
Hi, I have a requirement where a credential needs to be stored in SSM Parameter Store and read by a Lambda function that sits inside a VPC, and all the subnets inside my VPC are public subnets. So when I call SSM Parameter Store using the code below, I get a timed-out error.

const AWS = require('aws-sdk');

AWS.config.update({
  region: 'us-east-1'
});

const parameterStore = new AWS.SSM();

exports.handler = async (event, context) => {
  console.log('calling param store');
  // This call is where the request to the SSM endpoint times out.
  const param = await getParam('/my/param/name');
  console.log('param : ', param);

  // Send API response
  return {
    statusCode: '200',
    body: JSON.stringify('able to connect to param store'),
    headers: {
      'Content-Type': 'application/json',
    },
  };
};

// Wraps the callback-style SSM.getParameter call in a Promise so it can be awaited.
const getParam = param => {
  return new Promise((res, rej) => {
    parameterStore.getParameter({
      Name: param
    }, (err, data) => {
      if (err) {
        return rej(err);
      }
      return res(data);
    });
  });
};

So I created a VPC endpoint for Secrets Manager with Private DNS name enabled.

I am still getting a timed-out error with the above code.

Do I need to change the Lambda code to specify the private DNS endpoint in the Lambda function?

[Image: outbound rules for the subnet NACL]

[Image: outbound rules for the security group]

Comments:

You shouldn't have to change anything in the Lambda function. It sounds like the VPC endpoint is not configured properly, or the security group or NACLs on the subnet don't allow traffic out. (Jason Wadsworth)

Could you double-check that the Lambda and the VPC endpoint are in the same subnet? (jellycsc)

@JasonWadsworth I have updated my question with the NACL and SG outbound rules; please check and suggest if any change is needed. (Priyaranjan Behera)

@jellycsc Yes, the Lambda and VPC endpoint are in all the available subnets inside the VPC, hence both are in the same subnets. (Priyaranjan Behera)

I don't think it's your problem, but you can simplify the code by using .promise() on the getParameter call. That removes the need for you to create a promise from it. I assume you are not hitting the logging line after the getParam call. (Jason Wadsworth)

1 Answer


I managed to fix this issue. The root cause of the problem was that all the subnets were public subnets. Since VPC endpoints are accessed privately without the internet, the subnets associated with the Lambda function should be private subnets.

Here are the steps I took to fix this issue:

  1. Created a NAT Gateway inside the VPC and assigned one Elastic IP to it
  2. Created a new route table and pointed all traffic to the NAT Gateway created in step 1
  3. Attached the new route table to a couple of subnets (which made them private)
  4. Then attached only the private subnets to the Lambda function

Other than this, the IAM role associated with the Lambda function should have the below 2 policies to access SSM Parameter Store:

  • AmazonSSMReadOnlyAccess
  • AWSLambdaVPCAccessExecutionRole
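The answer's fix hinges on telling public subnets (default route to an internet gateway) from private ones (default route to a NAT gateway, or no default route) before attaching them to the Lambda. Below is an added example, not code from the question or answer, that performs that classification over route tables in the shape the EC2 DescribeRouteTables API returns; the route table and subnet IDs are constructed sample data.

```javascript
// Constructed sample route tables in DescribeRouteTables shape (not from a real account).
const sampleRouteTables = [
  {
    RouteTableId: 'rtb-public-example',
    Associations: [{ SubnetId: 'subnet-aaa111' }, { SubnetId: 'subnet-bbb222' }],
    Routes: [
      { DestinationCidrBlock: '10.0.0.0/16', GatewayId: 'local' },
      { DestinationCidrBlock: '0.0.0.0/0', GatewayId: 'igw-example' },
    ],
  },
  {
    RouteTableId: 'rtb-private-example',
    Associations: [{ SubnetId: 'subnet-ccc333' }],
    Routes: [
      { DestinationCidrBlock: '10.0.0.0/16', GatewayId: 'local' },
      { DestinationCidrBlock: '0.0.0.0/0', NatGatewayId: 'nat-example' },
    ],
  },
];

// A subnet is public when its 0.0.0.0/0 route targets an internet gateway (igw-*),
// private when that route targets a NAT gateway, and isolated when there is no
// default route at all (an interface VPC endpoint still reaches SSM in that case).
function classifyDefaultRoute(routes) {
  const dflt = routes.find(r => r.DestinationCidrBlock === '0.0.0.0/0');
  if (!dflt) return 'isolated';
  if (dflt.GatewayId && dflt.GatewayId.startsWith('igw-')) return 'public';
  if (dflt.NatGatewayId) return 'private';
  return 'other';
}

// Map every explicitly associated subnet to its classification.
function classifySubnets(routeTables) {
  const result = {};
  for (const table of routeTables) {
    const kind = classifyDefaultRoute(table.Routes);
    for (const assoc of table.Associations) {
      if (assoc.SubnetId) result[assoc.SubnetId] = kind;
    }
  }
  return result;
}

// Subnets that are safe to attach to a VPC Lambda: anything that is not public.
function lambdaEligibleSubnets(routeTables) {
  return Object.entries(classifySubnets(routeTables))
    .filter(([, kind]) => kind !== 'public')
    .map(([subnetId]) => subnetId);
}
```

In a real account, feed the RouteTables array from DescribeRouteTables into lambdaEligibleSubnets and compare the result with the subnets configured on the function.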