Skip to main content
AI Assist is now on Stack Overflow. Start a chat to get instant answers from across the network. Sign up to save and share your chats.

Return to Question

edited tags
Link
John Rotenstein
John Rotenstein
  • 272.9k
  • 28
  • 456
  • 541
Source Link
Mihails Kuzmins
Mihails Kuzmins
  • 81
  • 6

AWS: cannot connect to SSM from Lambda inside VPC

My Lambda is located in VPC (I can access Redis that is inside VPC), but I also need to access SSM - getParameter, but I get a timeout exception.

Code: ※ It used to work until I put it inside the VPC.

final ClientOverrideConfiguration configuration = ClientOverrideConfiguration.builder() .apiCallTimeout(Duration.ofSeconds(5L)) .apiCallAttemptTimeout(Duration.ofSeconds(5L)) .build(); final SsmClient ssmClient = SsmClient.builder() .overrideConfiguration(configuration) .endpointOverride(URI.create("https://my-endpoint-here.amazonaws.com")) .build(); final GetParameterRequest request = GetParameterRequest.builder() .name(key) .build(); final GetParameterResponse response = ssmClient.getParameter(request); return response.parameter().value();

Exception:

software.amazon.awssdk.core.exception.ApiCallTimeoutException: Client execution did not complete before the specified timeout configuration: 5000 millis at software.amazon.awssdk.core.exception.ApiCallTimeoutException$BuilderImpl.build(ApiCallTimeoutException.java:106) at software.amazon.awssdk.core.exception.ApiCallTimeoutException.create(ApiCallTimeoutException.java:38) at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.generateApiCallTimeoutException(ApiCallTimeoutTrackingStage.java:156) at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.handleInterruptedException(ApiCallTimeoutTrackingStage.java:144) at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.translatePipelineException(ApiCallTimeoutTrackingStage.java:109) at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.execute(ApiCallTimeoutTrackingStage.java:64) at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.execute(ApiCallTimeoutTrackingStage.java:43) at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallMetricCollectionStage.execute(ApiCallMetricCollectionStage.java:50) at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallMetricCollectionStage.execute(ApiCallMetricCollectionStage.java:32) at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206) at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206) at software.amazon.awssdk.core.internal.http.pipeline.stages.ExecutionFailureExceptionReportingStage.execute(ExecutionFailureExceptionReportingStage.java:37) at software.amazon.awssdk.core.internal.http.pipeline.stages.ExecutionFailureExceptionReportingStage.execute(ExecutionFailureExceptionReportingStage.java:26) at software.amazon.awssdk.core.internal.http.AmazonSyncHttpClient$RequestExecutionBuilderImpl.execute(AmazonSyncHttpClient.java:210) at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.invoke(BaseSyncClientHandler.java:103) at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.doExecute(BaseSyncClientHandler.java:173) at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:80) at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:182) at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:74) at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45) at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:53) at software.amazon.awssdk.services.ssm.DefaultSsmClient.getParameter(DefaultSsmClient.java:6325)

I have created:

  • security group for the Lambda
  • endpoint for com.amazonaws.ap-northeast-1.ssm and com.amazonaws.ap-northeast-1.ssmmessages
  • assigned the Lambda security group to the endpoint
  • used the overridden URL for the SSM client

But still, there is the timeout exception, and I have no idea what else needs to be checked or configured. It says that it is possible to solve it without any NAT configurations, but is it true? Is the endpoint withing VPC enough?