'Parameter Store request timing out inside of AWS Lambda
I'm attempting to access the AWS SSM Parameter store, like this article does. I have tested the lambda function locally and it works as expected. When pushed to AWS, however, the lambda fails when attempting to retreive the config; it times out:
{
"errorMessage": "2018-09-02T04:55:49.096Z 71a5006a-ae6c-11e8-9322-313ba5e28048 Task timed out after 6.01 seconds"
}
I have the following permissions added to my serverless.yml
. I have made it as unrestricted as possible to try to find where the error is. Additionally, the parameter is just a string, so it does not use KMS.
service: pwaer-messages-service
provider:
name: aws
runtime: nodejs8.10
vpc:
securityGroupIds:
- sg-222f126f
subnetIds:
- subnet-756aef12
- subnet-130f8f3d
environment:
NODE_ENV: ${opt:stage, 'dev'}
iamRoleStatements:
- Effect: 'Allow'
Action: 'ssm:**'
Resource:
- 'Fn::Join':
- ':'
-
- 'arn:aws:ssm'
- Ref: 'AWS::Region'
- Ref: 'AWS::AccountId'
- 'parameter/*'
functions:
receiveText:
handler: dist/receive.handler
events:
- http:
path: sms/parse
method: post
What am I missing?
Solution 1:[1]
Since mentioned Lambda doesn't have access to the public internet, to access AWS APIs please setup a VPC endpoint.
As per the description - "VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services".
For AWS Systems Manager follow this procedure - Setting Up VPC Endpoints for Systems Manager
Solution 2:[2]
This will happen if your Lambda is in a VPC. You need to do two things:
- Expose the aws ssm service as a VPC Endpoint (see @Lech Migdal's answer)
- the security group for the VPC Endpoint must associate with the security group of the lambda (or service) you wish you allow connectivity
- Add a self ingress rule for port 443 to the lambda's security group
CDK Example
const LambdaSecurityGroupIngressRule = new ec2.CfnSecurityGroupIngress(this, "LambdaSecurityGroupIngressRule", {
groupId: LambdaSecurityGroup.attrGroupId,
sourceSecurityGroupId: LambdaSecurityGroup.attrGroupId,
description: "Needed to connect to parameter store from lambda in VPC",
fromPort: 443,
ipProtocol: "tcp",
toPort: 443
})
LambdaSecurityGroupIngressRule.addDependsOn(S3IndexLambdasSecurityGroup)
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Lech Migdal |
Solution 2 |