Can I access ziti services inside lambda/cloudrun?

Let's say I'm running a Lambda (AWS) or Cloud Run (GCP) function and it is supposed to call one of my ziti services via HTTP with a ziti domain.

What are the patterns that can be adopted to make this work?

Generally it does depend on what you're doing and how, and I think you'll need to adopt an OpenZiti SDK. It's generally relatively easy to deploy that sort of solution on any compute anywhere.

There's a blog from a couple of years ago that I think might help:


I tried running the code in Cloud Run, where I would deploy the code zipped with tunnel.json (that has the client identity) and would run:

```python
import json
import os
import time

import flask
import functions_framework
import openziti
import requests
from flask import jsonify

# download_file_from_s3() is the poster's own helper; its definition is not shown in the post.


@functions_framework.http
def lambda_handler(request: flask.Request):
    if not os.path.exists("tunnel.json"):
        download_file_from_s3("ziti/tunnel.json", "tunnel.json")
    if os.path.exists("tunnel.json"):
        # Point the OpenZiti SDK at the identity file
        os.environ["ZITI_IDENTITIES"] = "tunnel.json"
        print("ZITI_IDENTITIES", os.environ["ZITI_IDENTITIES"])
        print("Enrolled successfully")
        with openziti.monkeypatch():
            # Retry the request up to 10 times
            retries = 0
            while retries < 10:
                try:
                    print(f"Attempt {retries + 1} to fetch data from the app.")
                    # Confirm the identity file is readable without echoing it:
                    # tunnel.json holds the identity's private key and must not reach the logs.
                    print("tunnel.json size:", os.path.getsize("tunnel.json"))

                    r = requests.get('http://testapp-app-c79824f1-8b5d-indexify.kloudsoft.co:8000/files/namespaces')
                    print(f"Response received with status code {r.status_code}")
                    print("json response is", r.json())
                    return {
                        'statusCode': 200,
                        'body': json.dumps(r.json())
                    }

                except Exception as e:
                    retries += 1
                    print(f"Attempt {retries} failed: {e}")
                    time.sleep(1)
        return jsonify({"error": "Failed to retrieve data after multiple attempts"}), 500
    else:
        download_file_from_s3("ziti/tunnel.json", "tunnel.json")

    return jsonify({"message": "Tunnel file not found, downloading..."}), 404
```


When I run the same thing locally I get a response:

(indexify) ➜  terraform-ovh-trino git:(main) ✗ python3 ziti.py
Enrolled successfully
ZITI_IDENTITIES tunnel.json
200
{'namespaces': [{'name': 'dev', 'created_at': 1747208546854}]}
(47783)[        7.821]   ERROR ziti-sdk:channel.c:904 on_channel_connect_internal() ch[1] failed to connect to ER[router5] [-3008/unknown node or service]

I am making sure I'm passing the identity JSON and also setting up the right environment variables for the OpenZiti SDK to use it. Not sure why it's not calling the ziti API in Cloud Run.

While it shows error

(47783)[        7.821]   ERROR ziti-sdk:channel.c:904 on_channel_connect_internal() ch[1] failed to connect to ER[router5] [-3008/unknown node or service]

that seems normal because it is even returned locally, but the difference is that locally I also get a response from the API request and then there is this extra line of error message.

My guess is that your routers are not advertising a globally resolvable address and the lambda can't connect to your routers. I don't think this is a ziti-thing, per se, other than how you have the overlay configured.

I don't think we'll be able to really help you with that issue though. Check "router5" (or all your routers) and make sure they are all resolvable from anywhere.

But other machines that run the Python script instead of Cloud Run can actually reach that service, so I confirmed the router is resolvable.

I don't think I'll be able to help here. I don't know how your lambda/cloudrun are set up. If it's not resolving the routers, you could try an IP address. You might need to check the network policies etc. It doesn't sound like an OpenZiti problem to me, sounds like a firewall/security group sort of thing.
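
The resolvability and firewall checks suggested in the reply above can be run from inside the function itself. This is an added example, not part of the thread or of OpenZiti: it classifies why a TCP connection to a router's advertised address fails, and the router hostname and port in it are constructed placeholders.

```python
import socket

# What each outcome usually points to when a serverless runtime cannot reach a router.
HINTS = {
    "ok": "TCP path to the router is open from this runtime",
    "dns_failure": "advertised name does not resolve from this runtime",
    "timeout": "packets are dropped: check egress rules, VPC connector, security groups",
    "refused": "host is reachable but nothing is listening on that port",
    "unreachable": "no route from this runtime to the address",
}


def check_endpoint(host, port, timeout=3.0):
    """Classify how a TCP connection to host:port fails (or succeeds)."""
    try:
        # Resolve first so a DNS problem is reported separately from a network one.
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"


def preflight(endpoints, timeout=3.0):
    """Check every (host, port) pair and return {"host:port": (status, hint)}."""
    report = {}
    for host, port in endpoints:
        status = check_endpoint(host, port, timeout)
        report[f"{host}:{port}"] = (status, HINTS[status])
    return report


if __name__ == "__main__":
    # Constructed placeholder: replace with the address and port your router advertises.
    ROUTERS = [("router5.example.invalid", 443)]
    for endpoint, (status, hint) in preflight(ROUTERS).items():
        print(f"{endpoint}: {status} ({hint})")
```

Calling `preflight()` at the start of the handler and logging the result shows whether the failure is name resolution or a dropped connection before the SDK is involved.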

OK, I do see

Uncaught signal: 11, pid=10, tid=10, fault_addr=68904613304592.

as well at times.

Just curious if anyone has experienced this?