3

I'm facing one of these "AWS Lambda node.js timeout when trying to access DynamoDB" issues, but the symptoms appear different and the solutions I found don't solve this issue.

Timeout is set to 5min, memory is set to 128MB but doesn't exceed 30MB usage.
IAM policies for the role are:

  • AWSLambdaFullAccess
  • AmazonDynamoDBFullAccess
  • AWSLambdaVPCAccessExecutionRole

The default VPC has 7 security groups and includes the default security group with:

  • Inbound: All Traffic, All protocol, All port range,
  • Outbound: All Traffic, All protocol, All port range, 0.0.0.0/0

Here is the code:

```javascript
var aws = require('aws-sdk');

exports.handler = function(event, context) {
  var dynamo = new aws.DynamoDB();

  dynamo.listTables(function(err, data) {
    if (err) {
      context.fail('Failed miserably:' + err.stack);
    } else {
      context.succeed('Function Finished! Data :' + data.TableNames);
    }
  });
};
```

And the Outcome:

```
START RequestId: 5d2a0294-fb6d-11e6-989a-edaa5cb75cba Version: $LATEST
END RequestId: 5d2a0294-fb6d-11e6-989a-edaa5cb75cba
REPORT RequestId: 5d2a0294-fb6d-11e6-989a-edaa5cb75cba  Duration: 300000.91 ms  Billed Duration: 300000 ms  Memory Size: 128 MB Max Memory Used: 21 MB
2017-02-25T15:21:21.778Z 5d2a0294-fb6d-11e6-989a-edaa5cb75cba Task timed out after 300.00 seconds
```

The related node.js version issue solved here doesn't work for me and returns a "ReferenceError: https is not defined at exports.handler (/var/task/index.js:6:16)". Also AWS has deprecated version 0.10.
Here is the code with the https reference:

```javascript
var aws = require('aws-sdk');

exports.handler = function(event, context) {
  var dynamo = new aws.DynamoDB({
    httpOptions: {
      agent: new https.Agent({
        rejectUnauthorized: true,
        secureProtocol: "TLSv1_method",
        ciphers: "ALL"
      })
    }
  });

  dynamo.listTables(function(err, data) {
    if (err) {
      context.fail('Failed miserably:' + err.stack);
    } else {
      context.succeed('Function Finished! Data :' + data.TableNames);
    }
  });
};
```

Outcome:

```
START RequestId: 6dfd3db7-fae0-11e6-ba81-a52f5fc3c3eb Version: $LATEST
2017-02-24T22:27:31.010Z    6dfd3db7-fae0-11e6-ba81-a52f5fc3c3eb    ReferenceError: https is not defined
    at exports.handler (/var/task/index.js:6:16)
END RequestId: 6dfd3db7-fae0-11e6-ba81-a52f5fc3c3eb
REPORT RequestId: 6dfd3db7-fae0-11e6-ba81-a52f5fc3c3eb  Duration: 81.00 ms  Billed Duration: 100 ms     Memory Size: 128 MB Max Memory Used: 26 MB
RequestId: 6dfd3db7-fae0-11e6-ba81-a52f5fc3c3eb Process exited before completing request
```

With a timeout set to 5min I can't believe that AWS wouldn't be able to return the list of tables in the allocated timeframe and permission issues typically appear in the logs.

Thanks for looking into this.

prg281
  • Update: using "No VPC" allows for proper completion so it is definitely a VPC issue: START RequestId: 11930536-fb72-11e6-a386-25115dc82eee Version: $LATEST END RequestId: 11930536-fb72-11e6-a386-25115dc82eee REPORT RequestId: 11930536-fb72-11e6-a386-25115dc82eee Duration: 978.54 ms Billed Duration: 1000 ms Memory Size: 128 MB Max Memory Used: 28 MB How can I troubleshoot the VPC mis-configurations? – prg281 Feb 25 '17 at 15:52
  • Obviously the VPC is your real issue, but regarding the `https is not defined` issue, you just need to add `var https = require('https')` to the top of your file. – idbehold Feb 25 '17 at 16:20
  • Does the VPC that you're running this Lambda function in have a NAT gateway? Can instances in your selected VPC & subnet that only have private IPs actually route to the internet? – jarmod Feb 25 '17 at 16:27
  • Thanks @idbehold; I'll try that. – prg281 Feb 25 '17 at 20:15
  • @jarmod: there is no NAT - would I simply need a NAT to the internet? – prg281 Feb 25 '17 at 20:18
  • See http://docs.aws.amazon.com/lambda/latest/dg/vpc.html#vpc-internet - if your Lambda function requires Internet access (for example, to access AWS services that don't have VPC endpoints, such as Amazon Kinesis), you can configure a NAT instance inside your VPC or you can use the Amazon VPC NAT gateway. – jarmod Feb 26 '17 at 01:19

2 Answers

3

I guess your Lambda is in a private subnet. In this case, by default your Lambda will not have outbound internet access. You need to create a NAT Gateway or NAT Instance to let VPC-protected resources access the outside Internet. The DynamoDB API is on the outside Internet from the VPC's point of view.

Cagatay Gurturk
3

You no longer need to create a NAT gateway/instance.

You can create a VPC Endpoint for Dynamo DB which will open Lambda in the private subnet to access Dynamo. Create an endpoint in your VPC that aligns to the VPC/subnet setup you have for Lambda and you will have no issues with access.

You can limit access to specific services or resources.

https://aws.amazon.com/blogs/aws/new-vpc-endpoints-for-dynamodb/

This can be done for any global AWS service, S3, etc.

EoinS
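The answer above notes that an endpoint can limit access to specific resources; the following builds a DynamoDB gateway endpoint request with a policy that allows only named actions on named tables. It is an added example, not code from the original answers: the helper names are hypothetical and the region, account id, VPC id, route table id and table name are constructed placeholders. `ListTables`, the call used in the question, cannot be scoped to a table ARN, so it is placed in its own statement with `Resource: "*"`.

```javascript
// Actions DynamoDB does not scope to a table ARN (this list is not exhaustive).
const ACCOUNT_LEVEL = new Set(['dynamodb:ListTables']);
const TABLE_ARN = /^arn:aws:dynamodb:[a-z0-9-]+:\d{12}:table\/[A-Za-z0-9_.-]+$/;

// Build an endpoint policy that lets only the named actions on the named
// tables through the endpoint. Wildcard actions are rejected on purpose.
function buildEndpointPolicy(tableArns, actions) {
  const badArn = tableArns.find((arn) => !TABLE_ARN.test(arn));
  if (badArn) throw new Error('not a table ARN: ' + badArn);
  const badAction = actions.find((a) => !/^dynamodb:[A-Za-z]+$/.test(a));
  if (badAction) throw new Error('not a concrete DynamoDB action: ' + badAction);

  const tableActions = actions.filter((a) => !ACCOUNT_LEVEL.has(a));
  const accountActions = actions.filter((a) => ACCOUNT_LEVEL.has(a));
  const statements = [];
  if (tableActions.length) {
    if (!tableArns.length) throw new Error('table actions need at least one table ARN');
    statements.push({ Effect: 'Allow', Principal: '*', Action: tableActions, Resource: tableArns });
  }
  if (accountActions.length) {
    statements.push({ Effect: 'Allow', Principal: '*', Action: accountActions, Resource: '*' });
  }
  if (!statements.length) throw new Error('no actions given');
  return { Version: '2012-10-17', Statement: statements };
}

// Parameters for EC2 createVpcEndpoint (gateway type, attached to route tables).
function buildEndpointParams(region, vpcId, routeTableIds, policy) {
  return {
    VpcId: vpcId,
    ServiceName: 'com.amazonaws.' + region + '.dynamodb',
    VpcEndpointType: 'Gateway',
    RouteTableIds: routeTableIds,
    PolicyDocument: JSON.stringify(policy)
  };
}

// Makes the real API call; aws-sdk is loaded here so the builders above run offline.
function createEndpoint(region, params, callback) {
  const aws = require('aws-sdk');
  new aws.EC2({ region: region }).createVpcEndpoint(params, callback);
}

// Constructed sample values (placeholders, not from the original post).
const samplePolicy = buildEndpointPolicy(
  ['arn:aws:dynamodb:us-east-1:123456789012:table/ExampleTable'],
  ['dynamodb:GetItem', 'dynamodb:Query', 'dynamodb:ListTables']
);
const sampleParams = buildEndpointParams('us-east-1', 'vpc-0example', ['rtb-0example'], samplePolicy);
```

The route tables passed in must be the ones associated with the subnets the Lambda function runs in, otherwise its traffic never reaches the endpoint.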