9

I can't successfully connect to RDS from Amazon Lambda in production. For Amazon Lambda I'm using the Serverless framework; when executing `sls offline` I can connect to RDS from localhost, but in production the Amazon Lambda function can't.

Both are in the same VPC and the same security group, which has all-traffic inbound access and a rule pointing to the VPC's CIDR.

I have these permissions attached: AmazonRDSFullAccess, AWSLambdaFullAccess, AmazonVPCFullAccess, AWSLambdaExecute and AWSLambdaVPCAccessExecutionRole.

starball
fabian818
  • Possible duplicate of [Allow AWS Lambda to access RDS Database](https://stackoverflow.com/questions/37030704/allow-aws-lambda-to-access-rds-database) – mootmoot Sep 01 '17 at 08:00
  • I followed all the indications, but I could not make the connection work, I guess this is another error. – fabian818 Sep 01 '17 at 08:47
  • How about this ? http://docs.aws.amazon.com/lambda/latest/dg/vpc-rds-create-iam-role.html – mootmoot Sep 01 '17 at 08:56
  • I have these permissions attached: AmazonRDSFullAccess, AWSLambdaFullAccess, AmazonVPCFullAccess, AWSLambdaExecute and AWSLambdaVPCAccessExecutionRole but still not working. – fabian818 Sep 01 '17 at 09:03
  • https://aws.amazon.com/blogs/aws/new-access-resources-in-a-vpc-from-your-lambda-functions/ – mootmoot Sep 01 '17 at 09:11
  • Description updated with: Both are in same VPC, in same security group, that has all traffic inbound access, and a rule that is pointing to Vpc's CIDR. – fabian818 Sep 01 '17 at 09:19
  • @fabian818 I was struggling with this myself recently. Could you provide your serverless.yml? also, what errors are you seeing in your lambda's Cloudwatch logs? – Zac Collier Nov 15 '17 at 11:39
  • 1
    It is your permissions. Try to put RDS and Lambda in the same VPC/security group and subnet. If your RDS is public, your Lambda subnet should have internet access to reach it. – johnny May 29 '18 at 16:12
  • If my RDS Is public I need a NAT? No other way to access that resource in the same VPC? – Jumpa Nov 27 '19 at 07:03

2 Answers

18

I had this issue and the following is a summary of the steps I took to resolve:

  1. In the Lambda network section, select the VPC and all subnets. Set the security group to the security group the RDS instance was created with / set to.
  2. Edit said security group's inbound policies and set a policy with the RDS port/access settings, with the source equal to its own Group Id. It is not sufficient that they are in the same group if it doesn't accept connections from its own group.
  3. Ensure the lambda function execution role has AWSLambdaVPCAccessExecutionRole and AWSLambdaBasicExecutionRole policies attached.

Good luck.

edencorbin
  • After hours of searching this looks like exactly what is needed. However it still doesn't work. After some head scratching I went to use the query editor in RDS and my admin credentials aren't working! So my guess is the problem is with the RDS setup, not with Lambda. – Jimbo Feb 17 '21 at 14:16
  • Apparently the password for my master account (username: admin) was incorrect ... Fixing that allowed me to connect to the query editor. After verifying the query editor worked the Lambda code worked just fine. – Jimbo Feb 17 '21 at 14:24
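The three steps in this answer can be checked offline before touching the console. The script below is an added example, not code from the answer's author or from AWS; every ID (`sg-0aaa`, `vpc-0example`, the subnets, the function and DB names, the `10.0.0.0/16` CIDR) is a constructed placeholder. The dictionaries are shaped like the responses of boto3's `describe_security_groups`, `get_function_configuration`, `describe_db_instances` and `list_attached_role_policies`, so live responses can be dropped in. It reports the step 2 trap specifically: a group the function and the database share, whose only inbound rule names some other group as its source.

```python
"""Offline diagnosis of the three Lambda-to-RDS conditions in the accepted answer.

All data below is constructed to mirror the response shapes of boto3's
describe_security_groups, get_function_configuration, describe_db_instances and
list_attached_role_policies; feed live responses in to check a real account.
"""
import copy
import ipaddress

VPC_CIDR = "10.0.0.0/16"  # constructed; in practice taken from describe_vpcs

# Constructed sample: the function and the DB instance share the hypothetical group sg-0aaa.
LAMBDA_CONFIG = {
    "FunctionName": "example-fn",
    "VpcConfig": {
        "VpcId": "vpc-0example",
        "SubnetIds": ["subnet-0a", "subnet-0b"],
        "SecurityGroupIds": ["sg-0aaa"],
    },
}
DB_INSTANCE = {
    "DBInstanceIdentifier": "example-db",
    "Endpoint": {"Address": "example-db.example.invalid", "Port": 3306},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa", "Status": "active"}],
}
# Keyed by GroupId; each value is one entry of describe_security_groups()["SecurityGroups"].
SECURITY_GROUPS = {
    "sg-0aaa": {
        "GroupId": "sg-0aaa",
        "IpPermissions": [
            # Step 2 of the answer: the group admits its own members on the DB port.
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]},
        ],
    },
}
ROLE_POLICIES = [  # list_attached_role_policies()["AttachedPolicies"]
    {"PolicyName": "AWSLambdaBasicExecutionRole",
     "PolicyArn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"},
    {"PolicyName": "AWSLambdaVPCAccessExecutionRole",
     "PolicyArn": "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"},
]
REQUIRED_POLICIES = {"AWSLambdaVPCAccessExecutionRole", "AWSLambdaBasicExecutionRole"}


def rule_covers_port(rule, port):
    """An ingress rule matches TCP `port` if it is all-traffic (-1) or a TCP range containing it."""
    proto = rule["IpProtocol"]
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def rule_admits_source(rule, source_sg_id, vpc_cidr):
    """True if the rule's source is the given group, or a CIDR that contains the whole VPC."""
    if any(p.get("GroupId") == source_sg_id for p in rule.get("UserIdGroupPairs", [])):
        return True
    vpc = ipaddress.ip_network(vpc_cidr)
    return any(vpc.subnet_of(ipaddress.ip_network(r["CidrIp"]))
               for r in rule.get("IpRanges", []))


def diagnose(lambda_cfg, db, security_groups, role_policies, vpc_cidr):
    """Return one finding per failed step; an empty list means all three conditions hold."""
    findings = []
    vpc_config = lambda_cfg.get("VpcConfig") or {}
    lambda_sgs = set(vpc_config.get("SecurityGroupIds", []))
    if not vpc_config.get("SubnetIds") or not lambda_sgs:
        findings.append("step 1: function has no VPC subnets/security groups configured")
    db_sgs = {g["VpcSecurityGroupId"] for g in db["VpcSecurityGroups"] if g["Status"] == "active"}
    if lambda_sgs and not lambda_sgs & db_sgs:
        findings.append("step 1: function shares no security group with the DB instance")
    port = db["Endpoint"]["Port"]
    # Step 2: some inbound rule on the DB's groups must admit the function's groups on the DB port.
    admitted = any(
        rule_covers_port(rule, port) and rule_admits_source(rule, src, vpc_cidr)
        for sg_id in db_sgs
        for rule in security_groups[sg_id]["IpPermissions"]
        for src in lambda_sgs
    )
    if not admitted:
        findings.append(f"step 2: no inbound rule on the DB's groups admits the function's groups on port {port}")
    # Step 3: both managed execution policies must be attached to the role.
    missing = REQUIRED_POLICIES - {p["PolicyName"] for p in role_policies}
    if missing:
        findings.append("step 3: execution role lacks " + ", ".join(sorted(missing)))
    return findings


def broken_sample():
    """Same layout, but the shared group's rule names a different group as source: the step 2 trap."""
    groups = copy.deepcopy(SECURITY_GROUPS)
    groups["sg-0aaa"]["IpPermissions"][0]["UserIdGroupPairs"] = [{"GroupId": "sg-0other"}]
    return groups


if __name__ == "__main__":
    print("healthy:", diagnose(LAMBDA_CONFIG, DB_INSTANCE, SECURITY_GROUPS, ROLE_POLICIES, VPC_CIDR))
    print("broken:", diagnose(LAMBDA_CONFIG, DB_INSTANCE, broken_sample(), ROLE_POLICIES, VPC_CIDR))
```

The CIDR path in `rule_admits_source` covers the asker's setup (an all-traffic rule whose source is the VPC's CIDR), which this check also accepts; when that configuration still fails, the remaining suspects are the ones the comments above landed on, such as the database credentials themselves.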
-1

Try to change "IAM DB Authentication Enabled" to YES on your database and apply changes immediately so you don't wait for maintenance.

That solved my problem.