Fix deployment from MacOS and other non-Linux/x86_64 hosts#167
Open
matthewhall79 wants to merge 1 commit into
Open
Fix deployment from MacOS and other non-Linux/x86_64 hosts#167matthewhall79 wants to merge 1 commit into
matthewhall79 wants to merge 1 commit into
Conversation
User Docker or Podman to build a Lambda-compatible layer on non linux/amd64 hosts.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This fixes a deployment issue in the v2 stack where Lambda layer dependencies are built on the local host, which can produce incompatible native binaries for AWS Lambda. In practice, this breaks JWT verification in the API authorizer when
cryptographyis installed from a non-Linux environment, causing the authorizer to fail at import time and return Deny.The change updates
deploy-v2.shto build layer dependencies in a Lambda-compatible container by default.Root Cause
#164 added RS256 JWT verification with
pyjwt[crypto]/cryptography. Those packages include native components. The existing deploy flow installed layer dependencies directly on the machine running the deploy script, which is not safe on Mac OS or other non-Linux/x86_64 environments. This produced runtime errors like the following inside the API authorizer path, which then fell back to a deny policy and caused authenticated API requests to fail.Fix Description
install_lambda_layer_dependencies()helper todeploy-v2.sh.public.ecr.aws/lambda/python:3.10linux/amd64License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.