bug: When using localstack with serverless always got Invalid token

[xochilpili]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Receiving "The security token included in the request is invalid." error when trying to access SSM Parameters from Serverless lambda in Typescript project.

Expected Behavior

Read correctly SSM parameters.

How are you starting LocalStack?

With a docker-compose file

Steps To Reproduce

docker-composer:

version: '3'

services:
    localstack:
      network_mode: bridge
      image: localstack/localstack:latest
      container_name: localstack
      environment:
       - SERVICES=secretsmanager,ssm,events
       - PERSISTENCE=1
      ports:
        - 4566:4566
        - 4510-4559:4510-4559
      volumes_from:
        - data:rw
    mongo:
      image: mongo:4.4.16
      container_name: workflows_mongo
      environment:
        - MONGO_INITDB_DATABASE=agentcollab
      volumes_from:
        - data:rw
      ports:
        - 27017:27017
    data:
      image: debian:wheezy
      command: /bin/true
      volumes:
        - /data/db

serverless.ts

import type { AWS } from '@serverless/typescript';
const serverlessConfiguration: AWS = {
	service: 'test-serverless',
	frameworkVersion: '3',
	plugins: ['serverless-esbuild', 'serverless-localstack', 'serverless-offline'],
	provider: {
		name: 'aws',
		stage: 'dev',
		runtime: 'nodejs14.x',
		profile: 'local', 
		apiGateway: {
			minimumCompressionSize: 1024,
			shouldStartNameWithService: true,
		},
		environment: {
			AWS_NODEJS_CONNECTION_REUSE_ENABLED: '1',
			NODE_OPTIONS: '--enable-source-maps --stack-trace-limit=1000',
		},
	},
	// import the function via paths
	functions: {
		profile: {
			handler: 'src/lambdas/second_service/index.handler',
			events: [
				{
					http: {
						method: 'POST',
						path: '/profile',
					},
				},
			],
		},
	},
	package: { individually: true },
	custom: {
		localstack: {
			stages: ['dev'],
			host: 'http://localhost:4566',
		},
		esbuild: {
			bundle: true,
			minify: false,
			sourcemap: true,
			exclude: ['aws-sdk'],
			target: 'node14',
			define: { 'require.resolve': undefined },
			platform: 'node',
			concurrency: 10,
		},
	},
};
module.exports = serverlessConfiguration;

Creating a new SSM Parameter using:

aws --endpoint-url=http://localhost:4566 ssm put-parameter --name "/secure/aue1/d1/agentcollab/mongo_url" --type String --value "mongodb://localhost:27017/agentcollab" --overwrite --region 'us-east-1'

From terminal when getting SSM Parameters:

aws ssm get-parameters --names "/secure/aue1/d1/agentcollab/mongo_url" --endpoint-url http://127.0.0.1:4566 --region 'us-east-1'

Got:

{
    "Parameters": [
        {
            "Name": "/secure/aue1/d1/agentcollab/mongo_url",
            "Type": "String",
            "Value": "mongodb://localhost:27017/agentcollab",
            "Version": 1,
            "LastModifiedDate": "2024-01-31T17:19:36.092000-06:00",
            "ARN": "arn:aws:ssm:us-east-1:000000000000:parameter/secure/aue1/d1/agentcollab/mongo_url",
            "DataType": "text"
        }
    ],
    "InvalidParameters": []
}

Lambda:

const service: Handler = async (event: APIGatewayProxyEvent): Promise<LambdaResponse> => {
	try {
		const ssm = new SSM();
		const result = await ssm.getParameter({ Name: '/secure/aue1/d1/agentcollab/mongo_url', WithDecryption: true }).promise();
		console.log('ssm', result.Parameter?.Value);
		return { statusCode: 200, body: "always wrong"}
	} catch (error) {
		console.log(error);
	}
};
export const handler = middyfy(service);

Starting offline :
serverless offline start

Then test the lamda with:
curl -X POST http://localhost:3000/dev/profile -d '"{"name": "fake"}"'
And the result is:
UnrecognizedClientException: The security token included in the request is invalid.

aws/credentials:

[local]
region=us-east-1
aws_access_key_id = test
aws_secret_access_key = test

Environment

- OS: Fedora 38
- LocalStack: latest

Anything else?

No response

[localstack-bot]

Welcome to LocalStack! Thanks for reporting your first issue and our team will be working towards fixing the issue for you or reach out for more background information. We recommend joining our Slack Community for real-time help and drop a message to LocalStack Pro Support if you are a Pro user! If you are willing to contribute towards fixing this issue, please have a look at our contributing guidelines and our contributing guide.

[joe4dev]

Hi @xochilpili

Your Lambda function is likely trying to connect to real AWS instead of LocalStack because the JavaScript AWS SDK does is not configured to connect to LocalStack. Please checkout our JavaScript AWS SDK documentation for examples depending on your SDK version.
With our localstack-pro image, you could use Transparent Endpoint Injection.

Configuration:

• PERSISTENCE=1 only works with our localstack-pro image
• SERVICES=secretsmanager,ssm,events can be removed until you want to enforce only loading these services. See our Configuration documentation.

Networking:
The blog post How we are making connecting to LocalStack easier could help to facilitate your networking setup.

Is there a particular reason why you are using serverless-offline? Could LocalStack be used instead?

[localstack-bot]

Hello 👋! It looks like this issue hasn’t been active in longer than two weeks. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.