Bug: sam remote invoke failing with valid credentials

[nonken]

Description:

I am running the following commands:

sam remote invoke arn:aws:lambda:us-east-1:ACCOUNT_ID:function:NAME --profile Administrator-ACCOUNT_ID

and am getting this response:

Invoking Lambda Function arn:aws:lambda:us-east-1:ACCOUNT_ID:function:NAME
Error: An error occurred (UnrecognizedClientException) when calling the Invoke operation: The security token included in the request is invalid.

When invoking the same function with the AWS CLI, and the same SSO profile --profile Administrator-ACCOUNT_ID the invocation succeeds.

I have deployed the Lambda using the CDK. I am using SAM for local testing.

Steps to reproduce:

On my environment the following steps are failing:

1. Deploy Lambda using the CDK
2. fetch credentials using aws configure sso
3. Use the declared profile with the SAM CLI.

Observed result:

Invoking Lambda Function arn:aws:lambda:us-east-1:ACCOUNT_ID:function:NAME
Error: An error occurred (UnrecognizedClientException) when calling the Invoke operation: The security token included in the request is invalid.

Expected result:

I expect the lambda invocation logs.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

{
  "version": "1.95.0",
  "system": {
    "python": "3.8.13",
    "os": "macOS-13.2-arm64-arm-64bit"
  },
  "additional_dependencies": {
    "docker_engine": "20.10.22",
    "aws_cdk": "2.92.0 (build bf62e55)",
    "terraform": "Not available"
  },
  "available_beta_feature_env_vars": [
    "SAM_CLI_BETA_FEATURES",
    "SAM_CLI_BETA_BUILD_PERFORMANCE",
    "SAM_CLI_BETA_TERRAFORM_SUPPORT",
    "SAM_CLI_BETA_RUST_CARGO_LAMBDA"
  ]
}

And here the log output

2023-08-22 13:49:50,757 | No config file found in this directory.
2023-08-22 13:49:50,759 | OSError occurred while reading TOML file: [Errno 2] No such file or directory:
'/Users/.../dev/.../.../apps/.../samconfig.toml'
2023-08-22 13:49:50,759 | Config file location: /Users/.../dev/.../.../apps/.../samconfig.toml
2023-08-22 13:49:50,760 | Config file '/Users/.../dev/.../.../apps/.../samconfig.toml' does not exist
2023-08-22 13:49:50,786 | Converting provided --output option value to Enum
2023-08-22 13:49:50,793 | Using config file: samconfig.toml, config environment: default
2023-08-22 13:49:50,793 | Expand command line arguments to:
2023-08-22 13:49:50,794 | --resource_id=arn:aws:lambda:us-east-1:ACCOUNT_ID:function:FUNCTION_NAME --output=RemoteInvokeOutputFormat.TEXT
2023-08-22 13:49:50,816 | Invoking Lambda Function arn:aws:lambda:us-east-1:ACCOUNT_ID:function:FUNCTION_NAME
2023-08-22 13:49:51,571 | Function arn:aws:lambda:us-east-1:ACCOUNT_ID:function:FUNCTION_NAME, doesn't have Function URL configured,
using regular invoke
Traceback (most recent call last):
  File "samcli/lib/remote_invoke/lambda_invoke_executors.py", line 227, in _is_function_invoke_mode_response_stream
  File "botocore/client.py", line 535, in _api_call
  File "botocore/client.py", line 980, in _make_api_call
botocore.exceptions.ClientError: An error occurred (UnrecognizedClientException) when calling the GetFunctionUrlConfig operation: The security
token included in the request is invalid.
2023-08-22 13:49:51,574 | Input event not found, invoking resource with an empty event
2023-08-22 13:49:51,574 | Mapping input event to JSON string object
2023-08-22 13:49:51,575 | Calling lambda_client.invoke with FunctionName:arn:aws:lambda:us-east-1:ACCOUNT_ID:function:FUNCTION_NAME,
Payload:{}, parameters:{'InvocationType': 'RequestResponse', 'LogType': 'Tail', 'FunctionName':
'arn:aws:lambda:us-east-1:ACCOUNT_ID:function:FUNCTION_NAME', 'Payload': '{}'}
2023-08-22 13:49:51,734 | Telemetry endpoint configured to be https://aws-serverless-tools-telemetry.us-west-2.amazonaws.com/metrics
2023-08-22 13:49:51,770 | Telemetry endpoint configured to be https://aws-serverless-tools-telemetry.us-west-2.amazonaws.com/metrics
2023-08-22 13:49:51,770 | Sending Telemetry: {'metrics': [{'commandRun': {'requestId': '25b23274-27de-42c6-a1ed-4af8b5738337',
'installationId': '1bbc7e26-f4a9-42f5-ba5d-69b0d3191797', 'sessionId': '83fcab6a-59e8-4c66-a09e-4508d7f333e8', 'executionEnvironment': 'CLI',
'ci': False, 'pyversion': '3.8.13', 'samcliVersion': '1.95.0', 'awsProfileProvided': True, 'debugFlagProvided': True, 'region': '',
'commandName': 'sam remote invoke', 'metricSpecificAttributes': {'projectType': 'CFN', 'gitOrigin': None, 'projectName':
'269debbbb238874a86bcaf023684bf56095f392b7486185d1f8f4206174328b2', 'initialCommit': None}, 'duration': 941, 'exitReason':
'ErrorBotoApiCallException', 'exitCode': 1}}]}
2023-08-22 13:49:51,771 | Unable to find Click Context for getting session_id.
2023-08-22 13:49:51,773 | Sending Telemetry: {'metrics': [{'events': {'requestId': '6dbb13f6-3882-4192-b2a3-4230b356a699', 'installationId':
'1bbc7e26-f4a9-42f5-ba5d-69b0d3191797', 'sessionId': '83fcab6a-59e8-4c66-a09e-4508d7f333e8', 'executionEnvironment': 'CLI', 'ci': False,
'pyversion': '3.8.13', 'samcliVersion': '1.95.0', 'metricSpecificAttributes': {'events': [{'event_name': 'SamConfigFileExtension',
'event_value': '.toml', 'thread_id': 'f892740723b54ca0afc9366f976f61ba', 'time_stamp': '2023-08-22 11:49:50.759', 'exception_name':
None}]}}}]}
2023-08-22 13:49:52,435 | HTTPSConnectionPool(host='aws-serverless-tools-telemetry.us-west-2.amazonaws.com', port=443): Read timed out. (read
timeout=0.1)
Error: An error occurred (UnrecognizedClientException) when calling the Invoke operation: The security token included in the request is invalid.
2023-08-22 13:49:52,437 | HTTPSConnectionPool(host='aws-serverless-tools-telemetry.us-west-2.amazonaws.com', port=443): Read timed out. (read
timeout=0.1)

[hawflau]

Hi @nonken, thanks for raising the issue. It seems the sam remote invoke command does not care about the provided --profile option. It looks like an easy fix though, I'll raise a PR soon

[nonken]

@hawflau thank you, you are awesome 🙏🏻🚀

[github-actions]

Patch is released in v1.96.0. Closing

[nonken]

Thank you @hawflau 🙏🏻