sam local start-api Missing Authentication Token for root path '/'

[0xdevalias]

Description:

When I run sam local start-api -s public/ and try to access my endpoint, I receive a Missing Authentication Token in the browser. This same code runs fine when deployed to lambda, and correctly exposes my endpoint without auth required.

FOO:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub ${AWS::StackName}-FOO
      CodeUri: ./target
      Handler: foo
      Runtime: go1.x
      Tracing: Active
      Events:
        CatchAll:
          Type: Api
          Properties:
            Path: "/{proxy+}"
            Method: ANY

Observed result:

Missing Authentication Token

Expected result:

My API is exposed without auth.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

macOS

Output of sam --version:

SAM CLI, version 0.3.0

[0xdevalias]

Starting from scratch for debug:

sam init --runtime go1.x
cd sam-app
dep init
GOOS=linux GOARCH=amd64 go build -o hello-world/hello-world ./hello-world
sam local start-api

Attempting to access http://127.0.0.1:3000/ I see Missing Authentication Token (with no endpoint mapped there)
Attempting to access http://127.0.0.1:3000/hello it works as expected.

Changing the HelloWorldFunction to use /{proxy+}:

HelloWorldFunction:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: hello-world/
      Handler: hello-world
      Runtime: go1.x
      Tracing: Active # https://docs.aws.amazon.com/lambda/latest/dg/lambda-x-ray.html
      Events:
        CatchAll:
          Type: Api
          Properties:
            Path: "/{proxy+}"
            Method: ANY
      Environment: # More info about Env Vars: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#environment-object
        Variables:
          PARAM1: VALUE

Now when I access http://127.0.0.1:3000/anythinghere it continues to work as expected.. so I don't think that is my issue.

Edit: Digging a little deeper.. it looks like even if I explicitly set the path to Path: "/" I get the same Missing Authentication Token when trying to access it. I wonder if that is somehow playing into this issue, even when trying to proxy it?

Edit2: Additional context, using https://github.com/gorilla/mux + https://github.com/awslabs/aws-lambda-go-api-proxy internally. When I set the path to Path: "/example" in my main project, that 1 endpoint works properly and doesn't produce Missing Authentication Token. When it is set to proxy though, my code never even gets reached/started. If I set my project to Path: "/a/{proxy+}" and try to access any of the URLs, my code starts correctly (then gets a 404 because that route doesn't exist)

[terrywarwar]

I'm getting the same error with SAM CLI, version 0.4.0. It doesn't look like it's routing to the static files in my case.

2018-06-20 14:50:36 Mounting static files from /Users/terry/go/src/app/public at /
2018-06-20 14:50:36 Mounting SampleFunction at http://127.0.0.1:3000/api/{proxy+} [GET, DELETE, PUT, POST, HEAD, OPTIONS, PATCH]
2018-06-20 14:50:36 You can now browse to the above endpoints to invoke your functions. You do not need to restart/reload SAM CLI while working on your functions changes will be reflected instantly/automatically. You only need to restart SAM CLI if you update your AWS SAM template
2018-06-20 14:50:36  * Running on http://127.0.0.1:3000/ (Press CTRL+C to quit)
2018-06-20 14:50:42 127.0.0.1 - - [20/Jun/2018 14:50:42] "GET / HTTP/1.1" 403 -
2018-06-20 14:50:42 127.0.0.1 - - [20/Jun/2018 14:50:42] "GET /favicon.ico HTTP/1.1" 403 -

[terrywarwar]

Shouldn't localhost:3000 -> serves the index.html?

[jfuss]

So this is an issue with Flask and how the endpoints are modeled. By default Flask does not resolve the / as apart of the /{proxy+} route. This means we need to handle / (the root path) separately. There maybe a way to configure this behavior by default but haven't investigated that deeply yet.

@terrywarwar

Shouldn't localhost:3000 -> serves the index.html?

Maybe? But SAM CLI can't since we support API to Lambda on the same root path, so there can be path conflicts. Instead, you should just add the /index.html to the path explicitly.

Marking this as a bug

[amcp]

I am getting this issue only on GET calls. POST works fine.

[tomasaschan]

@amcp I'm seeing the opposite; GET works fine, while POST yields this error. None of my paths are /, i.e. I'm GETting and POSTing to e.g. /foo and /bar.

Windows 10, SAM CLI version 0.7.0.

[nealio82]

I'm experiencing the same. Using SAM local POST works fine, but GET returns the "missing authentication token" on all catch-all routes, unless I add the first part of the route into the template.yaml config.

eg:

using path: /{proxy+}, method: ANY

GET /api/books, and /api/books/[id] returns missing authentication token

whereas using path: /api/{proxy+}, method: ANY

GET /api/books, and /api/books/[id] work as expected

Both configurations appear to work normally once deployed to the cloud.

I think this is going to become more prevalent as an issue now the runtime API has opened new languages and frameworks up to Lambda, and more people are going to get on-board with developing serverless functions locally, expecting their chosen language / framework to handle routing for them.

MacOS, SAM CLI version 0.8.1

[jfuss]

@nealio82 While the results are the same, your issue is different than the original issue. I commented above on what this issue relates to.

Please open a separate issues so we can track and investigate separately.

[nealio82]

@jfuss Ok, shall do :) Although I'm not sure that it is different? Looking at the original bug report by @0xdevalias it looks like the config is almost exactly the same as the config I have, and their experience is the same... (the only difference I can see is that I also have path: / configured in my template.yaml to match the / route, and @0xdevalias doesn't)

[jfuss]

@nealio82 You didn't state anything about a root path (/) being configured. Your statement makes it sound like /{proxy+} is causing other paths not to resolve.

[nealio82]

Ah, sorry, I didn't think it was relevant - I was adding context to the fact I'm seeing the same as the OP, and I didn't want to simply add an unhelpful '+1' or 'me too' comment. The root path works OK, as implied by 'GET returns the "missing authentication token" on all catch-all routes'.

[metaskills]

I had opened #1037 and closed it because I think this is the root issue. Thanks!

[dpeek]

So I think I might have found a way to fix this – commenting out the static files config passed to flask here allows /{proxy+} paths to resolve.

Happy to put together a PR, but not sure what you want to do... while serving static files is useful it's not something that APIG does and users can achieve something similar with a lambda serving files at a specific route.

If you want to avoid a breaking change, seems like path of least change is to only pass this config to flask if the user specifies the --static-dir argument?

[dpeek]

Erm, scratch that. Was switching between samdev and sam and it seems my issue sorted it self out and now /{proxy+} resolves fine. Ignore me!

[metaskills]

Not for me.

[metaskills]

CONFIRMED! Setting static_url_path=None in local_apigw_service.py does allow /{proxy+} to work. I have confirmed with Flask that these two options are incompatible. I think it is important that local development allow root proxy and serving static files from root needs to be re-considered. What do other's think?

[StoneCypher]

it's amusing because this breaks your front page hello world example as generated by your kit

[StoneCypher]

it's actually pretty concerning that nine months after you found out your baseline generated code doesn't serve root correctly, it's still an outstanding bug

that's a one-liner route fix in flask

[metaskills]

Well in fairness, they have done ALOT of work and if I had to pick, I'd say I appreciate the effort being able to run Ruby on Lambda and other things vs something I can hack locally that is not an issue when deployed. That said, would be nice to see fixed.

[kaihendry]

I followed https://github.com/stackery/php-lambda-layer to also get this "Missing Authentication Token". I've read this and I'm non-the-wiser.

Is there an error with https://media.dev.unee-t.com/2019-04-04/template.yaml ?

SAM CLI, version 0.14.2

Must say the SAM cli is a bit rough around the edges. Why can't it print the endpoint in the CLI? zomg. https://s.natalian.org/2019-04-04/1554348366_2560x1440.png

[dorneanu]

Hi,

are there any updates on this one? I have exactly the same issue.

[iceback]

THIS IS A MACOS VERSION OF #1316
kitselas:~$ sam --version
SAM CLI, version 0.18.0
kitselas:bin root# docker --version
Docker version 19.03.1, build 74b1e89

begin: template.yaml
Transform: 'AWS::Serverless-2016-10-31'
Resources:
PedigreesFunction:
# This resource creates a Lambda function.
Type: 'AWS::Serverless::Function'

Properties:
  # This function uses the Nodejs v8.10 runtime.
  Runtime: python3.7
    
  # This is the Lambda function's handler.
  Handler: app.lambdb_handler
  
  # The location of the Lambda function code.
  CodeUri: ./lambda-scripts/get-pedigrees.py
  
  # Event sources to attach to this function. In this case, we are attaching
  # one API Gateway endpoint to the Lambda function. The function is
  # called when a HTTP request is made to the API Gateway endpoint.
  Events:
    PedigreesApi:
        # Define an API Gateway endpoint that responds to HTTP GET at /thumbnail
        Type: Api
        Properties:
            Path: /pedigrees
            Method: GET

end template.yaml
sam validate
2019-08-08 10:56:23 Found credentials in shared credentials file: ~/.aws/credentials
/Users/rjs3/utah/dev/aws/pprapp/PPRConsole/template.yaml is a valid SAM Template

hit localhost:3000/pedigrees

kitselas:PPRConsole$ sam local start-api
2019-08-08 10:57:41 Mounting PedigreesFunction at http://127.0.0.1:3000/pedigrees [GET]
2019-08-08 10:57:41 You can now browse to the above endpoints to invoke your functions. You do not need to restart/reload SAM CLI while working on your functions, changes will be reflected instantly/automatically. You only need to restart SAM CLI if you update your AWS SAM template
2019-08-08 10:57:41 * Running on http://127.0.0.1:3000/ (Press CTRL+C to quit)
2019-08-08 10:58:38 Invoking app.lambdb_handler (python3.7)
2019-08-08 10:58:39 Found credentials in shared credentials file: ~/.aws/credentials

Fetching lambci/lambda:python3.7 Docker container image......
2019-08-08 10:58:40 Mounting /Users/rjs3/utah/dev/aws/pprapp/PPRConsole/lambda-scripts/get-pedigrees.py as /var/task:ro,delegated inside runtime container
2019-08-08 10:58:41 Exception on /pedigrees [GET]
Traceback (most recent call last):
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/docker/api/client.py", line 261, in _raise_for_status
response.raise_for_status()
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http+docker://localhost/v1.35/containers/f0123288c45dd08164d6cf5ca4d3d598984a0d2213263c35dc671c254948013f/start

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/flask/app.py", line 2317, in wsgi_app
response = self.full_dispatch_request()
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/flask/app.py", line 1840, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/flask/app.py", line 1743, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/flask/_compat.py", line 36, in reraise
raise value
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/flask/app.py", line 1838, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/flask/app.py", line 1824, in dispatch_request
return self.view_functionsrule.endpoint
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/samcli/local/apigw/local_apigw_service.py", line 156, in _request_handler
self.lambda_runner.invoke(route.function_name, event, stdout=stdout_stream_writer, stderr=self.stderr)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/samcli/commands/local/lib/local_lambda.py", line 93, in invoke
self.local_runtime.invoke(config, event, debug_context=self.debug_context, stdout=stdout, stderr=stderr)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/samcli/local/lambdafn/runtime.py", line 86, in invoke
self._container_manager.run(container)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/samcli/local/docker/manager.py", line 98, in run
container.start(input_data=input_data)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/samcli/local/docker/container.py", line 189, in start
real_container.start()
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/docker/models/containers.py", line 392, in start
return self.client.api.start(self.id, **kwargs)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/docker/utils/decorators.py", line 19, in wrapped
return f(self, resource_id, *args, **kwargs)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/docker/api/container.py", line 1091, in start
self._raise_for_status(res)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/docker/api/client.py", line 263, in _raise_for_status
raise create_api_error_from_http_exception(e)
File "/usr/local/Cellar/aws-sam-cli/0.18.0/libexec/lib/python3.7/site-packages/docker/errors.py", line 31, in create_api_error_from_http_exception
raise cls(e, response=response, explanation=explanation)
docker.errors.APIError: 400 Client Error: Bad Request ("OCI runtime create failed: container_linux.go:345: starting container process caused "process_linux.go:430: container init caused "rootfs_linux.go:58: mounting \"/Users/rjs3/utah/dev/aws/pprapp/PPRConsole/lambda-scripts/get-pedigrees.py\" to rootfs \"/var/lib/docker/overlay2/4248cf995aab0b8fb6cdd0db26dde5c5a99ccb31fce1c217a8c07cd8e6268704/merged\" at \"/var/lib/docker/overlay2/4248cf995aab0b8fb6cdd0db26dde5c5a99ccb31fce1c217a8c07cd8e6268704/merged/var/task\" caused \"not a directory\""": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type")
2019-08-08 10:58:41 127.0.0.1 - - [08/Aug/2019 10:58:41] "GET /pedigrees HTTP/1.1" 502 -
2019-08-08 10:58:41 127.0.0.1 - - [08/Aug/2019 10:58:41] "GET /favicon.ico HTTP/1.1" 403 -

I cannot locate the mounts under ~/Library/Containers

[dorneanu]

As @metaskills commented:

CONFIRMED! Setting static_url_path=None in local_apigw_service.py does allow /{proxy+} to work.

This did not work for me. :( My version is:

$ sam --version
$ SAM CLI, version 0.19.0

[nevtum]

By adding a root endpoint and another separate proxy endpoint to the SAM template I was able to get it to work:

...
Resources:
  MyFunction:
    Properties:
      CodeUri: MyFunction
      Events:
        RootEndpoint:
          Properties:
            Method: any
            Path: /
          Type: Api
        EverythingElse:
          Properties:
            Method: any
            Path: /{proxy+}
          Type: Api
      Handler: app.lambda_handler
      Runtime: python3.7
    Type: AWS::Serverless::Function

It seems like this convention of configuring multiple events for the same handler is done this way in other frameworks such as Zappa and Serverless (see the serverless.yml from this link).

[c2tarun]

Solution provided by @nevtum works for / path. Thanks @nevtum.
I am closing this issue, if anyone have questions please feel free to re-open.

[Kordstan]

I am using CDK to create the apigateway and adding ResourceBase.addProxy and setting the anyMethod to true worked for me and I dont get the Missing Authentication...

[abecks]

The solution provided by @nevtum does not work while also using the static assets option by either specifying -s manually or having a public folder present in the SAM directory.

Any ideas on a static assets workaround? @c2tarun I think this should be reopened

[randallb]

I have a potential fix at #6376 if the maintainers are interested... happy to implement myself.