aws-eventstream not available in Ruby 3.2 lambda runtime

[cnorthwood]

Describe the bug

Requiring aws-sdk-secretsmanager in a Ruby lambda script throws an error relating to a missing library when run in the Lambda environment. Although it is correctly specified as a dependency on the Gem, it seems that this isn't available within AWS's lambda runtime.

Expected Behavior

For require to not throw an error.

Current Behavior

The Lambda fails with the following error

{
    "errorMessage": "cannot load such file -- aws-eventstream",
    "errorType": "Init<LoadError>",
    "stackTrace": [
        "<internal:/var/lang/lib/ruby/site_ruby/3.2.0/rubygems/core_ext/kernel_require.rb>:136:in `require'",
        "<internal:/var/lang/lib/ruby/site_ruby/3.2.0/rubygems/core_ext/kernel_require.rb>:136:in `require'",
        "/var/runtime/ruby/3.2.0/gems/aws-sdk-core-3.191.2/lib/aws-sdk-core/stubbing/protocols/rest.rb:3:in `<top (required)>'",
        "/var/runtime/ruby/3.2.0/gems/aws-sdk-core-3.191.2/lib/aws-sdk-core.rb:69:in `require_relative'",
        "/var/runtime/ruby/3.2.0/gems/aws-sdk-core-3.191.2/lib/aws-sdk-core.rb:69:in `<top (required)>'",
        "<internal:/var/lang/lib/ruby/site_ruby/3.2.0/rubygems/core_ext/kernel_require.rb>:136:in `require'",
        "<internal:/var/lang/lib/ruby/site_ruby/3.2.0/rubygems/core_ext/kernel_require.rb>:136:in `require'",
        "/var/runtime/ruby/3.2.0/gems/aws-sdk-secretsmanager-1.90.0/lib/aws-sdk-secretsmanager.rb:11:in `<top (required)>'",
        "<internal:/var/lang/lib/ruby/site_ruby/3.2.0/rubygems/core_ext/kernel_require.rb>:141:in `require'",
        "<internal:/var/lang/lib/ruby/site_ruby/3.2.0/rubygems/core_ext/kernel_require.rb>:141:in `rescue in require'",
        "<internal:/var/lang/lib/ruby/site_ruby/3.2.0/rubygems/core_ext/kernel_require.rb>:135:in `require'",
        "/var/task/authorizer.rb:3:in `<top (required)>'",
        "<internal:/var/lang/lib/ruby/site_ruby/3.2.0/rubygems/core_ext/kernel_require.rb>:136:in `require'",
        "<internal:/var/lang/lib/ruby/site_ruby/3.2.0/rubygems/core_ext/kernel_require.rb>:136:in `require'"
    ]
}

Reproduction Steps

This is the file which is deployed to Lambda

# frozen_string_literal: true

require "aws-sdk-secretsmanager"

module Authorizer
  SECRETS_MANAGER = Aws::SecretsManager::Client.new

  def self.lambda_handler(event:, context:)
    authorization_header = nil
    event["headers"].each do |header, value|
      authorization_header = value if header.downcase == "authorization"
    end

    secret_response = SECRETS_MANAGER.get_secret_value({ secret_id: ENV.fetch("AUTHORISER_API_KEY_SECRET_ID", nil) })

    { isAuthorized: authorization_header == "Bearer #{secret_response.secret_string}" }
  end
end

Possible Solution

No response

Additional Information/Context

No response

Gem name ('aws-sdk', 'aws-sdk-resources' or service gems like 'aws-sdk-s3') and its version

aws-sdk-core

Environment details (Version of Ruby, OS environment)

Ruby 3.2 lambda runtime

[alextwoods]

Sorry you're running into this. Can you provide a bit more information about how you are configuring your lambda and deploying that file?

I was not able to reproduce when I created a Lambda with Ruby 3.2 runtime (with both x86_64 and arm) in the console - it is able to load aws-sdk-secretsmanager (and aws-eventstreams).

[cnorthwood]

ah, that's interesting... hmm. This is the CDK for this function if that helps

from aws_cdk.aws_lambda import Code, Function, Runtime, LayerVersion

[...]

            Function(
                self,
                "CorporateWebhooksAuthorizerFunction",
                runtime=Runtime.RUBY_3_2,
                handler="authorizer.Authorizer::lambda_handler",
                code=Code.from_asset(
                    os.path.abspath(os.path.join(os.path.dirname(__file__), '..', '..')),
                    bundling={
                        "image": Runtime.RUBY_3_2.bundling_image,
                        "command": [
                            'bash', '-c',
                            ' && '.join([
                                'bundle config set path /asset-output/vendor/bundle',
                                'bundle install --without test development',
                                'cp -au functions/* /asset-output'
                            ])
                        ],
                    }
                ),
                environment={
                    "AUTHORISER_API_KEY_SECRET_ID": api_key_secret.secret_name
                },
                layers=[
                    LayerVersion.from_layer_version_arn(
                        self,
                        "DatadogGemLayer",
                        f"arn:aws:lambda:{Stack.of(self).region}:464622532012:layer:Datadog-Ruby3-2:22"
                    ),
                    LayerVersion.from_layer_version_arn(
                        self,
                        "DatadogExtensionLayer",
                        f"arn:aws:lambda:{Stack.of(self).region}:464622532012:layer:Datadog-Extension:56"
                    )
                ]
            )

[alextwoods]

Hmm - I did confirm the locations/versions of core and aws-eventstream on the Ruby 3.2 lambda env:

/var/runtime/ruby/3.2.0/gems/aws-sdk-core-3.191.2/lib/aws-sdk-core.rb
/var/runtime/ruby/3.2.0/gems/aws-eventstream-1.3.0/lib/aws-eventstream.rb

From the stack trace it does look like our code is loading aws-sdk-core from the same location, so I'm not certain why it wouldn't be able to find aws-eventstream. My best guess is that it could be related to the CDK code from asset or the lambda layers.

What is in the Gemfile you are using and does it include the SDK dependencies?

[cnorthwood]

it looks like this, I put the SDK dependencies into the development dependencies so they're available locally (for unit tests) but not installed in the bundle because it can rely on them in the environment for that. It could be something in the Datadog layers as they're 3rd parties...

source "https://rubygems.org"

group :development do
  gem "aws-sdk-core"
  gem "aws-sdk-secretsmanager"
  gem "datadog-lambda"
  gem "ddtrace"
end

group :test do
  gem "bundler-audit"
  gem "citizens-advice-style", github: "citizensadvice/citizens-advice-style-ruby", tag: "v11.0.0"
  gem "climate_control"
  gem "license_finder"
  gem "rspec"
  gem "rubocop", require: false
end

[alextwoods]

Can you try adding the gem "aws-sdk-secretsmanager" line to your Gemfile outside of the :development group?

[cnorthwood]

that does seem to work (as I'd expect, but I was surprised it didn't work in just the runtime! the Datadog layers might be interfering interestingly and I can dig into that)