KMS decrypt error inside Lambda in VPC network timeout

0

I have a lambda which needs to be exposed to the internet and also needs outgoing internet network access. This lambda needs to decrypt some environment variables on startup (KMS). This encryption fails sometimes. This lambda is running in a VPC with 2 private subnets and 1 public. The private subnets have a routing table to NAT-gateway. The lambda has required KMS permissions. Also I configured a VPC endpoint for KMS. However I get frequently network timeout errors to KMS:

INFO Decrypt error: Error: read ECONNRESET
    at TLSWrap.onStreamRead (node:internal/stream_base_commons:217:20) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read',
  name: 'TimeoutError',
  '$metadata': { attempts: 7, totalRetryDelay: 5866 }
}

Any suggestions are more than welcome. Thanks in advance.

1 Answer
0
Accepted Answer

Is the subnet where Lambda is located a private subnet?
Or is it a public subnet?
Do you have KMS VPC endpoints set up on public subnets as well?
Lambdas in the VPC do not have a global IP address even if they are located on a public subnet, so you need to set up a VPC endpoint.
Alternatively, you can also communicate by manually setting a public IP address in the Lambda's ENI.
Otherwise, make sure that the required security groups are set up for the KMS VPC endpoints.

EXPERT, answered 2 years ago
EXPERT, reviewed 9 months ago
  • The lambda is on both a private and public subnet. I don't have KMS VPC endpoints setup on the public subnets only on private subnets. I will try that and see whether this solves the problem. Thanks!

  • In my case, both Lambda and KMS VPC endpoint are in a private subnet without internet access. Lambda's security group allows any outgoing traffic. Incoming traffic from the whole VPC is allowed. The function connects to Amazon MQ successfully (located in a public network, not accessible from the Internet). But the decrypt API function call still hangs and the function fails by timeout. What am I doing wrong?
