Is it possible to sequence the creation of permissions for a Lambda with multiple API endpoints in a SAM template? #3306
I have a SAM template that contains a Lambda with multiple (around 20) API endpoints. For the most part, this setup has been working well for me. However, lately when I deploy this template, CFN intermittently receives one or two 500 errors from Lambda. According to AWS support, the errors are due to a race condition connected to the concurrent calls to AddPermissions made by CFN. In a standard CFN template, I could resolve this issue by sequencing the creation of the Lambda permissions with "DependsOn". Is there a way to sequence the creation of the Lambda permissions in my SAM template without splitting the API endpoints across multiple Lambdas?
Replies: 4 comments 17 replies
Not sure what you mean by endpoints, so you're not using a catchall like https://github.com/wolfeidau/sam-golang-multi-lambda/blob/main/template.yaml#L27 ?
@kaihendry Good question. Thanks. No, I'm not currently using a catchall like that example. In saying that the Lambda has multiple "endpoints" I meant that in the SAM template the AWS::Serverless::Function has multiple Events of type Api. The Events have different Path and Method values. I'm wondering whether I can keep those distinct Events on that AWS::Serverless::Function and find a way of sequencing the corresponding creation of Lambda permissions in my SAM template.
I'd have to know more about your template to say how you'd structure the "DependsOn" statements but the names of our generated Lambda Permission objects are predictable. For API Gateway to Lambda, the naming structure is "${ServerlessFunctionLogicalId}${ServerlessFunctionApiEventLogicalId}Permission${ApiGatewayStageName}". So you might have "HelloWorldFunctionHelloWorldEventPermissionProd" or similar. You can do a I'd be curious where these errors are coming from though. Are you seeing this with a brand new template? New deployments of an existing template?
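Added example, not part of the thread and not SAM's own code: the "DependsOn" sequencing the question describes for a standard CloudFormation template, applied to a plain (already transformed) template so that AWS::Lambda::Permission resources targeting the same function are created one after another. The function name `chain_lambda_permissions` and the sample resources are constructed for illustration; the logical IDs only imitate the naming pattern quoted above.

```python
import copy
import json

# Constructed sample: a plain CloudFormation template (not SAM) whose permission
# logical IDs imitate the "<Function><Event>Permission<Stage>" pattern.
def _perm(function_id):
    return {"Type": "AWS::Lambda::Permission",
            "Properties": {"Action": "lambda:InvokeFunction",
                           "FunctionName": {"Ref": function_id},
                           "Principal": "apigateway.amazonaws.com"}}

SAMPLE = {"Resources": {
    "HelloWorldFunctionPutUserPermissionProd": _perm("HelloWorldFunction"),
    "HelloWorldFunctionGetUserPermissionProd": _perm("HelloWorldFunction"),
    "HelloWorldFunctionListUsersPermissionProd": _perm("HelloWorldFunction"),
    "OtherFunctionPingPermissionProd": _perm("OtherFunction"),
}}

def chain_lambda_permissions(template):
    """Return a copy in which permissions for the same function form a DependsOn chain."""
    out = copy.deepcopy(template)
    resources = out.get("Resources", {})
    groups = {}
    # Group permission logical IDs by their FunctionName value; sorted order
    # keeps the resulting chain deterministic between runs.
    for logical_id in sorted(resources):
        res = resources[logical_id]
        if res.get("Type") == "AWS::Lambda::Permission":
            target = json.dumps(res.get("Properties", {}).get("FunctionName"),
                                sort_keys=True)
            groups.setdefault(target, []).append(logical_id)
    # Each permission waits for the previous one in its group, so CloudFormation
    # never issues two permission calls for the same function concurrently.
    for ids in groups.values():
        for prev, cur in zip(ids, ids[1:]):
            deps = resources[cur].get("DependsOn", [])
            deps = [deps] if isinstance(deps, str) else list(deps)
            if prev not in deps:
                deps.append(prev)
            resources[cur]["DependsOn"] = deps
    return out

if __name__ == "__main__":
    print(json.dumps(chain_lambda_permissions(SAMPLE), indent=2))
```

Permissions are grouped by the literal FunctionName value, so a template that refers to one function both by Ref and by Fn::GetAtt would produce two separate chains.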
I'm not sure there's a way to add "DependsOn" to the LambdaPermission resources that SAM generates, but I think there are two solutions available here without forcing you to make drastic code changes.
{proxy} or {proxy+} greedy path, which sounds like it's essentially what you're doing anyway, to route all API Gateway routes to one function. So as far as API Gateway is concerned, this is one integration and one endpoint and one Lambda Permission.
UserFunction handles /user/.... paths