"get_secret_value" timeout in lambda in VPC, even though lambda is connected to internet

Question

def get_secret():
    secret_name = "--secret-name-here--"
    region_name = "--region-here--"

    # Create a Secrets Manager client
    session = boto3.session.Session()
    print("B")
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )
    print(client)
    # In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
    # See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
    # We rethrow the exception by default.

    try:
        print("D")
        get_secret_value_response = client.get_secret_value(
            SecretId=secret_name
        )
        print("E")

I'm trying to access a secret in SecretsManager from a lambda that's within a VPC. The lambda has been configured with a NAT gateway so it is able to reach the public internet. I've tested this with a requests.get call.

client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )

This part runs just fine and I get back a SecretsManager client. However...

get_secret_value_response = client.get_secret_value(
            SecretId=secret_name
        )

This section times out. The lambda has these permissions: GetSecretValue, DescribeSecret, ListSecretVersionIds on the relevant resource, so I'm not sure what's going on. Any help is appreciated!

Answer 1

A Lambda function in a VPC does not have Internet access, because it is never assigned a public IP. The AWS SecretsManager API is on the public Internet, not in your VPC, so by default your Lambda function in a VPC can't access AWS SecretsManager.

You have two options:

• Only deploy the Lambda function in VPC subnets that have a route to a NAT Gateway.
• Add a SecretsManager VPC endpoint to your VPC.