When TLS is disabled, I can connect successfully through my Lambda function using the same code as shown here - https://docs.aws.amazon.com/documentdb/latest/developerguide/connect.html#w139aac29c11c13b5b7

However, when I enable TLS and use the TLS-enabled code sample from the above link, my Lambda function times out. I've downloaded the RDS combined CA PEM file through wget and I am deploying the PEM file along with my code to AWS Lambda.

This is the code where my execution stops and times out:

    package main

    import (
        "fmt"
        "log"
        "go.mongodb.org/mongo-driver/mongo"
        "go.mongodb.org/mongo-driver/mongo/options"
    )

    func newClient(secret map[string]string) *mongo.Client { // secret: credentials/host loaded earlier
        caFilePath := "rds-combined-ca-bundle.pem" // deployed alongside the function code
        var connectionStringTemplate = "mongodb://%s:%s@%s:27017/dbname?ssl=true&sslcertificateauthorityfile=%s"
        var connectionURI = fmt.Sprintf(connectionStringTemplate, secret["username"], secret["password"], secret["host"], caFilePath)
        fmt.Println("Connection String", connectionURI) // note: this writes the password to CloudWatch
        client, err := mongo.NewClient(options.Client().ApplyURI(connectionURI)) // builds the client; no connection yet
        if err != nil {
            log.Fatalf("Failed to create client: %v", err)
        }
        return client
    }

I don't see any errors in the CloudWatch logs after the "Connection String" print.

Stennie
CM.
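The question's code never reaches a connection attempt (`mongo.NewClient` only builds the client), so the timeout gives no hint whether the CA bundle, the network path or the handshake is at fault. The following Go program is an added example, not code from the question or from AWS: it parses a CA bundle and fails early if it is empty, then performs one deadline-bounded TLS handshake against an endpoint so that a blocked network path shows up as a context deadline error and a wrong trust root as a verification error. To run offline it constructs a self-signed certificate and a local TLS listener as a stand-in for the cluster endpoint; `secret["host"]` in the closing comment is the question's own naming, everything else is assumed.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// loadCAPool parses a PEM bundle (e.g. the rds-combined-ca-bundle.pem shipped with the
// function) and reports a missing or mis-packaged file instead of a later handshake error.
func loadCAPool(pemData []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemData) {
		return nil, errors.New("CA bundle contains no PEM certificates")
	}
	return pool, nil
}

// tlsProbe completes a TLS handshake with addr ("host:port") using pool as the only trust
// root, bounded by the context deadline; a blocked subnet/security group path therefore
// returns a deadline error rather than silently consuming the Lambda timeout.
func tlsProbe(ctx context.Context, addr string, pool *x509.CertPool) error {
	d := &tls.Dialer{Config: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
	conn, err := d.DialContext(ctx, "tcp", addr)
	if err != nil {
		return fmt.Errorf("TLS handshake with %s failed: %w", addr, err)
	}
	return conn.Close()
}

// selfSignedCert builds a throwaway certificate (constructed for this demo) that stands in
// for the cluster's certificate; the returned PEM plays the role of the CA bundle.
func selfSignedCert(ip net.IP) (tls.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "docdb-demo"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:           []net.IP{ip},
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pemBytes, nil
}

// serveOnce starts a local TLS listener presenting cert, serves one handshake in the
// background and returns the address to probe (the constructed stand-in for the cluster).
func serveOnce(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() {
		defer ln.Close()
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // drive the handshake so the client sees its outcome
			c.Close()
		}
	}()
	return ln.Addr().String(), nil
}

func main() {
	cert, pemBytes, err := selfSignedCert(net.ParseIP("127.0.0.1"))
	if err != nil {
		panic(err)
	}
	pool, err := loadCAPool(pemBytes)
	if err != nil {
		panic(err)
	}
	addr, err := serveOnce(cert)
	if err != nil {
		panic(err)
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	fmt.Println("probe with trusted bundle:", tlsProbe(ctx, addr, pool))
	// Against the real cluster: pool from os.ReadFile("rds-combined-ca-bundle.pem"),
	// addr = secret["host"] + ":27017", ctx derived from the Lambda handler's context.
}
```

Once the probe succeeds, the same pool can be handed to the driver with `options.Client().ApplyURI(uri).SetTLSConfig(&tls.Config{RootCAs: pool})`, followed by `mongo.Connect(ctx, opts)` and `client.Ping(ctx, nil)` under the same deadline, so the handler logs a concrete error instead of timing out. Printing the connection URI, as the question's code does, writes the database password to CloudWatch; log the host and the error only.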

2 Answers

I suspect it's an issue with your VPC design.

Connecting to an Amazon DocumentDB Cluster from Outside an Amazon VPC; check the last paragraph:

https://docs.aws.amazon.com/documentdb/latest/developerguide/connect-from-outside-a-vpc.html

Also, the link below gives detailed instructions:

https://blog.webiny.com/connecting-to-aws-documentdb-from-a-lambda-function-2b666c9e4402

AWS PS
  • If VPC is the case, shouldn't it fail when I connect without TLS enabled? I can connect to DocumentDB when TLS is disabled. – CM. Jan 02 '20 at 21:22
  • I understand you can connect with no TLS; try running `mongo --sslAllowInvalidHostnames --ssl --sslCAFile rds-combined-ca-bundle.pem --username --password` – AWS PS Jan 02 '20 at 21:25
  • Sorry, this is a test connection without Lambda, to make sure it's not Lambda related, if you have a mongo client. – AWS PS Jan 02 '20 at 21:39
  • Yes, I am able to connect from another client to the DocumentDB cluster with TLS. It is Lambda related, and I can only connect from Lambda when TLS is disabled. – CM. Jan 02 '20 at 21:54
Can you try creating a Lambda test function using Python and see if you're having the issue?

    import pymongo
    import sys

    ##Create a MongoDB client, open a connection to Amazon DocumentDB as a replica set and specify the read preference as secondary preferred
    client = pymongo.MongoClient('mongodb://<dbusername>:<dbpassword>@mycluster.node.us-east-1.docdb.amazonaws.com:27017/?ssl=true&ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0&readPreference=secondaryPreferred')

    ##Specify the database to be used
    db = client.test

    ##Specify the collection to be used
    col = db.myTestCollection

    ##Insert a single document
    col.insert_one({'hello':'Amazon DocumentDB'})

    ##Find the document that was previously written
    x = col.find_one({'hello':'Amazon DocumentDB'})

    ##Print the result to the screen
    print(x)

    ##Close the connection
    client.close()
AWS PS