
I have a Lambda function that invokes after an S3 object put. It connects to another EC2 instance and runs a bash script. I've confirmed the bash script, and the Python code outside of the Lambda function, work as they should. Wrapping it, however, produces the same error that I can't figure out. The role attached to the Lambda appears to have all required EC2 and S3 policies attached. No VPC is attached to the Lambda function either.

Code:

import boto3
import botocore
import paramiko

def lambda_handler(event, context):
    # Fetch the SSH private key from S3 into Lambda's writable /tmp directory
    s3_client = boto3.client('s3')
    s3_client.download_file('mycluster', 'keys/ec2box.pem',
                            '/tmp/ec2box.pem')

    k = paramiko.RSAKey.from_private_key_file('/tmp/ec2box.pem')
    c = paramiko.SSHClient()
    # AutoAddPolicy accepts whatever host key the server presents,
    # so the server's identity is not verified
    c.set_missing_host_key_policy(paramiko.AutoAddPolicy())

    c.connect(hostname='99.99.9999', username='centos', pkey=k)

    commands = [
        "cd /home/dir1/;chmod +x file.sh;nohup ./file.sh > logs/program"
    ]
    for command in commands:
        print("Executing {}".format(command))
        stdin, stdout, stderr = c.exec_command(command)
        print(stdout.read())
        print(stderr.read())

    c.close()

    return {
        'message': "Script execution completed. See Cloudwatch logs for complete output"
    }

My error:

[Errno 110] Connection timed out: error
Traceback (most recent call last):
  File "/var/task/pythonprogram.py", line 17, in lambda_handler
    c.connect(hostname='99.99.9999', username='centos', pkey=k)
  File "/var/task/paramiko/client.py", line 338, in connect
    retry_on_signal(lambda: sock.connect(addr))
  File "/var/task/paramiko/util.py", line 279, in retry_on_signal
    return function()
  File "/var/task/paramiko/client.py", line 338, in <lambda>
    retry_on_signal(lambda: sock.connect(addr))
  File "/usr/lib64/python2.7/socket.py", line 228, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 110] Connection timed out

Any ideas?


2 Answers

Figured it out, and honestly this was so blatantly obvious but hopefully it helps a Googler. Look at the security groups of the EC2 instance you're SSHing to and be sure it's actually open. Mine was locked down fairly tight and all I had to do was add a new TCP inbound rule to allow the traffic that was needed.

  • So your SSH server was actually not working at all? => Your question is not about Python, Paramiko nor Lambda? – Martin Prikryl Aug 20 '18 at 17:38
  • My question was in regards to all three, hence the Lambda function kicking back an error within the Python code in regards to the Paramiko line. This does not necessarily mean that's the only thing that could have gone wrong, hence why it was also tagged with amazon-web-services as well as amazon-ec2. – DataDog Aug 20 '18 at 18:18
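The accepted answer comes down to checking whether the instance's security group actually admits TCP/22 from where the Lambda connects. The following is an added example (not code from the question or either answer) that evaluates inbound rules in the `IpPermissions` shape returned by EC2 `DescribeSecurityGroups`, answering "can this source reach this port" and flagging rules that expose the port to the whole internet; the rule set and addresses are constructed sample data.

```python
import ipaddress

# Constructed sample in the shape of the IpPermissions list returned by
# EC2 DescribeSecurityGroups (not the asker's real security group).
SAMPLE_RULES = [
    # SSH only from a single trusted address
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    # HTTPS open to everyone
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    # all protocols and ports from inside the VPC
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]

def rule_allows(rule, port, proto="tcp"):
    """True if this inbound rule covers the given port for the protocol."""
    if rule["IpProtocol"] == "-1":      # "-1" means every protocol and port
        return True
    if rule["IpProtocol"] != proto:
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def allowed_sources(rules, port, proto="tcp"):
    """CIDR ranges from which `port` is reachable, in rule order."""
    return [r["CidrIp"] for rule in rules if rule_allows(rule, port, proto)
            for r in rule.get("IpRanges", [])]

def can_reach(rules, source_ip, port, proto="tcp"):
    """Would a connection from source_ip to port pass this security group?
    A False here shows up client-side as exactly the 'Connection timed out'
    in the question, since the group silently drops the SYN."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(cidr, strict=False)
               for cidr in allowed_sources(rules, port, proto))

def too_broad(rules, port, proto="tcp"):
    """Ranges that expose the port to the entire internet (prefix length 0)."""
    return [cidr for cidr in allowed_sources(rules, port, proto)
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0]

if __name__ == "__main__":
    print(can_reach(SAMPLE_RULES, "203.0.113.10", 22))  # True
    print(can_reach(SAMPLE_RULES, "198.51.100.7", 22))  # False: would time out
    print(too_broad(SAMPLE_RULES, 443))                 # ['0.0.0.0/0']
```

With a real group, feed `describe_security_groups(GroupIds=[...])["SecurityGroups"][0]["IpPermissions"]` from boto3 to the same functions; a Lambda that is not in a VPC egresses from a non-fixed public address, which is why the fix tends to widen the rule and why `too_broad` is worth running afterwards.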

Connecting to an EC2 instance from Lambda supports specifying --vpc-config for the connecting Lambda. The subnets and security groups of the EC2 instance must be specified in the vpc-config configuration parameter for Lambda as follows:

--vpc-config SubnetIds=subnet-7cX8eX37,subnet-1X3fX935,SecurityGroupIds=secrgp-l-pocinstance,secgrp-x-geninstance

You can do this using the user interface as well. (Please scroll down.)

[Screenshot: Lambda console VPC configuration section]

After setting these to the same values as the AWS target resource you are trying to access from Lambda, the connection should work.

Hope it helps!
