Lambda invoke does not accept full ARN as FunctionName

[redinger]

Dependencies

{:deps {com.cognitect.aws/api {:mvn/version "0.8.515"}
        com.cognitect.aws/endpoints {:mvn/version "1.1.12.51"}
        com.cognitect.aws/lambda {:mvn/version "813.2.972.0"}}}

Description with failing test case

Lambda invoke does not accept a full ARN, or a partial ARN as a FunctionName. According to https://docs.aws.amazon.com/lambda/latest/dg/API_Invoke.html#API_Invoke_RequestSyntax, both of those should be acceptable in addition to just FunctionName.

(require
  '[cognitect.aws.client.api :as aws])

(def lambda (aws/client {:api :lambda}))

;; Full ARN in FunctionName returns error. (### is elided account)
(aws/invoke lambda {:op :Invoke
                    :request
                    {:FunctionName "arn:aws:lambda:us-east-1:############:function:test"}})
;; => {:message "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.", :cognitect.anomalies/category :cognitect.anomalies/forbidden}

;; Partial ARN returns same error.
(aws/invoke lambda {:op :Invoke
                    :request
                    {:FunctionName "############:function:test"}})
;; => {:message "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.", :cognitect.anomalies/category :cognitect.anomalies/forbidden}

;; FunctionName works
(aws/invoke lambda {:op :Invoke
                    :request
                    {:FunctionName "test"}})
;; => {:StatusCode 200, :ExecutedVersion "$LATEST", :Payload #object[java.io.BufferedInputStream 0x75643efa "java.io.BufferedInputStream@75643efa"]}

For comparison, those same invokes work from the command line

aws lambda invoke --function-name arn:aws:lambda:us-east-1:############:function:test outfile
=> {
    "StatusCode": 200,
    "ExecutedVersion": "$LATEST"
}

[fogus]

@redinger Thank you for the ticket!

According to the page at https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html each path segment in a canonical request should be url-encoded twice (for non-S3 services). However, since we only encode the canonical uri once (code) the signature is off when the full and partial ARNs are used. Changing the code to sign twice was shown to fix the problem but more thought needs to go into if this is the correct general fix. More to come.

[parlir]

I am also encountering this, is there any update or work around you can recommend? In my case I'm pulling the ARN off of GetResource API call (which would only have ARN).

[dchelimsky]

Fix merged, release coming shortly ....

[dchelimsky]

Released in com.cognitect.aws-api "0.8.615"