AWS Lambda node.js timeout when trying to access DynamoDB

Question

I'm facing one of these AWS Lambda node.js timeout when trying to access DynamoDB issues but the symptoms appear different and the solutions I found don't solve this issue.

Timeout is set to 5min, memory is set to 128MB but doesn't exceed 30MB usage.
IAM policies for the role are:

• AWSLambdaFullAccess
• AmazonDynamoDBFullAccess
• AWSLambdaVPCAccessExecutionRole

The default VPC has 7 security groups and include the default security group with:

• Inbound: All Traffic, All protocol, All port range,
• Outbound: All Traffic, All protocol, All port range, 0.0.0.0/0

Here is the code:

var aws = require('aws-sdk');

exports.handler = function(event, context) {
  var dynamo = new aws.DynamoDB();

  dynamo.listTables(function(err, data) {
    if (err) {
      context.fail('Failed miserably:' + err.stack);
    } else {
      context.succeed('Function Finished! Data :' + data.TableNames);
    }
  });
};

And the Outcome:

START RequestId: 5d2a0294-fb6d-11e6-989a-edaa5cb75cba Version: $LATEST
END RequestId: 5d2a0294-fb6d-11e6-989a-edaa5cb75cba
REPORT RequestId: 5d2a0294-fb6d-11e6-989a-edaa5cb75cba  Duration: 300000.91 ms  Billed Duration: 300000 ms  Memory Size: 128 MB Max Memory Used: 21 MB  
2017-02-25T15:21:21.778Z 5d2a0294-fb6d-11e6-989a-edaa5cb75cba Task timed out after 300.00 seconds

The related node.js version issue solved here doesn't work for me and returns a "ReferenceError: https is not defined at exports.handler (/var/task/index.js:6:16)". Also AWS has deprecated version 0.10.
Here is the code with the https reference:

var aws = require('aws-sdk');

exports.handler = function(event, context) {
  var dynamo = new aws.DynamoDB({
  httpOptions: {
    agent: new https.Agent({
      rejectUnauthorized: true,
      secureProtocol: "TLSv1_method",
      ciphers: "ALL"
    })
  }
});

  dynamo.listTables(function(err, data) {
    if (err) {
      context.fail('Failed miserably:' + err.stack);
    } else {
      context.succeed('Function Finished! Data :' + data.TableNames);
    }
  });
};

Outcome:

START RequestId: 6dfd3db7-fae0-11e6-ba81-a52f5fc3c3eb Version: $LATEST
2017-02-24T22:27:31.010Z    6dfd3db7-fae0-11e6-ba81-a52f5fc3c3eb    ReferenceError: https is not defined
    at exports.handler (/var/task/index.js:6:16)
END RequestId: 6dfd3db7-fae0-11e6-ba81-a52f5fc3c3eb
REPORT RequestId: 6dfd3db7-fae0-11e6-ba81-a52f5fc3c3eb  Duration: 81.00 ms  Billed Duration: 100 ms     Memory Size: 128 MB Max Memory Used: 26 MB  
RequestId: 6dfd3db7-fae0-11e6-ba81-a52f5fc3c3eb Process exited before completing request

With a timeout set to 5min I can't believe that AWS wouldn't be able to return the list of tables in the allocated timeframe and permission issues typically appear in the logs.

Thanks for looking into this.

Answer 1

I guess your Lambda is in a private subnet. In this case by default your Lambda will not have outbound internet access. You need to create a NAT Gateway or NAT Instance to let VPC protected resources to access outside Internet. DynamoDB API is outside Internet from VPC point of view.

Answer 2

You no longer need to create a NAT gateway/instance

You can create a VPC Endpoint for Dynamo DB which will open Lambda in the private subnet to access Dynamo. Create an endpoint in your VPC that aligns to the VPC/subnet setup you have for lambda and you will have no issues with access.

You can limit access to specific services or resources.

https://aws.amazon.com/blogs/aws/new-vpc-endpoints-for-dynamodb/

This can be done for any global AWS service, S3 etc