8

My lambda function can access Systems Manager parameters (ssm.getParameter) when NOT in a VPC. When I add the lambda function to my VPC, I lose access to SSM. The function times out.

Clearly I am missing a security group setting or something but can't figure it out. What do I need to do to enable lambda access to SSM when running it in my VPC?

Fook

2 Answers

9

Most likely this is because you're creating your Lambda function in the public subnet. Lambda does get a public IP address and uses NAT to access resources outside the VPC.

Also, as a side note, AWS now provides an endpoint for SSM (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-setting-up-vpc.html), so you don't even need to go through the internet anymore.

b.b3rn4rd
    I solved it with an endpoint. Specifically, I only needed to create one for com.amazonaws.region.ssm to get it working. Thanks! – Fook Jul 18 '18 at 15:30
1

To add to @b.b3rn4rd:

I myself finished everything after following Amazon's guide (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-setting-up-vpc.html) but was still getting timeout errors when calling SSM from Lambdas.

I found the answer in the following article: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-systems-manager-vpc-endpoints/. You also need to add another inbound rule to your security group that allows inbound HTTPS requests within your VPC; the source will be the security group that you're using for Lambdas.

It should be something like: Type: HTTPS, Protocol: TCP, Port: 443, Source: [security group].

Martin
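The two answers together describe one setup: an interface endpoint for com.amazonaws.<region>.ssm, plus a security group rule that lets the Lambda function's security group reach that endpoint on TCP 443. The following CloudFormation template is an added example of that setup written for this thread, not code from either answer; the parameter names, logical resource names and the "private subnets" assumption are mine, and the function's execution role still needs ssm:GetParameter permission on the parameter, which the template does not cover.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: SSM interface endpoint reachable from a Lambda function inside the VPC (constructed example)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    # Assumed: the same subnets the Lambda function is attached to.
    Type: List<AWS::EC2::Subnet::Id>

Resources:
  # Security group attached to the Lambda function. No inbound rules are needed;
  # it keeps the default allow-all egress so the function can open TCP 443 to the endpoint.
  LambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Lambda functions that call SSM
      VpcId: !Ref VpcId

  # Security group attached to the endpoint's network interfaces.
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSM interface endpoint
      VpcId: !Ref VpcId

  # The rule from the second answer: inbound HTTPS (TCP 443) to the endpoint,
  # sourced from the Lambda security group rather than from a CIDR block, so only
  # members of that group can reach the endpoint.
  EndpointIngressFromLambda:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref EndpointSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      SourceSecurityGroupId: !Ref LambdaSecurityGroup

  # The com.amazonaws.<region>.ssm endpoint from the accepted answer. With private DNS
  # enabled, the usual ssm.<region>.amazonaws.com hostname used by the SDK resolves to
  # the endpoint's private IPs, so ssm.getParameter works without NAT or internet access.
  SsmEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssm
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
      PrivateDnsEnabled: true
```

If the function still times out after deploying this, check that it is attached to LambdaSecurityGroup and to subnets in the same VPC, and that any network ACL on those subnets permits TCP 443 and the ephemeral return ports.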