Aws-sam-cli: When using guided deploy and accepting the default options I receive a Security Constraints Not Satisfied! error.

Created on 16 May 2020 · 2Comments · Source: aws/aws-sam-cli

Description

When using sam deploy --guided and accepting the default options I receive a Security Constraints Not Satisfied! error.

Note: When using the AWS Toolkit in VS Code I am able to deploy the hello world example without issue.

Steps to reproduce

I'm following the hello world tutorial here

sam init to build a .NET core hello world function
sam build
sam deploy --guided

Observed result

Telemetry endpoint configured to be https://aws-serverless-tools-telemetry.us-west-2.amazonaws.com/metrics

Configuring SAM deploy
======================

        Looking for samconfig.toml :  Not found

        Setting default arguments for 'sam deploy'
        =========================================
        Stack Name [sam-app]:
        AWS Region [us-east-1]:
        #Shows you resources changes to be deployed and require a 'Y' to initiate deploy
        Confirm changes before deploy [y/N]:
        #SAM needs permission to be able to create roles to connect to the resources in your template
        Allow SAM CLI IAM role creation [Y/n]:
No Parameters detected in the template
2 resources found in the template
Found Serverless function with name='HelloWorldFunction' and CodeUri='HelloWorldFunction'
Detected Inline Swagger definition
Auth checks done on swagger are not exhaustive!
        HelloWorldFunction may not have authorization defined, Is this okay? [y/N]:
Sending Telemetry: {'metrics': [{'commandRun': {'awsProfileProvided': False, 'debugFlagProvided': True, 'region': '', 'commandName': 'sam deploy', 'duration': 14529, 'exitReason': 'GuidedDeployFailedError', 'exitCode': 1, 'requestId': '3818fe20-a378-4ac6-9564-225ea699f51f', 'installationId': 'eff16007-c6c5-4f81-afaf-18df5059d751', 'sessionId': 'f2d02a1c-7328-4483-97fc-6bc880d35f36', 'executionEnvironment': 'CLI', 'pyversion': '3.7.6', 'samcliVersion': '0.48.0'}}]}
Telemetry response: 200
Error: Security Constraints Not Satisfied!

Expected result

I expect the Lambda function and CloudFormation stack to be deployed.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

OS: Windows 10 Pro
sam --version: SAM CLI, version 0.48.0

Source

kyledhebert

Most helpful comment

FWIW, I hit this same issue, and I bet anyone who hits this issue will end up here trying to understand why it happens. I think the error message could be improved so that people don't have to come here to understand what it means!

It was confusing to me that it said the _HelloWorldFunction_ does not have authorization defined; it made me wonder if the IAM settings that the CLI was generating were incorrect. If this is saying is that the _API_ does not have auth on it, then saying "HelloWorldFunction" is slightly misleading, even though it's technically correct because the API is implicit. It would be helpful to know that it's talking about the API that's being generated, and not the function. Something like "HelloWorldFunction may not have authorization defined on its API, Is this okay?" would have been clearer to me.

You probably have much bigger fish to fry, but just wanted to throw a +1 in there, and the reason why I was confused.

steviec on 30 Jul 2020

👍6

All 2 comments

@kyledhebert We added an explicit check in deploy to prompt when Auth is not set and by default will fail the command. From the output:

Detected Inline Swagger definition
Auth checks done on swagger are not exhaustive!
        HelloWorldFunction may not have authorization defined, Is this okay? [y/N]:

As you can see, the default is N. This is all done in an attempt to communicate that your API might be open to the world. If this is ok, then you should be selected Y instead of the default. If it is not, they you will need to add auth to the template: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-api.html

Closing as this is by design.