
I have an API written in python/chalice deployed as a Lambda which gets called from a web app. I thought I had the usual CORS issues fixed; at least, things are working with no problems and have done for a while. Being a good boy I decided it was time to move some hardcoded credentials out of the code into AWS Secrets Manager. Everything is still working well in my local environment (probably because both the API and app are on localhost) with the credentials correctly pulled out of Secrets Manager. However, when I deploy the API the web app is now reporting a CORS error:

Access to XMLHttpRequest at 'https://api' from origin 'https://webapp' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I've tracked the source of the problem down to my call to boto3.session.Session().client().get_secret_value(). If I don't make this call - no CORS errors.

Here's the relevant snippet of my API code:

import boto3
from chalice import Chalice

app = Chalice(app_name='api')  # app name assumed; not shown in the post


@app.route('/get/table', methods=['GET'], cors=True)
def GetTable():

    # A fresh session and client are built on every request; the
    # get_secret_value call below is the one that hangs when deployed.
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name="eu-west-2"
    )
    get_secret_value_response = client.get_secret_value(SecretId="prod/xxxx")
    # ... remainder of the handler (uses the secret and returns the table) not shown

So, what's going wrong? Am I missing something simple?

sideshowbarker
plet
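Why a timeout shows up as a CORS error, and how to make the failure visible instead: botocore's default connect and read timeouts are 60 seconds each, longer than the 29 second limit API Gateway applies to a REST integration. When a VPC-attached Lambda has no route to Secrets Manager, the SDK call hangs until API Gateway gives up and returns its own "Endpoint request timed out" 504, and that gateway response carries no Access-Control-Allow-Origin header, so the browser reports the failure as CORS. The helper below is an added example, not code from the question: it builds the client with short timeouts, caches the parsed secret for the life of the warm container instead of calling Secrets Manager on every request, and re-raises any SDK failure with a hint about the VPC endpoint, security group and IAM permission. The names get_secret, parse_secret, SecretFetchError and make_client are assumptions, as is the 300 second TTL.

```python
"""Secrets Manager fetch helper: fail fast, cache per container, diagnose failures.

Added example, not code from the original question. Function names, the TTL and
the secret id used in the usage note are assumptions.
"""
import json
import time
from typing import Any, Callable, Dict, Optional, Tuple

# Cache lives at module level, so it survives across invocations of one warm
# Lambda container: one network round trip per container, not per request.
_CACHE: Dict[str, Tuple[float, Dict[str, Any]]] = {}
_TTL_SECONDS = 300


class SecretFetchError(RuntimeError):
    """Raised when the secret cannot be fetched; the message carries a diagnosis hint."""


def clear_cache() -> None:
    """Drop cached secrets (useful after rotation, and between tests)."""
    _CACHE.clear()


def make_client(region_name: str = "eu-west-2"):
    """Build a boto3 Secrets Manager client that gives up within a few seconds.

    boto3 and botocore are imported here, not at module level, so the parsing and
    caching logic can be exercised with a stub client where the SDK is absent.
    The explicit Config replaces botocore's 60 s defaults: with no route to
    Secrets Manager the call now fails in seconds and is logged, instead of
    outliving API Gateway's 29 s limit and surfacing as a bare 504 in the browser.
    """
    import boto3
    from botocore.config import Config

    cfg = Config(connect_timeout=2, read_timeout=3, retries={"max_attempts": 2})
    return boto3.session.Session().client(
        service_name="secretsmanager", region_name=region_name, config=cfg
    )


def parse_secret(response: Dict[str, Any]) -> Dict[str, Any]:
    """Decode a get_secret_value response: JSON in SecretString, or raw SecretBinary."""
    if "SecretString" in response:
        raw = response["SecretString"]
        try:
            return json.loads(raw)
        except ValueError:
            return {"value": raw}  # plain-text secret rather than a JSON document
    if "SecretBinary" in response:
        return {"binary": bytes(response["SecretBinary"])}
    raise SecretFetchError("get_secret_value returned neither SecretString nor SecretBinary")


def get_secret(
    secret_id: str,
    client: Optional[Any] = None,
    now: Callable[[], float] = time.time,
) -> Dict[str, Any]:
    """Return the parsed secret, served from the cache while it is fresh.

    Any exception from the SDK (ConnectTimeoutError, EndpointConnectionError,
    ClientError for AccessDeniedException, ...) is re-raised as SecretFetchError
    with the three things to check for a VPC-attached Lambda.
    """
    hit = _CACHE.get(secret_id)
    if hit is not None and now() - hit[0] < _TTL_SECONDS:
        return hit[1]
    if client is None:
        client = make_client()
    try:
        response = client.get_secret_value(SecretId=secret_id)
    except Exception as exc:
        raise SecretFetchError(
            f"{type(exc).__name__} fetching {secret_id!r}: {exc}. "
            "If this Lambda is in a VPC, check the Secrets Manager VPC endpoint "
            "(or NAT route), the security group rule allowing TCP 443 to it, and "
            "the role's secretsmanager:GetSecretValue permission."
        ) from exc
    value = parse_secret(response)
    _CACHE[secret_id] = (now(), value)
    return value
```

In the Chalice route this replaces the per-request session and client with a single call, `creds = get_secret("prod/xxxx")`, and the exception text lands in CloudWatch with the cause named, which is the check the question's author was missing when the log stayed empty. The `client` and `now` parameters exist only so the function can be driven by a stub in tests; production callers pass neither.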
    The CORS is probably a red herring. Maybe there's a log in CloudWatch? – Christian Oct 31 '20 at 20:19
  • Unfortunately there's nothing in the log. But you might be right about it being a red herring. Calling the API directly I get a message: "Endpoint request timed out". I'll just need to work out why it works locally. – plet Oct 31 '20 at 20:54
  • Is your app or API running in a VPC? Probably not the issue but worth checking https://stackoverflow.com/questions/35423246/adding-aws-lambda-with-vpc-configuration-causes-timeout-when-accessing-s3 – gmfm Oct 31 '20 at 23:31
  • @gmfm Yes, it's in a vpc. That link was helpful. Got there in the end! – plet Nov 01 '20 at 16:44

1 Answer


I got there in the end. The root cause was not CORS but the fact that the Lambda uses a VPC. The fact that it was working locally (not sure how - perhaps something to do with the ssh tunnel I have set up for DB access) just added to the fog of confusion!

After much banging of my head on the keyboard this is what got it working:

  • Setting up a VPC endpoint for Secrets Manager for the VPC
  • Adding an inbound rule to the VPC security group: All TCP for the security group (could perhaps be rationalised but I don't know to what)
  • Modifying the IAM permissions for the Lambda role to add Secrets Manager.

-- edit

Oh, the fun continues. The above works well... until I deploy a new version of the Lambda with Chalice. It seems that, by default, Chalice is generating a new policy for every deploy and even though it looks correct in the IAM console (Secrets Manager policy present) it's not working!

I've had to copy the IAM policy summary from the role (when it's working) and create a new policy.json file in my local .chalice folder. When deploying, either specifying chalice deploy --no-autogen-policy or adding "autogen_policy": false to .chalice/config.json seems to finally fix things.

plet
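The three fixes in the answer (VPC endpoint, security group rule, IAM permission) and the follow-up about Chalice regenerating the policy on every deploy come together in the files Chalice reads from .chalice/. The block below is an added example, not the answer author's policy.json or config.json: it generates a least-privilege IAM policy scoped to one secret ARN, the stage config that turns off autogen and points at that policy file (Chalice's documented default name for the hand-written file is policy-<stage>.json, set here explicitly through iam_policy_file), and a tighter version of the security group rule, allowing only TCP 443 from the Lambda's security group into the endpoint's rather than "All TCP". It also includes a small lint that rejects Secrets Manager actions granted on "*", which is the check to run on a copied policy summary before committing it. The ARN, subnet and security group ids, account id and stage name are placeholders; the ENI actions and their "*" resource follow AWS's managed AWSLambdaVPCAccessExecutionRole policy.

```python
"""Least-privilege policy, Chalice stage config and endpoint SG rule for a
VPC-attached Lambda that reads one secret.

Added example, not the answer's files. All ids and ARNs are placeholders.
"""
import json
from typing import Any, Dict, List

SECRETS_ACTIONS = ["secretsmanager:GetSecretValue"]
# Needed by any Lambda attached to VPC subnets (it creates ENIs in them); these
# are the same actions, on Resource "*", that AWSLambdaVPCAccessExecutionRole grants.
VPC_ENI_ACTIONS = [
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
]
LOG_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]


def lambda_policy(secret_arn: str) -> Dict[str, Any]:
    """IAM policy document for the function role, to be saved as .chalice/policy-<stage>.json."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": LOG_ACTIONS, "Resource": "arn:aws:logs:*:*:*"},
            {"Effect": "Allow", "Action": VPC_ENI_ACTIONS, "Resource": "*"},
            # Only the one secret, only GetSecretValue: no DescribeSecret, no ListSecrets.
            {"Effect": "Allow", "Action": SECRETS_ACTIONS, "Resource": secret_arn},
        ],
    }


def chalice_config(stage: str, subnet_ids: List[str], sg_ids: List[str]) -> Dict[str, Any]:
    """.chalice/config.json with autogen disabled so the hand-written policy survives deploys."""
    return {
        "version": "2.0",
        "app_name": "api",  # placeholder
        "stages": {
            stage: {
                "api_gateway_stage": "api",
                "autogen_policy": False,
                "iam_policy_file": f"policy-{stage}.json",
                "subnet_ids": subnet_ids,
                "security_group_ids": sg_ids,
                # Keep the function under API Gateway's 29 s integration limit so a
                # hung call fails as a logged Lambda timeout, not a bare gateway 504.
                "lambda_timeout": 10,
            }
        },
    }


def endpoint_sg_rule(lambda_sg: str) -> Dict[str, Any]:
    """Inbound rule for the Secrets Manager endpoint's security group: HTTPS from the
    Lambda's security group only, instead of all TCP."""
    return {
        "IpProtocol": "tcp",
        "FromPort": 443,
        "ToPort": 443,
        "UserIdGroupPairs": [{"GroupId": lambda_sg}],
    }


def lint_policy(policy: Dict[str, Any], secret_arn: str) -> List[str]:
    """Findings for a policy copied from the console: Secrets Manager actions
    granted on every resource, or no way to call GetSecretValue at all."""
    findings: List[str] = []
    granted = False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        resources = st.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        for action in actions:
            if not (action.startswith("secretsmanager:") or action == "*"):
                continue
            if "*" in resources:
                findings.append(f"{action} granted on all resources; scope it to {secret_arn}")
            if action in ("secretsmanager:GetSecretValue", "secretsmanager:*", "*"):
                granted = True
    if not granted:
        findings.append("role cannot call secretsmanager:GetSecretValue")
    return findings


if __name__ == "__main__":
    arn = "arn:aws:secretsmanager:eu-west-2:123456789012:secret:prod/xxxx-AbCdEf"  # placeholder
    doc = lambda_policy(arn)
    assert lint_policy(doc, arn) == []
    print(json.dumps(doc, indent=2))  # paste into .chalice/policy-prod.json
    print(json.dumps(chalice_config("prod", ["subnet-0123"], ["sg-0123"]), indent=2))
```

With autogen_policy false, `chalice deploy` applies the file named by iam_policy_file unchanged, so the Secrets Manager statement no longer disappears on the next deploy; run `lint_policy` over whatever you copied from the IAM console before committing it, since a console summary of a working role often contains a wildcard resource that a hand-written policy should not.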