Parameter Store request timing out inside of AWS Lambda
I'm attempting to access the AWS SSM Parameter store, like this article does. I have tested the lambda function locally and it works as expected. When pushed to AWS, however, the lambda fails when attempting to retrieve the config; it times out:
{
    "errorMessage": "2018-09-02T04:55:49.096Z 71a5006a-ae6c-11e8-9322-313ba5e28048 Task timed out after 6.01 seconds"
}
I have the following permissions added to my serverless.yml. I have made it as unrestricted as possible to try to find where the error is. Additionally, the parameter is just a string, so it does not use KMS.
service: pwaer-messages-service
provider:
  name: aws
  runtime: nodejs8.10
  vpc:
    securityGroupIds:
      - sg-222f126f
    subnetIds:
      - subnet-756aef12
      - subnet-130f8f3d
  environment:
    NODE_ENV: ${opt:stage, 'dev'}
  iamRoleStatements:
    - Effect: 'Allow'
      Action: 'ssm:**'
      Resource:
        - 'Fn::Join':
          - ':'
          -
            - 'arn:aws:ssm'
            - Ref: 'AWS::Region'
            - Ref: 'AWS::AccountId'
            - 'parameter/*'
functions:
  receiveText:
    handler: dist/receive.handler
    events:
      - http:
          path: sms/parse
          method: post
What am I missing?
Solution 1:[1]
Since the mentioned Lambda doesn't have access to the public internet, to access AWS APIs please set up a VPC endpoint.
As per the description - "VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services".
For AWS Systems Manager follow this procedure - Setting Up VPC Endpoints for Systems Manager
Solution 2:[2]
This will happen if your Lambda is in a VPC. You need to do two things:
- Expose the aws ssm service as a VPC Endpoint (see @Lech Migdal's answer)
- The security group for the VPC Endpoint must be associated with the security group of the lambda (or service) you wish to allow connectivity for
- Add a self ingress rule for port 443 to the lambda's security group
CDK Example
// LambdaSecurityGroup and S3IndexLambdasSecurityGroup are CfnSecurityGroup constructs
// defined elsewhere in the stack; the rule below lets members of the Lambda's security
// group reach each other on tcp/443, which is what the shared SG on the VPC endpoint needs.
const LambdaSecurityGroupIngressRule = new ec2.CfnSecurityGroupIngress(this, "LambdaSecurityGroupIngressRule", {
  groupId: LambdaSecurityGroup.attrGroupId,
  sourceSecurityGroupId: LambdaSecurityGroup.attrGroupId, // self-referencing rule
  description: "Needed to connect to parameter store from lambda in VPC",
  fromPort: 443,
  ipProtocol: "tcp",
  toPort: 443
})
// make sure the security group exists before the ingress rule is created
LambdaSecurityGroupIngressRule.addDependsOn(S3IndexLambdasSecurityGroup)
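Both answers boil down to three conditions that have to hold before a Lambda in a VPC can reach Parameter Store: an Interface endpoint for the SSM service exists in the VPC, its ENIs sit in (or cover the Availability Zones of) the Lambda's subnets, and the endpoint's security group accepts tcp/443 from the Lambda's security group. The check below is an added example, not code from the question or either answer. It is plain Node.js with no AWS SDK calls: the fixtures are constructed to mirror the shape of EC2 `DescribeVpcEndpoints` and `DescribeSecurityGroups` responses, using the subnet and security-group ids from the serverless.yml above; the region `eu-west-1` and the endpoint id `vpce-0123example` are assumptions. Pointing the same function at real SDK output is the only change needed to use it for a live diagnosis.

```javascript
// Reachability check for an SSM Interface VPC endpoint from a Lambda in a VPC.
// Added example; all data below is constructed, not taken from a real account.

const REGION = "eu-west-1"; // assumption: region of the constructed fixtures

// The Lambda's VPC configuration, as declared in the serverless.yml in the question.
const lambdaVpcConfig = {
  securityGroupIds: ["sg-222f126f"],
  subnetIds: ["subnet-756aef12", "subnet-130f8f3d"],
};

// Constructed DescribeVpcEndpoints-shaped fixtures: the questioner's state (no endpoint)
// and the state after following the answers (endpoint sharing the Lambda's SG).
const endpointsBroken = [];
const endpointsFixed = [{
  VpcEndpointId: "vpce-0123example",                 // assumed id
  ServiceName: `com.amazonaws.${REGION}.ssm`,
  VpcEndpointType: "Interface",
  State: "available",
  SubnetIds: ["subnet-756aef12", "subnet-130f8f3d"],
  Groups: [{ GroupId: "sg-222f126f" }],
  PrivateDnsEnabled: true,
}];

// Constructed DescribeSecurityGroups-shaped fixtures: the Lambda's SG without any
// ingress, and the same SG after the self-referencing tcp/443 rule from Solution 2.
const sgNoIngress = [{ GroupId: "sg-222f126f", IpPermissions: [] }];
const sgSelfIngress443 = [{
  GroupId: "sg-222f126f",
  IpPermissions: [{
    IpProtocol: "tcp", FromPort: 443, ToPort: 443,
    UserIdGroupPairs: [{ GroupId: "sg-222f126f" }],
    IpRanges: [], Ipv6Ranges: [],
  }],
}];

// True if one ingress rule lets tcp/443 in from any of the given source SGs
// (or from anywhere, which also works but is broader than needed).
function ruleAllows443From(rule, sourceSgIds) {
  const allProto = rule.IpProtocol === "-1";
  const protoOk = allProto || rule.IpProtocol === "tcp";
  const portOk = allProto || (rule.FromPort <= 443 && rule.ToPort >= 443);
  const fromSg = (rule.UserIdGroupPairs || []).some((p) => sourceSgIds.includes(p.GroupId));
  const fromAnyV4 = (rule.IpRanges || []).some((r) => r.CidrIp === "0.0.0.0/0");
  const fromAnyV6 = (rule.Ipv6Ranges || []).some((r) => r.CidrIpv6 === "::/0");
  return protoOk && portOk && (fromSg || fromAnyV4 || fromAnyV6);
}

// Returns { reachable, errors, warnings }. Errors block connectivity outright;
// warnings need a human to confirm (AZ coverage, DNS behaviour).
function checkSsmEndpointReachability(region, lambdaCfg, endpoints, securityGroups) {
  const errors = [];
  const warnings = [];
  const serviceName = `com.amazonaws.${region}.ssm`;
  const ep = endpoints.find(
    (e) => e.ServiceName === serviceName && e.VpcEndpointType === "Interface");
  if (!ep) {
    errors.push(`no Interface VPC endpoint for ${serviceName} in this VPC`);
    return { reachable: false, errors, warnings };
  }
  if (ep.State !== "available") {
    errors.push(`endpoint ${ep.VpcEndpointId} is in state ${ep.State}`);
  }
  if (ep.PrivateDnsEnabled !== true) {
    warnings.push("private DNS is disabled: the SDK's default ssm hostname will not " +
      "resolve to the endpoint unless the endpoint-specific DNS name is configured");
  }
  const uncovered = lambdaCfg.subnetIds.filter((s) => !ep.SubnetIds.includes(s));
  if (uncovered.length > 0) {
    warnings.push(`endpoint has no ENI in Lambda subnet(s) ${uncovered.join(", ")}; ` +
      "confirm it covers those subnets' Availability Zones");
  }
  const sgById = new Map(securityGroups.map((g) => [g.GroupId, g]));
  const endpointSgIds = ep.Groups.map((g) => g.GroupId);
  const allows = endpointSgIds.some((id) => {
    const g = sgById.get(id);
    return g && g.IpPermissions.some((r) => ruleAllows443From(r, lambdaCfg.securityGroupIds));
  });
  if (!allows) {
    errors.push(`none of the endpoint's security groups (${endpointSgIds.join(", ")}) ` +
      `allow tcp/443 from the Lambda's security groups (${lambdaCfg.securityGroupIds.join(", ")})`);
  }
  return { reachable: errors.length === 0, errors, warnings };
}

// Walk the three states a reader of this thread goes through.
const scenarios = {
  asAsked: checkSsmEndpointReachability(REGION, lambdaVpcConfig, endpointsBroken, sgNoIngress),
  endpointOnly: checkSsmEndpointReachability(REGION, lambdaVpcConfig, endpointsFixed, sgNoIngress),
  endpointAndSelfIngress: checkSsmEndpointReachability(REGION, lambdaVpcConfig, endpointsFixed, sgSelfIngress443),
};
console.log(JSON.stringify(scenarios, null, 2));
```

The middle scenario is the one that catches people after reading only Solution 1: the endpoint exists, but because it shares the Lambda's security group and that group has no inbound rule, the ENI drops the TLS handshake and the SDK call hangs until the function timeout fires, which is exactly the symptom in the question.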
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Lech Migdal |
| Solution 2 | |
