Getting secret from Lambda times out when attached to VPC subnet

1

When a Lambda is attached to one (or more) VPC subnets, fetching a secret from Secrets Manager with GetSecretValue times out. And when the Lambda is detached from all subnets, the GetSecretValue call succeeds. This happens consistently in both Python 3.6 and Node.js 8.10 Lambda environments, so it's not specific to one language library.

In my use case, I am accessing RDS from Lambda, and as such have attached the Lambda to the VPC. But because of this issue with Secrets Manager, I would need to use something else to store RDS credentials.


EDIT: SOLVED, and will mark it as such when my posting quota (apparently a thing around here) lets me.

According to https://stackoverflow.com/a/35423306,

"Once you enable VPC support in Lambda your function no longer has access to anything outside your VPC. [...] For pretty much anything else outside your VPC, you would need to create a NAT instance or a managed NAT gateway in your VPC to route traffic from your Lambda functions to endpoints outside of your VPC."

mxk
asked 6 years ago · 12766 views
8 Answers
1

You're 100% correct. When you put your RDS instance and your Lambda in a VPC, you're putting it on a private network that, by default, has no connectivity to the outside world. Secrets Manager's API endpoints are available only on the public Internet, so for your Lambda to run Secrets Manager API operations, you must equip your VPC with some means of accessing the Internet. The easiest way to do that is to add a NAT gateway that allows requests from the VPC to access the Internet and responses to those requests to make their way back.

Dave

AWS
answered 6 years ago
1

Thanks Dave,

I read a lot of recommendations about using a NAT gateway to grant the VPC internet access, but what about this alternative? Going to network interfaces in EC2, finding the ENI labeled "AWS Lambda VPC ENI", and associating a new elastic IP with that interface? I just confirmed this grants internet access to my Lambda, although I have to explicitly associate it with the private subnet of that interface.

This approach isn't mentioned anywhere, and I wonder what its advantages/disadvantages are as compared with using a NAT gateway.

mxk
answered 6 years ago
1

I'd argue that a NAT gateway benefits all of the hosts on the subnet automatically, while an EIP directly affects only the attached host. Also, there is a very significant limit of 5 EIPs per region, so we would not recommend a scheme that results in a 1:1 association between an EIP and a Lambda function. You'd run out of EIPs very quickly.

A NAT also provides some basic filtering that an EIP does not. A NAT essentially filters out all traffic except responses to previous outgoing requests (unless you specifically designate and redirect an incoming port to a specific host).

We recommend that you follow the guidance found in this topic in the Lambda Developers Guide: https://docs.aws.amazon.com/lambda/latest/dg/vpc.html, which very clearly indicates that a NAT gateway is the preferred configuration option.

I hope this helps!
Dave

AWS
answered 6 years ago
1

Hi Dave,

It would be great to have a VPC endpoint for Secrets Manager!

Deploying a NAT Gateway (indeed 3 NAT gtws for 3 stages) only to access Secrets Manager from Lambda is a pity... in particular for cost reasons.

Thanks

Steph
answered 6 years ago
1

Steph,

I'm guessing you haven't seen the latest news. :-)

In July we introduced support for configuring Secrets Manager endpoints within your VPC. For more information, see the announcement blogpost here (https://aws.amazon.com/blogs/security/how-to-connect-to-aws-secrets-manager-service-within-a-virtual-private-cloud/) or the documentation for this feature (https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotation-network-rqmts.html#vpc-endpoint).

That will simplify all this! I hope this helps!
Dave Bishop
Tech Writer for Secrets Manager

AWS
answered 6 years ago
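For readers who want the endpoint-based alternative to a NAT gateway that this answer points to, here is an added CloudFormation example (not from the thread or from AWS documentation) that creates an interface VPC endpoint for Secrets Manager in the subnets a Lambda is attached to. The parameter names (VpcId, PrivateSubnetIds, LambdaSecurityGroupId, SecretArn) are assumptions for the example.

```yaml
# Added example (not from the thread): interface VPC endpoint for Secrets Manager
# so a VPC-attached Lambda can call GetSecretValue without a NAT gateway.
# Assumed parameters: VpcId, PrivateSubnetIds, LambdaSecurityGroupId, SecretArn.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>   # the subnets the Lambda is attached to
  LambdaSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id  # the security group on the Lambda's ENIs
  SecretArn:
    Type: String                       # ARN of the RDS credential secret
Resources:
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS from the Lambda to the Secrets Manager endpoint
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          # Only the Lambda's security group, not 0.0.0.0/0 or the whole VPC CIDR.
          SourceSecurityGroupId: !Ref LambdaSecurityGroupId
  SecretsManagerEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.secretsmanager"
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
      # With private DNS on, the regional Secrets Manager hostname resolves to the
      # endpoint's private IPs, so the SDK call works without an endpoint_url override.
      PrivateDnsEnabled: true
      # Endpoint policy: traffic through this endpoint may only read this one secret.
      # The Lambda's execution role still needs secretsmanager:GetSecretValue in IAM.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: secretsmanager:GetSecretValue
            Resource: !Ref SecretArn
```

If the function's subnets have no route to the Internet, the endpoint is the only path to Secrets Manager, so a misconfigured endpoint security group reproduces the original timeout rather than a permission error; check the security group first when debugging.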
0

Thanks Dave, indeed I didn't see the July announcement! ;)

Steph
answered 6 years ago
0

Great! Can you please flag my response as the correct answer? Thank you very much!

Dave

AWS
answered 6 years ago
0

Sorry David, it seems that I'm not able to flag your answer.

Steph
answered 6 years ago
