1
votes

My Lambda function needs to connect to RDS using credentials from AWS Secrets Manager. The following are the things I have done:

  1. Created a Lambda function, associated it with a VPC (e.g. VPC 1) and created a separate security group (Lambda-SG).
  2. RDS is also in the same VPC and is accessible from the Lambda function.
  3. Created a VPC endpoint for the Secrets Manager service so that the Lambda function can connect to it.
  4. The Lambda function is not able to connect to AWS Secrets Manager and is getting timed out.

Any resolution will be helpful. If I remove the VPC then it is accessible, but I need the VPC for connecting to the RDS instance. I cannot use a NAT gateway as the cloud environment policy will not allow any Internet connection.

1
Need more details, can you show how you are creating your SSM client in the Lambda? Are you sure both SGs for the SSM endpoint and Lambda have the corresponding egress and ingress rules as well? – Rome_Leader

I am trying to connect to Secrets Manager and not SSM. – BibekSutradhar

    import com.amazonaws.client.builder.AwsClientBuilder;
    import com.amazonaws.services.secretsmanager.AWSSecretsManager;
    import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
    import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;

    // endpoint, region and secretName are defined elsewhere in the poster's function
    AwsClientBuilder.EndpointConfiguration config =
            new AwsClientBuilder.EndpointConfiguration(endpoint, region);
    AWSSecretsManagerClientBuilder clientBuilder = AWSSecretsManagerClientBuilder.standard();
    clientBuilder.setEndpointConfiguration(config);
    AWSSecretsManager client = clientBuilder.build();
    GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest()
            .withSecretId(secretName).withVersionStage("AWSCURRENT");

– BibekSutradhar

When I say SSM I'm referring to the expanded acronym for the service "Simple Systems Manager". Those details would be better formatted/better provided as part of your question, not as a comment. The client/endpoint configuration looks OK, did you also check your security group rules on both sides? – Rome_Leader

Does your endpoint SG allow inbound traffic on the HTTPS port? – Lamanus

1 Answer

0
votes

To troubleshoot this connectivity issue, you can choose the following option:

If you have enabled VPC Flow Logs, then you can trace the VPC flow logs to check which AWS resource is rejecting the network traffic. For VPC flow logs information, please refer to this document from AWS.

Furthermore, check the VPC flow logs of the AWS Lambda's network interface(s). Also, if the traffic is going through a proxy, then check the proxy configurations as well.
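As an added, self-contained example (not part of the answer above or any AWS tooling), here is a small Python script that applies this advice to default-format VPC Flow Log records: it flags REJECTed TCP/443 flows between the Lambda ENI and the Secrets Manager endpoint ENI and says which side's rules to inspect. The account id, ENI ids and IP addresses are constructed sample values.

```python
# Default VPC Flow Log (version 2) record layout, space separated.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample records: Lambda ENI 10.0.1.25, Secrets Manager endpoint
# ENI 10.0.2.40, RDS 10.0.3.15 (every value here is made up for this example).
SAMPLE_LOGS = [
    "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 10.0.2.40 49152 443 6 3 180 1620000000 1620000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 10.0.3.15 49153 5432 6 10 2000 1620000000 1620000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60002 10.0.2.40 10.0.1.25 443 49152 6 2 120 1620000000 1620000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1620000000 1620000060 - NODATA",
]


def parse_flow_log(line):
    """Parse one default-format record; return None for malformed, NODATA or SKIPDATA rows."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log-status"] == "OK" else None


def find_rejected_https(lines, lambda_ips, endpoint_ips):
    """Return (direction, src, dst, eni) for every REJECTed TCP/443 flow
    between the Lambda and endpoint addresses.

    'to-endpoint': the request was dropped. The interface-id says where:
    on the Lambda ENI, check the Lambda SG outbound rules; on the endpoint
    ENI, check the endpoint SG inbound rule for 443. NACLs apply to both.
    'from-endpoint': the reply was dropped. Security groups are stateful
    and would not do this, so look at the subnet NACLs.
    """
    hits = []
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None or rec["action"] != "REJECT" or rec["protocol"] != "6":
            continue  # only rejected TCP flows are interesting here
        src, dst = rec["srcaddr"], rec["dstaddr"]
        if src in lambda_ips and dst in endpoint_ips and rec["dstport"] == "443":
            hits.append(("to-endpoint", src, dst, rec["interface-id"]))
        elif src in endpoint_ips and dst in lambda_ips and rec["srcport"] == "443":
            hits.append(("from-endpoint", src, dst, rec["interface-id"]))
    return hits


if __name__ == "__main__":
    for direction, src, dst, eni in find_rejected_https(SAMPLE_LOGS, {"10.0.1.25"}, {"10.0.2.40"}):
        print(f"{eni}: {src} -> {dst} REJECT ({direction})")
```

Feed it the flow log records for the Lambda ENIs and the endpoint ENIs (for example exported from CloudWatch Logs) in place of the constructed sample.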