Bug: can't use deployed/remote authorizer with sam local start-api

[brandon-burciaga]

Description:

I know using a local authorizer was released in I think version 1.80.0, which is great. However, I want to be able to use an already deployed authorizer while running sam local start-api. This authorizer is in it's own repo and is brought into other SAM repos like this, using it's ARN:

Example template:

Resources:
  BaseApi:
    Type: AWS::Serverless::Api
    Properties:
      Auth:
        DefaultAuthorizer: MyAuth
        AddDefaultAuthorizerToCorsPreflight: false
        Authorizers:
          MyAuth:
            FunctionPayloadType: REQUEST
            FunctionArn: !Sub 'arn:aws:lambda:us-east-1:123123123123:function:my-jwt-authorizer-${Env}'
            Identity:
              ReauthorizeEvery: 0

This does not work, and the error output can be seen below.

Steps to reproduce:

1. Deploy an authorizer to AWS in it's own repository
2. Attempt to use that authorizer in another repo template.yml by using it's FunctionARN.
3. Run sam local start-api
4. Call a function
5. See the error output above

Observed result:

sam     my-jwt-authorizer-dev not found. Possible options in your template: [...]

sam    Failed to find a Function to invoke a Lambda authorizer, verify that this Function exists locally if it is not a remote resource.                                                                                                sam    | Lambda authorizer failed to invoke successfully: FunctionNotFound 

Expected result:

The deployed authorizer to be referenced correctly by it's ARN and ran before running the local Lambda function.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

1. OS:
2. sam --version:
3. AWS region:

# Paste the output of `sam --info` here

 "version": "1.86.1",                                                                                                 
"system": {
    "python": "3.11.3",
    "os": "Linux-5.10.16.3-microsoft-standard-WSL2-x86_64-with-glibc2.31"                                              },                                                                                                                   "additional_dependencies": {                                                                                           "docker_engine": "23.0.3",                                                                                           "aws_cdk": "2.69.0 (build 60a5b2a)",                                                                                 "terraform": "1.3.3"                                                                                               },                                                                                                                   "available_beta_feature_env_vars": [                                                                                   "SAM_CLI_BETA_FEATURES",                                                                                             "SAM_CLI_BETA_BUILD_PERFORMANCE",                                                                                    "SAM_CLI_BETA_TERRAFORM_SUPPORT",                                                                                    "SAM_CLI_BETA_RUST_CARGO_LAMBDA"                                                                                   ]                                                                                                                  }  

Add --debug flag to command you are running

[lucashuy]

Hi, thanks for reporting this. Unfortunately, the message is incorrect, sam local start-api does not support invoking a deployed Lambda function when it is referenced with the ARN in the properties like this. The function would have to exist and be defined locally in your template for SAM CLI to find it.

We'll update the message to correctly reflect this.

[brandon-burciaga]

@lucashuy thanks for the comment. Do you think this functionality would be something on the roadmap in the future?

[lucashuy]

Unfortunately I don't have an answer as to whether or not Lambda Authorizers with ARN references to remotely defined Lambda authorizers will be able to be invoked in the future. Should anything change, our roadmap will reflect that.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.