'Parameter Store request timing out inside of AWS Lambda

I'm attempting to access the AWS SSM Parameter store, like this article does. I have tested the lambda function locally and it works as expected. When pushed to AWS, however, the lambda fails when attempting to retreive the config; it times out:

{
    "errorMessage": "2018-09-02T04:55:49.096Z 71a5006a-ae6c-11e8-9322-313ba5e28048 Task timed out after 6.01 seconds"
}

I have the following permissions added to my serverless.yml. I have made it as unrestricted as possible to try to find where the error is. Additionally, the parameter is just a string, so it does not use KMS.

service: pwaer-messages-service

provider:
  name: aws
  runtime: nodejs8.10
  vpc:
    securityGroupIds:
      - sg-222f126f
    subnetIds:
      - subnet-756aef12
      - subnet-130f8f3d
  environment:
    NODE_ENV: ${opt:stage, 'dev'}

  iamRoleStatements:
    - Effect: 'Allow'
      Action: 'ssm:**'
      Resource:
        - 'Fn::Join':
          - ':'
          -
            - 'arn:aws:ssm'
            - Ref: 'AWS::Region'
            - Ref: 'AWS::AccountId'
            - 'parameter/*'

functions:
  receiveText:
    handler: dist/receive.handler
    events:
      - http:
          path: sms/parse
          method: post

What am I missing?



Solution 1:[1]

Since mentioned Lambda doesn't have access to the public internet, to access AWS APIs please setup a VPC endpoint.

As per the description - "VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services".

For AWS Systems Manager follow this procedure - Setting Up VPC Endpoints for Systems Manager

Solution 2:[2]

This will happen if your Lambda is in a VPC. You need to do two things:

  1. Expose the aws ssm service as a VPC Endpoint (see @Lech Migdal's answer)
  • the security group for the VPC Endpoint must associate with the security group of the lambda (or service) you wish you allow connectivity
  1. Add a self ingress rule for port 443 to the lambda's security group

CDK Example

const LambdaSecurityGroupIngressRule = new ec2.CfnSecurityGroupIngress(this, "LambdaSecurityGroupIngressRule", {
  groupId: LambdaSecurityGroup.attrGroupId,
  sourceSecurityGroupId: LambdaSecurityGroup.attrGroupId,
  description: "Needed to connect to parameter store from lambda in VPC",
  fromPort: 443,
  ipProtocol: "tcp",
  toPort: 443
})

LambdaSecurityGroupIngressRule.addDependsOn(S3IndexLambdasSecurityGroup)

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Lech Migdal
Solution 2