Zappa VS serverless-python-requirements

Another alternative is Zappa which is built-in Python Serverless Framework and it serves only that runtime on AWS.

Also, Zappa core team is looking for contributors to manage the project. I don't know why someone would leave a project like this. It had nearly 12k stars on original repo here https://github.com/Miserlou/Zappa and has around 1.7k on the new one.

I used to work for a startup that quickly grew to become one of the biggest Lambda users in my country (according to AWS). The entire business was serverless, not just Lambda but backend DynamoDB, APIGW, Cloudfront, etc. There was maybe 2 EC2 instances in the whole company.

Having seen what that model of development can do from an operational/security/agility/scalability/efficiency perspective, I think the comments on HN about serverless saying "it's just CGI" or that they could do something similar without vendor lockin are honestly laughably ignorant. If you haven't messed with Zappa (https://github.com/Miserlou/Zappa) or Serverless Framework (https://www.serverless.com/) at least a little you are missing out.

I'm using the Zappa framework https://github.com/Miserlou/Zappa with Python and Flask on AWS Lambda. When it raises an exception it appears in the CloudWatch log but is illegible to me. I do get a normal Flask stack trace returned from a HTTP GET in debug builds however.

I have a Python 3.6 - Flask application deployed onto AWS Lambda using Zappa, in which I have an asynchronous task execution function defined using @Task as discussed here

The only similar issue I can find in my Google searches is this page, but I don't know if it's the same issue and the discussion there is going over my head.

Hi u/appliku I think Zappa has been moved from https://github.com/Miserlou/Zappa repo to its own repo and account https://github.com/zappa/Zappa Also, they released version 0.54.0 (Minor version) on Oct 14.

I like deploying on AWS Fargate or AWS Lambda using zappa for very low-cost deployments. Because Lambda has a (always) free tier usage, you can get away with hosting many sites for next-to-nothing with Zappa.

Depending on what you need zappa (https://github.com/Miserlou/Zappa) allows you to run Django in aws lambda which is very cheap (read practically free).

As a Python developer, you probably want to install packages and have your requirements.txt ready. You definitely will require the Serverless Requirements-Plugin

But there is a much better way. In this post, I’ll show you a how, by using the serverless-python-requirements plugin for the Serverless Framework.

Originally posted at Serverless Building web API backends is one of the most popular use cases for Serverless applications. You get the benefit of a simple, scalable backend without the operations overhead. However, if you have a web page that’s making calls to a backend API, you’ll have to deal with the dreaded Cross-Origin Resource Sharing, or CORS. If your web page makes an HTTP request to a different domain than you’re currently on, it needs to be CORS-friendly. If you’ve ever found yourself with the following error: No ‘Access-Control-Allow-Origin’ header is present on the requested resource then this page is for you! In this post, we’ll cover all you need to know about Serverless + CORS. If you don’t care about the specifics, hit the TL;DR section below. Otherwise, we’ll cover: Preflight requests Response headers CORS with custom authorizers CORS with cookie credentials Let’s get started! TL;DR If you want the quick and dirty way to solve CORS in your Serverless application, do this. To handle preflight requests, add the cors: true flag to each HTTP endpoint in your serverless.yml: To handle the CORS headers, return the CORS headers in your response. The main headers are Access-Control-Allow-Origin and Access-Control-Allow-Credentials. You can use the example below, or check out the middleware libraries discussed below to help with this: If you’re using a custom authorizer, you’ll need to add the following CloudFormation in your resources block of serverless.yml: ### CORS Preflight Requests If you’re not making a “simple request”, your browser will send a preflight request to the resource using the OPTIONS method. The resource you're requesting will return with methods that are safe to send to the resource and may optionally return the headers that are valid to send across. Let’s break that down. When does my browser send a preflight request? Your browser will send a preflight request on almost all cross-origin requests. (The exceptions are “simple requests”, but it’s a pretty narrow subset of requests.) Basically, a simple request is only a GET request or a POST request with form data that has no authentication. If you're outside of that, it will need a preflight. If you use a PUT or DELETE request, it will send a preflight. If you use a Content-Type header outside of application/x-www-form-urlencoded, multipart/form-data, or text/plain, it will send a preflight. If you include any headers outside some very basic ones, such as Authentication headers, it will send a preflight. What’s in the response to the preflight request? The response to a preflight request includes the domains it allows to access the resources and the methods it allows at that resource, such as GET, POST, PUT, etc. It may also include headers that are allowed at that resource, such as Authentication. How do I handle preflight requests with Serverless? To set up the preflight response, you’ll need to configure an OPTIONS method handler at your endpoint in API Gateway. Fortunately, this is very simple with the Serverless Framework. Simply add cors: true to each endpoint in your serverless.yml: This configures API Gateway to allow any domain to access, and it includes a basic set of allowed headers. If you want additional customization (advanced usage only), it will look like this: CORS Response Headers While the preflight request only applies to some cross-origin requests, the CORS response headers must be present in every cross-origin request. This means you must add the Access-Control-Allow-Origin header to your responses in your handlers. If you’re using cookies or other authentication, you’ll also need to add the Access-Control-Allow-Credentials header to your response. To match the serverless.yml in the section above, your handler.js file should look like: Note how the response object has a headers property, which contains an object with Access-Control-Allow-Origin and Access-Control-Allow-Credentials. It can be a real pain to add these headers everywhere in your function, particularly if you have multiple logical paths. Luckily, there are some nice tools to help with this! If you use Javascript, check out the Middy middleware engine for use with Lambda. It has a lot of nice middlewares that handle the boring boilerplate of your Lambda functions. One is the cors middleware, which automatically adds CORS headers to your functions. A basic example looks like this: Perfect — automatic CORS headers! Check out the whole Middy library for lots of other nice utilities. If you’re a Pythonista, Daniel Schep has made a nice lambda-decorators library with the same goals as Middy—replacing Lambda boilerplate. Here’s an example of using it in your Python functions: Note: Daniel is the creator of the serverless-python-requirements package, which you should absolutely be using if you're writing Lambda functions in Python. Check out our previous blog post on Python packaging. CORS with custom authorizers Custom authorizers allow you to protect your Lambda endpoints with a function that is responsible for handling authorization. If the authorization is successful, it will forward the request onto the Lambda handler. If it’s unsuccessful, it will reject the request and return to the user. The CORS difficulty lies in the second scenario — if you reject an authorization request, you don’t have the ability to specify the CORS headers in your response. This can make it difficult for the client browser to understand the response. To handle this, you’ll need to add a custom GatewayResponse to your API Gateway. You’ll add this in the resources block of your serverless.yml: This will ensure that the proper response headers are returned from your custom authorizer rejecting an authorization request. CORS with Cookie credentials Note: This section was added on January 29, 2018 thanks to a request from Alex Rudenko. Hat tip to Martin Splitt for a great article on this issue. In the examples above, we’ve given a wildcard “” as the value for the Access-Control-Allow-Origin header. However, if you're making a request using credentials, the wildcard value is not allowed. For your browser to make use of the response, the Access-Control-Allow-Origin response headers *must include the specific origin that made the request. There are two ways you can handle this. First, if you only have one origin website that’s making the request, you can just hardcode that into your Lambda function’s response: If you have multiple origin websites that may be hitting your API, then you’ll need to do a more dynamic approach. You can inspect the origin header to see if its in your list of approved origins. If it is, return the origin value in your Access-Control-Allow-Origin header: In this example, we check if the origin header matches one of our allowed headers. If so, we include the specific origin in our Access-Control-Allow-Origin header, and we state that Access-Control-Allow-Credentials are allowed. If the origin is not one of our allowed origins, we include the standard headers which will be rejected if the origin attempts a credentialed request. Conclusion CORS can be a pain, but there are a few straightforward steps you can take to make it much easier to deal with. You know what that means. Goodbye forever, inexplicable No 'Access-Control-Allow-Origin' header is present on the requested resource error. 👋