8

I created an AWS Lambda function that:

  • logs onto Redshift via JDBC URL
  • runs a query

Locally, using Node, I can successfully connect to the Redshift instance via JDBC, and execute a query.

var conString = "postgresql://USER_NAME:PASSWORD@JDBC_URL”;
var client = new pg.Client(conString);
client.connect(function(err) {   
  if(err) {
            
      console.log('could not connect to redshift', err);
          
  }  
          
// omitted due to above error

However, when I execute the function on AWS Lambda (where it's wrapped in a async#waterfall block), AWS Cloudwatch logs tells me that the AWS Lambda function timed out after 60 seconds.

Any ideas on why my function is not able to connect?

Kevin Meredith
  • 41,036
  • 63
  • 209
  • 384

2 Answers2

2

I find it's either you open your Redshift security group public to all sources, or none. Because a Lambda function isn't running on a fixed address or even a fixed range of IP addresses, which is completely transparent to users (AKA server-less).

I just saw Amazon announced the new Lambda feature to support VPC yesterday. I guess if we can run a Redshift cluster in a VPC, this could solve the problem.

piggybox
  • 1,689
  • 1
  • 15
  • 19
  • this isn't a connection problem, but a timeout during a long query – Martijn Scheffer Jan 25 '19 at 09:35
  • @MartijnScheffer a db connection problem often leads to timeout as a result. It's not hard though to verify on the db side if there was any query actually running – piggybox Jan 26 '19 at 09:12
  • yes but that is not the subject here, he is talking about the AWS lambda timeout, thats how i understand it, however, it could be either a connection failure, or a long query reaching lambda's timeout, its easy to find out, run a very short query (select count(*) ....) if that works, it's the lambda – Martijn Scheffer Feb 01 '19 at 15:19
  • yes its the connection, i was wrong, maybe a IAM problem, roles, access rights ? – Martijn Scheffer Apr 26 '19 at 21:23
1

If you are using serverless-framework v1.5.0, you should add:

iamRoleStatements: - Effect: Allow Action: - ec2:CreateNetworkInterface Resource: '*' - Effect: Allow Action: - ec2:DeleteNetworkInterface - ec2:DescribeNetworkInterfaces Resource: 'arn:aws:ec2:${self:provider.region}:*:network-interface/*'

Also should add all securityGroupIds to Inbounds Rules, like below: screenshot 2017-01-09 23 02 33

More info: https://serverless.com/framework/docs/providers/aws/guide/functions/#vpc-configuration

Marckaraujo
  • 7,422
  • 11
  • 59
  • 97