3

I'm facing one of these "AWS Lambda node.js timeout when trying to access DynamoDB" issues, but the symptoms appear different and the solutions I found don't solve this issue.

Timeout is set to 5min, memory is set to 128MB but doesn't exceed 30MB usage.
IAM policies for the role are:

  • AWSLambdaFullAccess
  • AmazonDynamoDBFullAccess
  • AWSLambdaVPCAccessExecutionRole

The default VPC has 7 security groups and includes the default security group with:

  • Inbound: All Traffic, All protocol, All port range,
  • Outbound: All Traffic, All protocol, All port range, 0.0.0.0/0

Here is the code:

var aws = require('aws-sdk');

exports.handler = function(event, context) {
  var dynamo = new aws.DynamoDB();

  dynamo.listTables(function(err, data) {
    if (err) {
      context.fail('Failed miserably:' + err.stack);
    } else {
      context.succeed('Function Finished! Data :' + data.TableNames);
    }
  });
};

And the Outcome:

START RequestId: 5d2a0294-fb6d-11e6-989a-edaa5cb75cba Version: $LATEST
END RequestId: 5d2a0294-fb6d-11e6-989a-edaa5cb75cba
REPORT RequestId: 5d2a0294-fb6d-11e6-989a-edaa5cb75cba  Duration: 300000.91 ms  Billed Duration: 300000 ms  Memory Size: 128 MB Max Memory Used: 21 MB  
2017-02-25T15:21:21.778Z 5d2a0294-fb6d-11e6-989a-edaa5cb75cba Task timed out after 300.00 seconds

The related node.js version issue solved here doesn't work for me and returns a "ReferenceError: https is not defined at exports.handler (/var/task/index.js:6:16)". Also AWS has deprecated version 0.10.
Here is the code with the https reference:

var aws = require('aws-sdk');

exports.handler = function(event, context) {
  var dynamo = new aws.DynamoDB({
  httpOptions: {
    agent: new https.Agent({
      rejectUnauthorized: true,
      secureProtocol: "TLSv1_method",
      ciphers: "ALL"
    })
  }
});

  dynamo.listTables(function(err, data) {
    if (err) {
      context.fail('Failed miserably:' + err.stack);
    } else {
      context.succeed('Function Finished! Data :' + data.TableNames);
    }
  });
};

Outcome:

START RequestId: 6dfd3db7-fae0-11e6-ba81-a52f5fc3c3eb Version: $LATEST
2017-02-24T22:27:31.010Z    6dfd3db7-fae0-11e6-ba81-a52f5fc3c3eb    ReferenceError: https is not defined
    at exports.handler (/var/task/index.js:6:16)
END RequestId: 6dfd3db7-fae0-11e6-ba81-a52f5fc3c3eb
REPORT RequestId: 6dfd3db7-fae0-11e6-ba81-a52f5fc3c3eb  Duration: 81.00 ms  Billed Duration: 100 ms     Memory Size: 128 MB Max Memory Used: 26 MB  
RequestId: 6dfd3db7-fae0-11e6-ba81-a52f5fc3c3eb Process exited before completing request

With a timeout set to 5min I can't believe that AWS wouldn't be able to return the list of tables in the allocated timeframe and permission issues typically appear in the logs.

Thanks for looking into this.

6
  • Update: using "No VPC" allows for proper completion so it is definitely a VPC issue: START RequestId: 11930536-fb72-11e6-a386-25115dc82eee Version: $LATEST END RequestId: 11930536-fb72-11e6-a386-25115dc82eee REPORT RequestId: 11930536-fb72-11e6-a386-25115dc82eee Duration: 978.54 ms Billed Duration: 1000 ms Memory Size: 128 MB Max Memory Used: 28 MB How can I troubleshoot the VPC mis-configurations? Commented Feb 25, 2017 at 15:52
  • Obviously the VPC is your real issue, but regarding the https is not defined issue, you just need to add var https = require('https') to the top of your file. Commented Feb 25, 2017 at 16:20
  • 1
    Does the VPC that you're running this Lambda function in have a NAT gateway? Can instances in your selected VPC & subnet that only have private IPs actually route to the internet? Commented Feb 25, 2017 at 16:27
  • Thanks @idbehold; I'll try that. Commented Feb 25, 2017 at 20:15
  • @jarmod: there is no NAT. Would I simply need a NAT to the internet? Commented Feb 25, 2017 at 20:18

2 Answers

3

I guess your Lambda is in a private subnet. In this case, by default your Lambda will not have outbound internet access. You need to create a NAT Gateway or NAT Instance to let VPC-protected resources access the outside Internet. The DynamoDB API is on the outside Internet from the VPC's point of view.


3

You no longer need to create a NAT gateway/instance.

You can create a VPC Endpoint for DynamoDB, which will allow Lambda in the private subnet to access DynamoDB. Create an endpoint in your VPC that aligns to the VPC/subnet setup you have for Lambda and you will have no issues with access.

You can limit access to specific services or resources.

https://aws.amazon.com/blogs/aws/new-vpc-endpoints-for-dynamodb/

This can be done for any global AWS service, S3, etc.
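The endpoint approach from this answer, as an added example that is not part of the original answer: it builds the request for the aws-sdk v2 `EC2.createVpcEndpoint` call with an endpoint policy limited to named tables and actions. The region, VPC ID, route table ID, account ID and table name are constructed placeholders, and `buildEndpointPolicy`, `buildEndpointParams` and `createEndpoint` are hypothetical helper names.

```javascript
// ListTables has no table-level resource, so it must be granted on "*";
// every other action is pinned to the given table ARNs.
function buildEndpointPolicy(tableArns, actions) {
  const scoped = actions.filter((a) => a !== 'dynamodb:ListTables');
  const statements = [];
  if (scoped.length > 0) {
    statements.push({ Effect: 'Allow', Principal: '*', Action: scoped, Resource: tableArns });
  }
  if (actions.includes('dynamodb:ListTables')) {
    statements.push({ Effect: 'Allow', Principal: '*', Action: ['dynamodb:ListTables'], Resource: '*' });
  }
  if (statements.length === 0) throw new Error('endpoint policy would allow nothing');
  return { Version: '2012-10-17', Statement: statements };
}

// Parameters for EC2 createVpcEndpoint. A DynamoDB endpoint is a Gateway
// endpoint: it works by adding a route to each listed route table, so the
// route tables must be the ones attached to the Lambda function's subnets.
function buildEndpointParams(opts) {
  if (!/^vpc-[0-9a-f]+$/.test(opts.vpcId)) throw new Error('bad VPC id: ' + opts.vpcId);
  if (!opts.routeTableIds || opts.routeTableIds.length === 0) {
    throw new Error('no route tables: the endpoint would be unreachable from the subnets');
  }
  return {
    VpcId: opts.vpcId,
    VpcEndpointType: 'Gateway',
    ServiceName: 'com.amazonaws.' + opts.region + '.dynamodb',
    RouteTableIds: opts.routeTableIds,
    PolicyDocument: JSON.stringify(buildEndpointPolicy(opts.tableArns, opts.actions)),
  };
}

// Sends the request. Needs aws-sdk (v2) and credentials allowed to call
// ec2:CreateVpcEndpoint; not invoked here so the block runs offline.
function createEndpoint(region, params) {
  const aws = require('aws-sdk');
  return new aws.EC2({ region: region }).createVpcEndpoint(params).promise();
}

// Constructed sample values (not from the question's account).
const exampleParams = buildEndpointParams({
  region: 'us-east-1',
  vpcId: 'vpc-0123456789abcdef0',
  routeTableIds: ['rtb-0123456789abcdef0'],
  tableArns: ['arn:aws:dynamodb:us-east-1:111122223333:table/ExampleTable'],
  actions: ['dynamodb:ListTables', 'dynamodb:GetItem', 'dynamodb:Query'],
});
console.log(JSON.stringify(exampleParams, null, 2));
```

The endpoint policy only caps what can pass through the endpoint; the function's IAM role still has to allow the same actions, and it can be narrowed to match instead of using a full-access managed policy.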
