lambda function can't access secrets manager

I am developing an AWS Lambda function using Python. When I directly use Python code in AWS Lambda to access the secrets manager, it works fine. However, when I package the Lambda function code with dependencies, upload it as a zip file, and run it, I am unable to retrieve the secret, and the execution times out. Why is this happening?

I have followed the instructions in this link, set up the layer, and ensured that the role and VPC subnet are correctly configured.

Update: debug log after setting the environment variable PARAMETERS_SECRETS_EXTENSION_LOG_LEVEL = debug

[AWS Parameters and Secrets Lambda Extension] 2023/10/07 08:42:36 INFO Serving on port 2773
EXTENSION	Name: AWSParametersAndSecretsLambdaExtension	State: Ready	Events: [INVOKE, SHUTDOWN]
START RequestId: da2cb206-3ecd-4d68-bc9e-da721a940c83 Version: $LATEST
begin lambda function run
[AWS Parameters and Secrets Lambda Extension] 2023/10/07 08:42:37 INFO ready to serve traffic
2023-10-07T08:43:07.233Z da2cb206-3ecd-4d68-bc9e-da721a940c83 Task timed out after 30.04 seconds

END RequestId: da2cb206-3ecd-4d68-bc9e-da721a940c83
REPORT RequestId: da2cb206-3ecd-4d68-bc9e-da721a940c83	Duration: 30039.07 ms	Billed Duration: 30000 ms	Memory Size: 128 MB	Max Memory Used: 80 MB	Init Duration: 661.31 ms	

and the Python Lambda function code is:

import json
import boto3


def get_redshift_credentials():
    try:
        # Plain SDK call: this goes over the network to the Secrets Manager
        # endpoint, and it is the call that never returns in the debug log above.
        secrets_manager_client = boto3.client('secretsmanager')
        response = secrets_manager_client.get_secret_value(SecretId='this is MY ARN')
        secret_string = response['SecretString']

        # The secret is stored as a JSON document with the connection fields.
        secret_data = json.loads(secret_string)

        host = secret_data['host']
        port = secret_data['port']
        dbname = secret_data['dbName']
        user = secret_data['username']
        password = secret_data['password']

        cached_redshift_credentials = (host, port, dbname, user, password)
        return cached_redshift_credentials

    except Exception as e:
        print(f"Error retrieving Redshift credentials: {str(e)}")
        raise


def lambda_handler(event, context):
    print("begin lambda function run")
    redshift_credentials = get_redshift_credentials()
    print(redshift_credentials)

Aaren
asked 9 months ago, 793 views
1 answer
1
Accepted answer

Hi Aaren,

I think you need to correctly configure the Role for the Lambda Function to be able to access secrets from Secrets Manager.
Please follow this guide [1] to access the secrets using Lambda (Python) with the correct permissions.

If you have your Lambda Function within a VPC, you also need to consider using a VPC Endpoint or NAT gateway for your request to reach Secrets Manager. [2]

References:
[1] https://community.aws/posts/parameters-and-secrets-lambda-extension-with-python
[2] https://repost.aws/knowledge-center/lambda-secret-vpc

Regards,
Atul

answered 9 months ago
AWS
EXPERT
reviewed 9 months ago
  • Thank you for your answer. I am sure the Role and VPC are configured correctly; with the same code, running the Python directly in AWS Lambda can access Secrets Manager.

  • Okay, you can try to use the Lambda Function environment variable PARAMETERS_SECRETS_EXTENSION_LOG_LEVEL with a value as debug to get a detailed log. This might help in debugging the issue. Also, could you please share some logs to assist you better?

  • OK, I posted the debug logs and Lambda code in the updated post.

  • Hi, I think you are using boto3.client('secretsmanager') in the Lambda code. Instead, you should make a "GET" request using "http". Since you have configured a layer "AWS Parameters and Secrets Lambda Extension", it is making requests to localhost port 2773. You can modify your Lambda code to be similar to the reference [1], it should work fine then. Please refer to this code: https://community.aws/posts/parameters-and-secrets-lambda-extension-with-python#add-our-lambda-code

  • Thank you, I resolved this question by using an HTTP request to get the secrets.
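The approach the last two comments describe, as an added example (not code from the post or from the linked AWS article): the boto3 call is replaced by a GET to the extension on localhost:2773, and the runtime's AWS_SESSION_TOKEN is sent in the X-Aws-Parameters-Secrets-Token header, which the extension requires. The secret field names follow the asker's code; the REDSHIFT_SECRET_ARN variable, the injectable `fetch` hook and the sample response are assumptions made for this example.

```python
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Port the extension listens on (2773 in the debug log above); the extension
# lets it be overridden via PARAMETERS_SECRETS_EXTENSION_HTTP_PORT.
EXTENSION_PORT = int(os.environ.get("PARAMETERS_SECRETS_EXTENSION_HTTP_PORT", "2773"))

def build_extension_request(secret_id: str, session_token: str,
                            port: int = EXTENSION_PORT) -> urllib.request.Request:
    """Build the local GET the extension serves. The runtime's AWS_SESSION_TOKEN goes
    in X-Aws-Parameters-Secrets-Token; the extension rejects requests without it."""
    query = urllib.parse.urlencode({"secretId": secret_id})
    url = f"http://localhost:{port}/secretsmanager/get?{query}"
    return urllib.request.Request(url, headers={"X-Aws-Parameters-Secrets-Token": session_token})

def parse_redshift_secret(body: bytes) -> tuple:
    """The extension returns the same JSON shape as GetSecretValue, so SecretString
    is itself a JSON document that has to be decoded a second time."""
    secret = json.loads(json.loads(body)["SecretString"])
    return (secret["host"], int(secret["port"]), secret["dbName"],
            secret["username"], secret["password"])

def get_redshift_credentials(secret_id: str, session_token: Optional[str] = None,
                             fetch: Optional[Callable[[urllib.request.Request], bytes]] = None) -> tuple:
    """Fetch and decode the secret through the extension. `fetch` is injectable so the
    request/response handling can be exercised without a running extension."""
    token = session_token if session_token is not None else os.environ.get("AWS_SESSION_TOKEN", "")
    if not token:
        raise RuntimeError("AWS_SESSION_TOKEN is empty; is this running inside the Lambda runtime?")
    request = build_extension_request(secret_id, token)
    if fetch is None:
        def fetch(req: urllib.request.Request) -> bytes:
            # localhost should answer quickly; a hang here points at the extension's
            # own path to Secrets Manager rather than at this function's code.
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.read()
    return parse_redshift_secret(fetch(request))

def lambda_handler(event, context):
    host, port, dbname, user, _password = get_redshift_credentials(os.environ["REDSHIFT_SECRET_ARN"])
    print(f"connecting to {dbname} at {host}:{port} as {user}")  # never log the password

# Constructed sample of the extension's response for offline use; not real data.
SAMPLE_EXTENSION_RESPONSE = json.dumps({"ARN": "arn:PLACEHOLDER", "Name": "PLACEHOLDER", "SecretString":
    json.dumps({"host": "cluster.example.internal", "port": "5439", "dbName": "dev",
                "username": "app", "password": "constructed"})}).encode()
```

Passing `fetch=lambda _req: SAMPLE_EXTENSION_RESPONSE` runs the whole decode path on a laptop; inside Lambda, leave `fetch` unset and the request goes to the extension.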
