
My Lambda is located in a VPC (I can access the Redis that is inside the VPC), but I also need to access SSM getParameter, and I get a timeout exception.

Code: ※ It used to work until I put it inside the VPC.

```java
import java.net.URI;
import java.time.Duration;

import software.amazon.awssdk.core.client.config.ClientOverrideConfiguration;
import software.amazon.awssdk.services.ssm.SsmClient;
import software.amazon.awssdk.services.ssm.model.GetParameterRequest;
import software.amazon.awssdk.services.ssm.model.GetParameterResponse;

// Method wrapper added so the fragment compiles; the name is illustrative.
String readParameter(String key) {
    // Fail fast (5 s) instead of hanging for the whole Lambda timeout.
    final ClientOverrideConfiguration configuration = ClientOverrideConfiguration.builder()
            .apiCallTimeout(Duration.ofSeconds(5L))
            .apiCallAttemptTimeout(Duration.ofSeconds(5L))
            .build();
    // Endpoint URL overridden to point at the VPC endpoint.
    final SsmClient ssmClient = SsmClient.builder()
            .overrideConfiguration(configuration)
            .endpointOverride(URI.create("https://my-endpoint-here.amazonaws.com"))
            .build();
    final GetParameterRequest request = GetParameterRequest.builder()
            .name(key)
            .build();
    final GetParameterResponse response = ssmClient.getParameter(request);
    return response.parameter().value();
}
```

Exception:

```
software.amazon.awssdk.core.exception.ApiCallTimeoutException: Client execution did not complete before the specified timeout configuration: 5000 millis
    at software.amazon.awssdk.core.exception.ApiCallTimeoutException$BuilderImpl.build(ApiCallTimeoutException.java:106)
    at software.amazon.awssdk.core.exception.ApiCallTimeoutException.create(ApiCallTimeoutException.java:38)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.generateApiCallTimeoutException(ApiCallTimeoutTrackingStage.java:156)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.handleInterruptedException(ApiCallTimeoutTrackingStage.java:144)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.translatePipelineException(ApiCallTimeoutTrackingStage.java:109)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.execute(ApiCallTimeoutTrackingStage.java:64)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.execute(ApiCallTimeoutTrackingStage.java:43)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallMetricCollectionStage.execute(ApiCallMetricCollectionStage.java:50)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallMetricCollectionStage.execute(ApiCallMetricCollectionStage.java:32)
    at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
    at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ExecutionFailureExceptionReportingStage.execute(ExecutionFailureExceptionReportingStage.java:37)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ExecutionFailureExceptionReportingStage.execute(ExecutionFailureExceptionReportingStage.java:26)
    at software.amazon.awssdk.core.internal.http.AmazonSyncHttpClient$RequestExecutionBuilderImpl.execute(AmazonSyncHttpClient.java:210)
    at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.invoke(BaseSyncClientHandler.java:103)
    at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.doExecute(BaseSyncClientHandler.java:173)
    at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:80)
    at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:182)
    at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:74)
    at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45)
    at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:53)
    at software.amazon.awssdk.services.ssm.DefaultSsmClient.getParameter(DefaultSsmClient.java:6325)
```

I have created:

  • security group for the Lambda
  • endpoint for com.amazonaws.ap-northeast-1.ssm and com.amazonaws.ap-northeast-1.ssmmessages
  • assigned the Lambda security group to the endpoint
  • used the overridden URL for the SSM client

But still there is the timeout exception, and I have no idea what else needs to be checked or configured. It says that it is possible to solve it without any NAT configuration, but is it true? Is the endpoint within the VPC enough?

Comment:

You only need the SSM endpoint; you should not use a different URL. You should have a security group on the endpoint that allows 443 access, either from anywhere or from your Lambda, but you should not just use the Lambda security group itself. The Lambda SG needs to allow outbound requests; the endpoint needs to allow inbound ones. (Commented May 7 at 9:40)

1 Answer


@luk2302, thanks for the response. I have solved the access issue by adding the Lambda security group to the inbound rules of another security group inside the SSM Endpoint (VPC -> Endpoints -> SSM Endpoint -> Security groups).

And changed the declaration of the SSM client as follows:

```java
import software.amazon.awssdk.services.ssm.SsmClient;

// No endpointOverride: the client uses the default regional SSM endpoint.
private static final SsmClient ssmClient = SsmClient.create();
```
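As an added example, not part of the question or the answer: a small Python checker that encodes the conditions from the comment and the answer as checks over data shaped like what boto3's `describe_vpc_endpoints` and `describe_security_groups` return (an Interface endpoint for `com.amazonaws.ap-northeast-1.ssm` in the Lambda's VPC with private DNS enabled, a security group on the endpoint that admits TCP/443 from the Lambda's security group, and an outbound TCP/443 rule on the Lambda's group). All identifiers and both sample configurations are constructed; the "before" case mirrors the question's setup (the Lambda's own group attached directly to the endpoint, with no inbound rule) and the "after" case the answer's fix (a separate endpoint group with an inbound rule from the Lambda group). The private-DNS check is what makes the answer's `SsmClient.create()` work: with it on, the regional hostname resolves to the endpoint ENI from inside the VPC.

```python
from typing import Dict, List, Optional

# Constructed identifiers for the example (not from the question).
REGION = "ap-northeast-1"
SSM_SERVICE = f"com.amazonaws.{REGION}.ssm"
VPC_ID = "vpc-0example"
LAMBDA_SG = "sg-0lambda"
ENDPOINT_SG = "sg-0ssmendpoint"


def rule_covers_443(rule: Dict, peer_sg: Optional[str]) -> bool:
    """True if a security-group rule (boto3 IpPermissions shape) covers TCP/443
    to/from `peer_sg` or to/from anywhere. Ingress and egress rules share this
    structure, so the same test serves both directions."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all traffic
        port_ok = True
    elif proto == "tcp":
        port_ok = rule.get("FromPort", -1) <= 443 <= rule.get("ToPort", -1)
    else:
        return False
    if not port_ok:
        return False
    anywhere = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
    peer = any(p.get("GroupId") == peer_sg for p in rule.get("UserIdGroupPairs", []))
    return anywhere or peer


def diagnose(endpoint: Dict, groups: Dict[str, Dict], lambda_sg: str, lambda_vpc: str) -> List[str]:
    """Return findings for the Lambda -> VPC endpoint -> SSM path; an empty list
    means GetParameter should reach SSM without any NAT."""
    findings: List[str] = []
    if endpoint.get("ServiceName") != SSM_SERVICE:
        findings.append(f"endpoint is for {endpoint.get('ServiceName')}, not {SSM_SERVICE}")
    if endpoint.get("VpcEndpointType") != "Interface":
        findings.append("SSM needs an Interface endpoint (Gateway endpoints exist only for S3 and DynamoDB)")
    if endpoint.get("VpcId") != lambda_vpc:
        findings.append("endpoint is in a different VPC than the Lambda")
    if not endpoint.get("PrivateDnsEnabled"):
        findings.append(f"private DNS disabled: ssm.{REGION}.amazonaws.com will not resolve to the endpoint ENI")
    endpoint_sgs = [g["GroupId"] for g in endpoint.get("Groups", [])]
    # Endpoint side: some attached group must admit inbound 443 from the Lambda group.
    if not any(rule_covers_443(r, lambda_sg)
               for sg in endpoint_sgs for r in groups[sg].get("IpPermissions", [])):
        findings.append("no security group on the endpoint allows inbound TCP/443 from the Lambda security group")
    # Lambda side: its group must allow outbound 443 toward the endpoint (or anywhere).
    egress = groups[lambda_sg].get("IpPermissionsEgress", [])
    if not any(rule_covers_443(r, sg) for sg in (endpoint_sgs or [None]) for r in egress):
        findings.append("Lambda security group has no outbound TCP/443 rule toward the endpoint")
    return findings


# --- Constructed sample data ------------------------------------------------
# Lambda group: default egress (all traffic, anywhere) and no inbound rules.
LAMBDA_GROUP = {
    "GroupId": LAMBDA_SG,
    "IpPermissions": [],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
}
# Endpoint group as the answer describes: inbound 443 from the Lambda group only.
ENDPOINT_GROUP = {
    "GroupId": ENDPOINT_SG,
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                       "IpRanges": [], "UserIdGroupPairs": [{"GroupId": LAMBDA_SG}]}],
    "IpPermissionsEgress": [],
}
GROUPS = {LAMBDA_SG: LAMBDA_GROUP, ENDPOINT_SG: ENDPOINT_GROUP}


def endpoint_with(attached_groups: List[str]) -> Dict:
    """Constructed describe_vpc_endpoints-style record with the given groups attached."""
    return {"ServiceName": SSM_SERVICE, "VpcEndpointType": "Interface", "VpcId": VPC_ID,
            "PrivateDnsEnabled": True, "Groups": [{"GroupId": g} for g in attached_groups]}


# Before: only the Lambda group is attached to the endpoint (the question's setup).
# That group has no inbound rule, so the endpoint ENI drops the TLS connection
# and the SDK surfaces it as ApiCallTimeoutException.
BEFORE = diagnose(endpoint_with([LAMBDA_SG]), GROUPS, LAMBDA_SG, VPC_ID)
# After: a dedicated endpoint group that admits TCP/443 from the Lambda group.
AFTER = diagnose(endpoint_with([ENDPOINT_SG]), GROUPS, LAMBDA_SG, VPC_ID)

if __name__ == "__main__":
    for label, findings in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", findings or ["OK: endpoint path complete, no NAT needed"])
```

To run it against a real account, replace the constructed records with the output of `describe_vpc_endpoints` (filtered on the SSM service name) and `describe_security_groups` for the groups it references plus the Lambda's own group; the check logic stays the same.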