AWS Cognito Authorizer Error 500 Execution failed due to an internal error
I'm having an issue with a cognito authorizer and have run out of testing options (that I can think of), so wondered if anyone had experienced similar issues. I've searched the forums and previous instances seem to have been related to an AWS incident and have "resolved themselves". My issue has been going on for over a week.
I have 3 Cognito User Pools built using Terraform (sorry Cloud Formation) and attached to different REST APIs as Cognito Authorizers in API Gateway. I have another 3, almost identical (with the exception of names) attached to another 3 APIs.
If I take a valid JWT, obtained using AWS Amplify (or using the Cognito API directly) and either test the authorizer using the console, test the authorizer using the CLI or make an API request to an end point with auth turned on, I get the following:
"clientStatus": 500,
"log": "Execution failed due to an internal error",
"latency": 28
I've turned API Gateway logging on and it provides little insight:
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Extended Request Id: QOP7MG0ELPEFUBg=
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Starting authorizer: x1rebc for request: 63aac040-e610-11e8-a304-1dab6e773ddd
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Execution failed due to an internal error
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Gateway response type: DEFAULT_5XX with status code: 500
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Gateway response body: "message":null
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Gateway response headers: Access-Control-Allow-Origin=*, Access-Control-Allow-Headers=Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token, Access-Control-Allow-Methods=GET,OPTIONS
If I copy the Terraform script and deploy another User Pool and Authorizer, then attach that to the broken API end point, then all is fine. If I attach one of the other 3 authorizers that are already deployed to the broken API end point then all is fine.
If I attach the authorizer from a broken endpoint to another API end point that is working and has auth turned on (in another API that is working with the working authorizer) then that API end point breaks... so this suggests to me that it is a Cognito issue, and one I can't get any logs about!
If it were almost any other AWS resource I'd bin it, redeploy and start again. However, understanding the root cause of this is quite important to me, since binning a production user pool and all of the users and their details, which can't be exported or migrated (as far as I know) AND reconfiguring a web app to use new Cognito App and User Pool IDs which can't be statically mapped (as far as I know) isn't something I want to risk in a production environment.
Any further info or pointers would be very much appreciated! Thanks,
Tom
aws-api-gateway amazon-cognito terraform terraform-provider-aws
asked Nov 13 '18 at 1:58
Toomy
83
add a comment |
I'm having an issue with a cognito authorizer and have run out of testing options (that I can think of), so wondered if anyone had experienced similar issues. I've searched the forums and previous instances seem to have been related to an AWS incident and have "resolved themselves". My issue has been going on for over a week.
I have 3 Cognito User Pools built using Terraform (sorry Cloud Formation) and attached to different REST APIs as Cognito Authorizers in API Gateway. I have another 3, almost identical (with the exception of names) attached to another 3 APIs.
If I take a valid JWT, obtained using AWS Amplify (or using the Cognito API directly) and either test the authorizer using the console, test the authorizer using the CLI or make an API request to an end point with auth turned on, I get the following:
"clientStatus": 500,
"log": "Execution failed due to an internal error",
"latency": 28
I've turned API Gateway logging on and it provides little insight:
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Extended Request Id: QOP7MG0ELPEFUBg=
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Starting authorizer: x1rebc for request: 63aac040-e610-11e8-a304-1dab6e773ddd
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Execution failed due to an internal error
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Gateway response type: DEFAULT_5XX with status code: 500
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Gateway response body: "message":null
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Gateway response headers: Access-Control-Allow-Origin=*, Access-Control-Allow-Headers=Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token, Access-Control-Allow-Methods=GET,OPTIONS
If I copy the Terraform script and deploy another User Pool and Authorizer, then attach that to the broken API end point, then all is fine. If I attach one of the other 3 authorizers that are already deployed to the broken API end point then all is fine.
If I attach the authorizer from a broken endpoint to another API end point that is working and has auth turned on (in another API that is working with the working authorizer) then that API end point breaks... so this suggests to me that it is a Cognito issue, and one I can't get any logs about!
If it were almost any other AWS resource I'd bin it, redeploy and start again. However, understanding the root cause of this is quite important to me, since binning a production user pool and all of the users and their details, which can't be exported or migrated (as far as I know) AND reconfiguring a web app to use new Cognito App and User Pool IDs which can't be statically mapped (as far as I know) isn't something I want to risk in a production environment.
Any further info or pointers would be very much appreciated! Thanks,
Tom
aws-api-gateway amazon-cognito terraform terraform-provider-aws
asked Nov 13 '18 at 1:58
Toomy
83
add a comment |
I'm having an issue with a cognito authorizer and have run out of testing options (that I can think of), so wondered if anyone had experienced similar issues. I've searched the forums and previous instances seem to have been related to an AWS incident and have "resolved themselves". My issue has been going on for over a week.
I have 3 Cognito User Pools built using Terraform (sorry Cloud Formation) and attached to different REST APIs as Cognito Authorizers in API Gateway. I have another 3, almost identical (with the exception of names) attached to another 3 APIs.
If I take a valid JWT, obtained using AWS Amplify (or using the Cognito API directly) and either test the authorizer using the console, test the authorizer using the CLI or make an API request to an end point with auth turned on, I get the following:
"clientStatus": 500,
"log": "Execution failed due to an internal error",
"latency": 28
I've turned API Gateway logging on and it provides little insight:
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Extended Request Id: QOP7MG0ELPEFUBg=
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Starting authorizer: x1rebc for request: 63aac040-e610-11e8-a304-1dab6e773ddd
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Execution failed due to an internal error
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Gateway response type: DEFAULT_5XX with status code: 500
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Gateway response body: "message":null
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Gateway response headers: Access-Control-Allow-Origin=*, Access-Control-Allow-Headers=Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token, Access-Control-Allow-Methods=GET,OPTIONS
If I copy the Terraform script and deploy another User Pool and Authorizer, then attach that to the broken API end point, then all is fine. If I attach one of the other 3 authorizers that are already deployed to the broken API end point then all is fine.
If I attach the authorizer from a broken endpoint to another API end point that is working and has auth turned on (in another API that is working with the working authorizer) then that API end point breaks... so this suggests to me that it is a Cognito issue, and one I can't get any logs about!
If it were almost any other AWS resource I'd bin it, redeploy and start again. However, understanding the root cause of this is quite important to me, since binning a production user pool and all of the users and their details, which can't be exported or migrated (as far as I know) AND reconfiguring a web app to use new Cognito App and User Pool IDs which can't be statically mapped (as far as I know) isn't something I want to risk in a production environment.
Any further info or pointers would be very much appreciated! Thanks,
Tom
aws-api-gateway amazon-cognito terraform terraform-provider-aws
asked Nov 13 '18 at 1:58
Toomy
83
I'm having an issue with a cognito authorizer and have run out of testing options (that I can think of), so wondered if anyone had experienced similar issues. I've searched the forums and previous instances seem to have been related to an AWS incident and have "resolved themselves". My issue has been going on for over a week.
I have 3 Cognito User Pools built using Terraform (sorry Cloud Formation) and attached to different REST APIs as Cognito Authorizers in API Gateway. I have another 3, almost identical (with the exception of names) attached to another 3 APIs.
If I take a valid JWT, obtained using AWS Amplify (or using the Cognito API directly) and either test the authorizer using the console, test the authorizer using the CLI or make an API request to an end point with auth turned on, I get the following:
"clientStatus": 500,
"log": "Execution failed due to an internal error",
"latency": 28
I've turned API Gateway logging on and it provides little insight:
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Extended Request Id: QOP7MG0ELPEFUBg=
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Starting authorizer: x1rebc for request: 63aac040-e610-11e8-a304-1dab6e773ddd
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Execution failed due to an internal error
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Gateway response type: DEFAULT_5XX with status code: 500
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Gateway response body: "message":null
00:17:50 (63aac040-e610-11e8-a304-1dab6e773ddd) Gateway response headers: Access-Control-Allow-Origin=*, Access-Control-Allow-Headers=Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token, Access-Control-Allow-Methods=GET,OPTIONS
If I copy the Terraform script and deploy another User Pool and Authorizer, then attach that to the broken API end point, then all is fine. If I attach one of the other 3 authorizers that are already deployed to the broken API end point then all is fine.
If I attach the authorizer from a broken endpoint to another API end point that is working and has auth turned on (in another API that is working with the working authorizer) then that API end point breaks... so this suggests to me that it is a Cognito issue, and one I can't get any logs about!
If it were almost any other AWS resource I'd bin it, redeploy and start again. However, understanding the root cause of this is quite important to me, since binning a production user pool and all of the users and their details, which can't be exported or migrated (as far as I know) AND reconfiguring a web app to use new Cognito App and User Pool IDs which can't be statically mapped (as far as I know) isn't something I want to risk in a production environment.
Any further info or pointers would be very much appreciated! Thanks,
Tom
aws-api-gateway amazon-cognito terraform terraform-provider-aws
aws-api-gateway amazon-cognito terraform terraform-provider-aws
asked Nov 13 '18 at 1:58
Toomy
83
asked Nov 13 '18 at 1:58
Toomy
83
asked Nov 13 '18 at 1:58
Toomy
83
asked Nov 13 '18 at 1:58
Toomy
83
asked Nov 13 '18 at 1:58
Toomy
83
83
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53272693%2faws-cognito-authorizer-error-500-execution-failed-due-to-an-internal-error%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53272693%2faws-cognito-authorizer-error-500-execution-failed-due-to-an-internal-error%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
