESS_TOKEN",
"Content-Type": "image/jpeg"
}
}
Response
{
"statusCode": 200,
"body": "",
"headers": {
"x-guploader-uploadid": "AEnB2UoJt4gvmmU6gXZvWDRu4b0DUCeT5vuPKLGcZqM4Tzo9HssCLoloTgAACRmxmP0U5DDYvHXpThCjRslW80bEKLZjUjJB3QNZ5w- j0jd8jdtVnH8X0c",
"content-length": "0",
"date": "Tue, 26 Sep 2017 21:05:17 GMT",
"server": "UploadServer",
"content-type": "text/html; charset=UTF-8",
"alt-svc": "quic=\":443\"; ma=2592000; v=\"39,38,37,35\"",
"connection": "close"
},
"request": {
"uri": {
"protocol": "https:",
"slashes": true,
"auth": null,
"host": "streetviewpublish.googleapis.com",
"port": 443,
"hostname": "streetviewpublish.googleapis.com",
"hash": null,
"search": null,
"query": null,
"pathname": "/media/user/USER_ID/photo/PHOTO_ID",
"path": "/media/user/USER_ID/photo/PHOTO_ID",
"href": "https://streetviewpublish.googleapis.com/media/user/USER_ID/photo/PHOTO_ID"
},
"method": "POST",
"headers": {
"Authorization": "Bearer YOUR_ACCESS_TOKEN",
"Content-Type": "image/jpeg",
"content-length": 45
}
}
}
But when I upload the metadata of the photo, I get the following message:
Request
{
"url": "https://streetviewpublish.googleapis.com/v1/photo?key=YOUR_API_KEY",
"method": "POST",
"headers": {
"Authorization": "Bearer YOUR_ACCESS_TOKEN",
"Content-Type": "application/json",
"Content-Length": 9385487
},
"data": {
"uploadReference": {
"uploadUrl": "UPLOAD_URL"
},
"pose": {
"heading": 110,
"latLngPair": {
"latitude": -29.937386,
"longitude": -60.996952
}
},
"captureTime": {
"seconds": 1506448064836
}
}
}
Response
{
"error": {
"code": 400,
"message": "Photo does not have upload reference.",
"status": "INVALID_ARGUMENT"
}
}
There are not many references to base myself on to find the problem. For that reason I would like the help of someone who may have gone through something similar.
I have replicated your issue. I've encountered this error when I didn't specify the UPLOAD_URL in the request.
{
"error": {
"code": 400,
"message": "Photo upload url does not match required format.",
"status": "INVALID_ARGUMENT",
"details": [
{
...
}
]
}
}
Make sure that you have added the UPLOAD_URL in the request. Check this documentation for more information.

box.com node client - cannot access files created by collaborator

I'm the co-owner on a box.com file.
My boss is the owner.
I'm using https://www.npmjs.com/package/box-node-sdk to manage the files
The node client has my boss's enterprise credentials
He made a folder
I made several other sibling folders
I can retrieve his
I can't retrieve mine
We're both listed as collaborators on all the files
The error I get looks like this:
{
"statusCode": 404,
"response": {
"statusCode": 404,
"body": {
"type": "error",
"status": 404,
"code": "not_found",
"context_info": {
"errors": [
{
"reason": "invalid_parameter",
"name": "item",
"message": "Invalid value 'd_11786923812'. 'item' with value 'd_11786923812' not found"
}
]
},
"help_url": "http://developers.box.com/docs/#errors",
"message": "Not Found",
"request_id": "338009555580a32f872f7c"
},
"headers": {
"server": "ATS",
"date": "Fri, 21 Oct 2016 15:23:36 GMT",
"content-type": "application/json",
"content-length": "324",
"cache-control": "no-cache, no-store",
"strict-transport-security": "max-age=31536000; includeSubDomains",
"vary": "Accept-Encoding",
"age": "0",
"connection": "keep-alive"
},
"request": {
"uri": {
"protocol": "https:",
"slashes": true,
"auth": null,
"host": "api.box.com",
"port": 443,
"hostname": "api.box.com",
"hash": null,
"search": null,
"query": null,
"pathname": "/2.0/folders/11786923812",
"path": "/2.0/folders/11786923812",
"href": "https://api.box.com/2.0/folders/11786923812"
},
"method": "GET",
"headers": {
"User-Agent": "Box Node.js SDK v1.1.0",
"Authorization": "[REMOVED BY SDK]",
"accept": "application/json"
}
}
}
}
EDIT: So, I can get folder 0 and it's not where I'm looking BUT, I did check earlier and added a file where I thought I was looking and it did show up, so I'm guessing that my boss would have to create the files...
