I want to resolve the "pg module not found" error in my AWS Secrets Manager Lambda function logs when AWS Lambda fails to rotate secrets.
Short description
If the Lambda function automatically upgraded from Python 3.7 to a newer version, then you might receive the "pg module not found" error. Newer versions, such as Python 3.9, might not support the required modules. For information about supported modules and libraries across Python versions in Lambda, see Supported runtimes.
Resolution
Check the Lambda function Python version
Complete the following steps:
-
Open the Lambda console.
-
In the navigation pane, choose Functions, and then select the name of the Lambda that didn't rotate.
-
Choose the Code tab.
-
In Runtime settings, note the Python version.
-
Choose Actions, choose Export function, and then choose Download deployment package.
-
Run the following find Linux command from the directory of the uncompressed .zip file:
find ./ -name “*cpython-*-x86_64-linux-gnu.so”
-
Check that the version of the Python runtime is in the name of the .so file.
For example, _cffi_backend.cpython-37m-x86_64-linux-gnu.so.
Note: If you find Python 3.7 .so files but your Lambda runtime shows a newer version, this confirms a version mismatch. You must resolve this mismatch through the CloudFormation template update process.
Update the AWS CloudFormation template
To resolve the Lambda function failure, complete the following steps:
- Update your stack template that you used to create the Lambda function.
- Add the Runtime property to the HostedRotationLambda object in AWS::SecretsManager::RotationSchedule HostedRotationLambda.
- Redeploy the CloudFormation stack to apply changes.
CloudFormation changes the Lambda rotation function back to Python 3.7.
Note: For Python 3.7, the Runtime key value must be python3.7.
Related information
Upgrade an existing rotation function from Python 3.7 to 3.9