Reputation: 870
I have managed to deploy a simple hello world app with zappa; however, when I visit the URL the app is deployed to, all I get is:
{"message": "Internal server error"}
When I tried to run zappa tail production, I receive the error:
botocore.errorfactory.ResourceNotFoundException: An error occurred (ResourceNotFoundException) when calling the DescribeLogStreams operation: The specified log group does not exist.
I'm running Windows 10, Python 3.6 and Zappa 0.45.1.
The virtual environment uses:
argcomplete==1.9.2
base58==0.2.4
boto3==1.7.5
botocore==1.10.5
certifi==2018.4.16
cfn-flip==1.0.3
chardet==3.0.4
click==6.7
docutils==0.14
durationpy==0.5
Flask==0.12.2
future==0.16.0
hjson==3.0.1
idna==2.6
itsdangerous==0.24
Jinja2==2.10
jmespath==0.9.3
kappa==0.6.0
lambda-packages==0.19.0
MarkupSafe==1.0
placebo==0.8.1
python-dateutil==2.6.1
python-slugify==1.2.4
PyYAML==3.12
requests==2.18.4
s3transfer==0.1.13
six==1.11.0
toml==0.9.4
tqdm==4.19.1
troposphere==2.2.1
Unidecode==1.0.22
urllib3==1.22
virtualenv==15.2.0
Werkzeug==0.14.1
wsgi-request-logger==0.4.6
zappa==0.45.1
My app.py looks like:
from flask import Flask

app = Flask(__name__)


@app.route('/', methods=['GET'])
def helloworld(event=None, context=None):
    return 'hello from Flask!'


if __name__ == '__main__':
    app.run()
My zappa_settings.json is:
{
    "production": {
        "app_function": "app.app",
        "aws_region": "us-west-2",
        "profile_name": "default",
        "project_name": "zappa-test",
        "runtime": "python3.6",
        "s3_bucket": "zappa-ds-app-0000",
        "manage_roles": false,
        "role_name": "zappa-datascience",
        "keep_warm": false
    }
}
Upvotes: 1
Views: 1728
Reputation: 870
Resolved the issue: API Gateway wasn't creating the log groups because it didn't have sufficient permission. I added the Zappa role I created in AWS API Gateway > Settings, "CloudWatch log role ARN".
Upvotes: 1
Reputation: 1745
You are managing your own roles. Almost certainly, you did not give Zappa permission to do something it needs to do. Apparently, one thing it doesn't have permission to do is create the log group it wants to, which follows a naming convention based (IIRC) on the directory name and the Zappa profile name (production).
If you remove manage_roles and role_name, you'll get a user that has all the permissions that Zappa needs and then some. You can then start removing them until you have a minimal set of requirements.
After some trial and error, I found that the following was the good minimum set for a basic application.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:CreateExportTask",
                "logs:PutDestination",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:xxxxxxxxxxxxxxxxxxxx:log-group:/aws/lambda/projectname-profilename:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:us-east-1:xxxxxxxxxxxxxxx:function:projectname-profilename"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Lambda also needs to be able to assume this profile in order to run. So you must also edit your trust relationships:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "s3.amazonaws.com",
                    "events.amazonaws.com",
                    "apigateway.amazonaws.com",
                    "lambda.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
If you have to talk to a database server, be sure to assign a VPC and security group as well.
Upvotes: 0
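The two answers above come down to checks that can be linted offline before a deploy with manage_roles set to false: Lambda and API Gateway must both be able to assume the role, and its scoped ARNs must match the stage being deployed. This is an added example, not code from the posts or from Zappa; lint_role, the sample data and the <project_name>-<stage> function-name convention are assumptions.

```python
def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_role(settings, stage, policy, trust):
    """Findings for a hand-managed role (manage_roles: false) used by one Zappa stage."""
    cfg = settings[stage]
    region = cfg["aws_region"]
    fn_name = f"{cfg['project_name']}-{stage}"  # assumed naming: <project_name>-<stage>
    findings = []
    # 1. Lambda and API Gateway must both be allowed to assume the role.
    trusted = set()
    for st in _as_list(trust["Statement"]):
        principal = st.get("Principal")
        if (st.get("Effect") == "Allow" and isinstance(principal, dict)
                and "sts:AssumeRole" in _as_list(st.get("Action", []))):
            trusted.update(_as_list(principal.get("Service", [])))
    for svc in ("lambda.amazonaws.com", "apigateway.amazonaws.com"):
        if svc not in trusted:
            findings.append(f"trust: {svc} cannot assume the role")
    # 2. Scoped logs/lambda ARNs must name this stage's region and function.
    prefixes = {"logs": "log-group:/aws/lambda/", "lambda": "function:"}
    for st in _as_list(policy["Statement"]):
        for arn in _as_list(st.get("Resource", [])):
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            if arn == "*":  # listed so each wildcard grant gets a manual review
                findings.append("wildcard: " + ",".join(_as_list(st.get("Action", []))))
            elif len(parts) == 6 and parts[2] in prefixes:
                target = prefixes[parts[2]] + fn_name
                if parts[3] != region:
                    findings.append(f"region: {parts[2]} ARN uses {parts[3]}, stage uses {region}")
                if parts[5] != target and not parts[5].startswith(target + ":"):
                    findings.append(f"name: {parts[2]} ARN does not target {fn_name}")
    return findings

# Constructed sample: the question's stage settings with a role whose logs ARN was
# copied from another region (account id 111111111111 is a placeholder).
SETTINGS = {"production": {"aws_region": "us-west-2", "project_name": "zappa-test"}}
POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "logs:PutLogEvents"],
     "Resource": ["arn:aws:logs:us-east-1:111111111111:log-group:/aws/lambda/zappa-test-production:*"]},
    {"Effect": "Allow", "Action": ["lambda:InvokeFunction"],
     "Resource": ["arn:aws:lambda:us-west-2:111111111111:function:zappa-test-production"]},
    {"Effect": "Allow", "Action": ["xray:PutTraceSegments"], "Resource": "*"}]}
TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"Service": ["lambda.amazonaws.com"]}}]}

if __name__ == "__main__":
    for finding in lint_role(SETTINGS, "production", POLICY, TRUST):
        print(finding)
```

The check compares ARN fields only; it does not evaluate Deny statements or Condition keys, so treat an empty result as "consistent with the stage", not as proof the role is sufficient.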