Daniel Frank

Reputation: 31

AWS Lambda behind VPC times out when communicating with S3 even with endpoint

I have a lambda behind a VPC. When I try to get an S3 object, I get a "connect ETIMEDOUT" error. I set up an Endpoint and still have this problem.

I'm able to get the object if I remove the VPC so I know the VPC is the issue and not permissions.

I had already set up an Internet Gateway to communicate with the outside world (and I've confirmed that that works). Following Stack Overflow and these instructions (https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/), I created an Endpoint to Service "com.amazonaws.us-east-1.s3" with "Full Access" and associated it with the Route Table I had created to get outside-world access.

Screenshot of VPC Gateway Endpoint created

The VPC, the lambda and the S3 are all in the same region. (Lambda and S3 are created via SAM.)

I initially had default AWS and S3 objects. I've tried setting the region for both with no luck.

const AWS = require('aws-sdk'); // AWS SDK for JavaScript v2

// Pin the region on both the global config and the client
AWS.config.update({ region: 'us-east-1' });
const s3 = new AWS.S3({ region: 'us-east-1' });

// srcBucket and srcKey are set earlier in the handler (not shown here)
const s3FileParams = {
  Bucket: srcBucket,
  Key: srcKey,
};
const resp = await s3.getObject(s3FileParams).promise();

I also tried explicitly setting the s3 endpoint as s3 = new AWS.S3({ endpoint: 'https://s3.us-east-1.amazonaws.com' });

Let me know any other information I can provide and thanks in advance.

Upvotes: 1

Views: 998

Answers (2)

Daniel Frank

Reputation: 31

The answer was item 3 in Greg's list above. I switched to a new security group that (for now) allowed all traffic to anything in the outbound rules and that solved my problem. (Now that I know there's a path forward, I can experiment with better outbound rules.)

Thanks to all! (And to the original folk who posted about VPC endpoints in other questions.)

Upvotes: 2

Greg

Reputation: 23473

Requirements for using an S3 Gateway Endpoint:

  • Ensure that the endpoint policy allows the appropriate access to S3. This is required in addition to the Lambda's IAM permissions.
  • Add an entry to the route table(s) used by any subnets needing to use the gateway.
  • Ensure that the Lambda's security group allows outgoing HTTPS traffic to either the internet (0.0.0.0/0) or to the prefix list ID (pl-xxxxxxx) for S3 in your region.
  • You must enable DNS resolution in your VPC. Enable the enableDnsHostnames and enableDnsSupport attributes on the VPC.
  • The S3 buckets being accessed must be in the same region as the VPC.

Upvotes: 2
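Since the question's Lambda and bucket are deployed with SAM, here is an added example (not code from the question or either answer) of a SAM template that wires the five items in Greg's list together in one place: VPC DNS attributes, a route table that the gateway endpoint is attached to, an endpoint policy scoped to a single bucket, a security group whose only egress rule is HTTPS to the S3 prefix list, and a function placed in the VPC with its own S3 read permission. Everything named here is an assumption for illustration: the parameter names `SourceBucketName` and `S3PrefixListId`, the CIDR blocks, the runtime, the handler path and the logical resource names. The S3 prefix list ID for a region can be looked up with `aws ec2 describe-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.us-east-1.s3` and passed in as the parameter.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Illustrative template - Lambda in a VPC reading from S3 via a gateway endpoint

Parameters:
  SourceBucketName:
    Type: String   # assumption: the bucket the function reads from (same region as the stack)
  S3PrefixListId:
    Type: String   # assumption: regional S3 prefix list, e.g. looked up with
                   # aws ec2 describe-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.us-east-1.s3

Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16        # assumption
      EnableDnsSupport: true        # item 4: both DNS attributes must be on
      EnableDnsHostnames: true

  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: 10.0.1.0/24        # assumption

  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc

  PrivateSubnetRouteAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet
      RouteTableId: !Ref PrivateRouteTable

  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref Vpc
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3   # item 5: endpoint is regional
      RouteTableIds:
        - !Ref PrivateRouteTable    # item 2: the endpoint adds a prefix-list route to this table
      PolicyDocument:               # item 1: endpoint policy, narrowed to the one bucket
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action:
              - s3:GetObject
            Resource:
              - !Sub arn:aws:s3:::${SourceBucketName}/*

  LambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Egress limited to HTTPS towards the S3 prefix list
      VpcId: !Ref Vpc
      SecurityGroupEgress:          # item 3: declaring egress replaces the default allow-all rule
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          DestinationPrefixListId: !Ref S3PrefixListId

  ReaderFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: nodejs18.x           # assumption
      Handler: index.handler        # assumption
      CodeUri: ./src                # assumption
      VpcConfig:
        SecurityGroupIds:
          - !Ref LambdaSecurityGroup
        SubnetIds:
          - !Ref PrivateSubnet
      Policies:
        - S3ReadPolicy:             # the function's own IAM grant, required in addition to the endpoint policy
            BucketName: !Ref SourceBucketName
```

Two points worth checking against your own stack: a CloudFormation security group with no `SecurityGroupEgress` block gets an implicit allow-all egress rule, so the moment you add any egress entry (as above) you must include the S3 prefix list or the 443 rule, otherwise you reproduce the `connect ETIMEDOUT` from the question; and the endpoint policy and the function's IAM policy are evaluated independently, so tightening one never loosens the other. A bucket in another region is not reachable through this endpoint at all. The `nodejs18.x` runtime ships AWS SDK v3 only, so the v2 `require('aws-sdk')` code in the question would need to be bundled with the function or the handler moved to v3.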
