Medartus

Reputation: 35

Lambda can't execute putjobSuccess for CodePipeline inside a VPC

I'm trying to create a Lambda function that works with CodePipeline. The issue is that it can't send the job success info to CodePipeline. I'm using the JavaScript aws-sdk, and the function putJobSuccessResult from the AWS.CodePipeline object doesn't execute fine in production.

const AWS = require('aws-sdk');

const codepipeline = new AWS.CodePipeline();

exports.config = (event, context) => {
  // Retrieve the Job ID from the Lambda action
  const jobId = event['CodePipeline.job'].id;

  return codepipeline.putJobSuccessResult({ jobId }).promise();
};

This code works fine locally when I put the jobId of my pipeline, but when I upload the code on the AWS Console and run the pipeline, it doesn't work anymore.

Here is the IAM Configuration for the Lambda specific to CodePipeline part:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "codepipeline:PutJobSuccessResult",
                "codepipeline:PutJobFailureResult"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Do you have any ideas about why it doesn't work on the cloud?

Upvotes: 3

Views: 677

Answers (1)

Marcin

Reputation: 238727

A very likely reason why your Lambda in a VPC times out is that it has no internet access, since it does not have a public IP. From the docs:

Connect your function to private subnets to access private resources. If your function needs internet access, use NAT. Connecting a function to a public subnet does not give it internet access or a public IP address.

To rectify the issue, the following should be checked:

  • is lambda in a private subnet
  • is there a NAT gateway/instance in a public subnet
  • are route tables correctly configured from private subnet to the NAT device to enable internet access

Alternatively, you can consider using (or check whether there already exists) a VPC interface endpoint for CodePipeline. The interface, if correctly set up, can enable access to CodePipeline from the Lambda function without internet.

Upvotes: 2
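
The checklist in the answer above, written as an added example that is not part of the original thread: it classifies how a Lambda subnet can reach the CodePipeline API, given the route tables and VPC endpoints of the function's VPC. The function names, result labels and sample IDs are assumptions made for illustration, and a default route with `InstanceId` is assumed to point at a NAT instance.

```javascript
// Added example. Inputs follow the response shapes of EC2 DescribeRouteTables
// and DescribeVpcEndpoints; every ID below is a constructed sample value.
function routeTableFor(subnetId, routeTables) {
  // An explicit association wins; otherwise the subnet uses the VPC main table.
  return routeTables.find(rt => rt.Associations.some(a => a.SubnetId === subnetId)) ||
         routeTables.find(rt => rt.Associations.some(a => a.Main));
}

function codePipelinePath(subnetId, routeTables, vpcEndpoints, region) {
  // Interface endpoint: private DNS must be on for the SDK's default hostname
  // to resolve to the endpoint's private addresses.
  const service = `com.amazonaws.${region}.codepipeline`;
  const viaEndpoint = vpcEndpoints.some(ep =>
    ep.ServiceName === service && ep.VpcEndpointType === 'Interface' &&
    String(ep.State).toLowerCase() === 'available' && ep.PrivateDnsEnabled);
  if (viaEndpoint) return 'endpoint';

  const table = routeTableFor(subnetId, routeTables);
  const def = table && table.Routes.find(r =>
    r.DestinationCidrBlock === '0.0.0.0/0' && r.State === 'active');
  if (!def) return 'no-route';                       // isolated subnet
  if (def.NatGatewayId || def.InstanceId) return 'nat';
  // Default route to an internet gateway: the Lambda ENI has no public IP,
  // so calls to the public CodePipeline endpoint still time out.
  if ((def.GatewayId || '').startsWith('igw-')) return 'public-subnet';
  return 'no-route';
}

const local = { DestinationCidrBlock: '10.0.0.0/16', GatewayId: 'local', State: 'active' };
const sampleRouteTables = [
  { RouteTableId: 'rtb-main', Associations: [{ Main: true }],
    Routes: [local, { DestinationCidrBlock: '0.0.0.0/0', GatewayId: 'igw-0a1', State: 'active' }] },
  { RouteTableId: 'rtb-private', Associations: [{ Main: false, SubnetId: 'subnet-private' }],
    Routes: [local, { DestinationCidrBlock: '0.0.0.0/0', NatGatewayId: 'nat-0b2', State: 'active' }] },
  { RouteTableId: 'rtb-isolated', Associations: [{ Main: false, SubnetId: 'subnet-isolated' }],
    Routes: [local] },
];
const sampleEndpoint = {
  ServiceName: 'com.amazonaws.eu-west-1.codepipeline', VpcEndpointType: 'Interface',
  State: 'available', PrivateDnsEnabled: true, SubnetIds: ['subnet-isolated'],
};

for (const s of ['subnet-private', 'subnet-public', 'subnet-isolated']) {
  console.log(s, '->', codePipelinePath(s, sampleRouteTables, [], 'eu-west-1'));
}
```

Only `nat` and `endpoint` mean `putJobSuccessResult` can reach CodePipeline; the check does not verify that the NAT device's own subnet routes to an internet gateway.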
