serverless-dynamodb-local icon indicating copy to clipboard operation
serverless-dynamodb-local copied to clipboard

Published 20 hours ago verified publisher icon 99x

Getting "UnknownError: Forbidden: DynamoDB" on migrate

Open nicodh opened this issue 4 years ago • 2 comments

running sls dynamodb start with a configuration as shown below(migrate: true and a configured Table resource) shows error "UnknownError: Forbidden: DynamoDB - Error -" and does not migrate the table. With migrate: false there is no error

Expected Behaviour

should create the configured tables if migrate: true is configured

Steps to reproduce it This is the relevant part of the serverless.yaml:

provider:
  name: aws
  runtime: nodejs12.x
  region: eu-central-1
  stage: 'offline'
  custom:
    serverless-offline:
      port: 2110
      stage: offline
    dynamodb:
      start:
        port: 8000
        inMemory: true
        migrate: true
      stages:
        - offline
 plugins:
  - serverless-dynamodb-local
  - serverless-offline
 resources:
  Resources:
    DevicesTable:
      Type: 'AWS::DynamoDB::Table'
      DeletionPolicy: Retain
      Properties:
        AttributeDefinitions:
          - AttributeName: userId
            AttributeType: S
          - AttributeName: created
            AttributeType: N
        KeySchema:
          - AttributeName: userId
            KeyType: HASH
          - AttributeName: created
            KeyType: RANGE
        ProvisionedThroughput:
          ReadCapacityUnits: 1
          WriteCapacityUnits: 1
        TableName: 'MyTable'

LogCat for the issue

Serverless: Running "serverless" installed locally (in service node_modules)
Dynamodb Local Started, Visit: http://localhost:8000/shell

UnknownError: Forbidden: DynamoDB - Error -

  Unknown Error ------------------------------------------

  UnknownError: Forbidden
      at Request.extractError (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\protocol\json.js:52:27)
      at Request.callListeners (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\sequential_executor.js:106:20)
      at Request.emit (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\sequential_executor.js:78:10)
      at Request.emit (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\request.js:690:14)
      at Request.transition (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\request.js:22:10)
      at AcceptorStateMachine.runTo (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\state_machine.js:14:12)
 at Request.<anonymous> (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\request.js:38:9)
      at Request.<anonymous> (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\request.js:692:12)
      at Request.callListeners (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\sequential_executor.js:116:18)
      at callNextListener (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\sequential_executor.js:96:12)
      at IncomingMessage.onEnd (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\event_listeners.js:313:13)
      at IncomingMessage.emit (events.js:215:7)
      at IncomingMessage.EventEmitter.emit (domain.js:476:20)
      at endReadableNT (_stream_readable.js:1183:12)
      at processTicksAndRejections (internal/process/task_queues.js:80:21)

I also logged the constructor arguments for the last request before the failure (service, operation and params)

Service: Service {
  config: Config {
    credentials: Credentials {
      expired: false,
      expireTime: null,
      refreshCallbacks: [],
      accessKeyId: 'MOCK_ACCESS_KEY_ID',
      sessionToken: undefined
    },
    credentialProvider: CredentialProviderChain {
      providers: [Array],
      resolveCallbacks: []
    },
    region: 'localhost',
    logger: null,
    apiVersions: {},
    apiVersion: null,
    endpoint: 'http://localhost:8000',
    httpOptions: { timeout: 120000, agent: [HttpsProxyAgent] },
    maxRetries: undefined,
    maxRedirects: 10,
    paramValidation: true,
    sslEnabled: true,
    s3ForcePathStyle: false,
    s3BucketEndpoint: false,
    s3DisableBodySigning: true,
    s3UsEast1RegionalEndpoint: 'legacy',
    s3UseArnRegion: undefined,
    computeChecksums: true,
    convertResponseTypes: true,
    correctClockSkew: false,
    customUserAgent: null,
    dynamoDbCrc32: true,
    systemClockOffset: 0,
    signatureVersion: null,
    signatureCache: true,
    retryDelayOptions: {},
    useAccelerateEndpoint: false,
    clientSideMonitoring: false,
    endpointDiscoveryEnabled: undefined,
    endpointCacheSize: 1000,
    hostPrefixEnabled: true,
    stsRegionalEndpoints: 'legacy',
    accessKeyId: 'MOCK_ACCESS_KEY_ID',
    secretAccessKey: 'MOCK_SECRET_ACCESS_KEY',
    convertEmptyValues: false
  },
  endpoint: Endpoint {
    protocol: 'http:',
    host: 'localhost:8000',
    port: 8000,
    hostname: 'localhost',
    pathname: '/',
    path: '/',
    href: 'http://localhost:8000/'
  },
  _events: {
    apiCallAttempt: [ [Function: EVENTS_BUBBLE] ],
    apiCall: [ [Function: CALL_EVENTS_BUBBLE] ]
  },
  MONITOR_EVENTS_BUBBLE: [Function: EVENTS_BUBBLE],
  CALL_EVENTS_BUBBLE: [Function: CALL_EVENTS_BUBBLE],
  _clientId: 1
}
operation: createTable
params: {
  AttributeDefinitions: [
    { AttributeName: 'userId', AttributeType: 'S' },
    { AttributeName: 'created', AttributeType: 'N' }
  ],
  KeySchema: [
    { AttributeName: 'userId', KeyType: 'HASH' },
    { AttributeName: 'created', KeyType: 'RANGE' }
  ],
  ProvisionedThroughput: { ReadCapacityUnits: 1, WriteCapacityUnits: 1 },
  TableName: 'MyTable'
}

I'm on Windows 10 and used gitbash.

 Your Environment Information ---------------------------
     Operating System:          win32
     Node Version:              12.13.0
     Framework Version:         2.19.0
     Plugin Version:            4.4.2
     SDK Version:               2.3.2
     Components Version:        3.4.7

The default credentials in my .aws/credentials file are valid:

aws dynamodb list-tables --no-verify-ssl

shows the table in my AWS account

I use the same credentials to deploy the whole application with serverless (which creates also the dynamodb tables)

If I use the params from the debug log above in localhost:8000/shell to create the table it works with no error and the table is created.

I am behind a proxy but as mentioned aws cli works fine (but needs --no-verify-ssl )

If any more information is needed I'm willing to provide it!
Any hint how to debug the error is welcome too!

nicodh avatar Jan 20 '21 18:01 nicodh

Additional information: the same code with the same credentials works fine on Linux. If I create a table in the Javascript Shell http://localhost:8000/shell I can see the table by running

aws dynamodb list-tables --endpoint http://localhost:8000

On Windows I can see the created table in the shell when running dynamodb.listTables but not in the aws cli:

aws dynamodb list-tables --endpoint http://localhost:8000

so somehow both connect to a different context...??

nicodh avatar Jan 22 '21 19:01 nicodh

It's been almost 2 years so I assume you solved this, but maybe helpful for someone else. I was encountering the same error, started getting Forbidden all of the sudden on code that used to work. Turns out I had another, totally unrelated, application running on port 8000 on my system. Launching the local dynamodb docker container didn't holler about the port collision so it wasn't obvious at first.

mattdodge avatar Oct 25 '22 02:10 mattdodge