AWS Lambda function reading redshift details getting timed out

Question

I have created a vpc having public and private subnet. There is also a NAT gateway and the private subnet is associated with NAT gateway. There is a redshift cluster in private subnet. There is lambda function which is associated with both private and public subnet. Below is the code in lambda function and it is getting timed out every time I run it.

import json
import boto3

EVENT_TYPE = "REDSHIFT-EVENT-2000"


    def hello(event=None, context=None):
        print(event)
        event = st = {'Records': [{'EventSource': 'aws:sns', 'EventVersion': '1.0', 'EventSubscriptionArn': 'arn:aws:sns:us-east-2:427128480243:terraform-redshift-sns-topic:cbdfec04-7502-4509-9954-4ddc5e3c', 'Sns': {'Type': 'Notification', 'MessageId': '2b18e1e5-cbd2-5ab9-8a64-b90f55009fa8', 'TopicArn': 'arn:aws:sns:us-east-2:427128480243:terraform-redshift-sns-topic', 'Subject': '[Amazon Redshift INFO] - Cluster Created', 'Message': '{"Event Source":"cluster","Resource":"qa-redshift-cluster","Event Time":"2021-04-09 18:27:29.405","Identifier Link":"https://console.aws.amazon.com/redshift/home?region=us-east-2#cluster-details:cluster=qa-redshift-cluster ","Severity":"INFO","Category":["Management"],"About this Event":"http://docs.aws.amazon.com/redshift/latest/mgmt/working-with-event-notifications.html#REDSHIFT-EVENT-2000 ","Event Message":"Amazon Redshift cluster \'qa-redshift-cluster\' has been created at 2021-04-09 18:27 UTC and is ready for use."}', 'Timestamp': '2021-04-09T18:27:30.589Z', 'SignatureVersion': '1', 'Signature': 'V58ecuxcerOSQyyVfWOPD7VkWRD2srTKqo/KiuTXruSXuZrDBRRTbd/uN76vLs909Lq1EK1XDFukhJKlgyQN9a3M9EvE4KUyf3nGMFvBQvTzk8BUj90VsLkY+YdVbhkcYjKr9cMuT2snPcUF5BeaqIsSbEFyvxGNmwEs0aTA8PsGBpxLT4Mxv78lY4nLFLdXKpnCB9HYGM1EO/VqtpY9dsd7XXGS3uDlWPo7u7BEntqPOcBmSXKtzy53fAGFEkLsDMH9aSzL3KALe4HxYb0zwLN95EE+h2svMt1X+SzIXG48m7NsNZDhG5LSbsUA==', 'SigningCertUrl': 'https://sns.us-east-2.amazonaws.com/SimpleNotificationService-010a507c1833636cd93083a.pem', 'UnsubscribeUrl': 'https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:427128480243:terraform-redshift-sns-topic:cbdfec04-7502-4509-9954-435c5e3c', 'MessageAttributes': {}}}]}
        print(event)
        if event is not None:
            message = event['Records'][0]['Sns']['Message']
            print(message)
            if message is not None and EVENT_TYPE in message:
                # convert the str to python dictionary
                message_dict = json.loads(message)
                print(message)
                # get the cluster details
                cluster_name = message_dict.get('Resource', None)
                print(cluster_name)
                if cluster_name is not None:
                    client_red = boto3.client('redshift',region_name = 'us-east-2')
                    clusters = client_red.describe_clusters(ClusterIdentifier=cluster_name)
                    cluster_detail = clusters.get('Clusters')[0]
                    print(cluster_detail)
                    db_name = cluster_detail.get('DBName')
                    user_name = cluster_detail.get('MasterUsername')
                    db_endpoint = cluster_detail.get('Endpoint')
                    print(db_endpoint)
                    db_address = db_endpoint.get('Address')
                    db_port = db_endpoint.get('Port')
    
                    print(f'The database name is {db_name}')
                    print(f'The database address is {db_address}')
                    print(f'The database port is {db_port}')
                    print(f'The database user is {user_name}')
                    print(f'The cluster name is {cluster_name}')
    
    
                    client_data = boto3.client('redshift-data' , region_name = 'us-east-2')
    
                    response = client_data.execute_statement(
                        ClusterIdentifier = cluster_name,
                        Database = db_name,
                        DbUser = user_name,
                        Sql = "CREATE TABLE TEST (key LONG)"
                    )
                    print(response)
                    id = response.get('Id')
                    print(id)
    
                    response2 = client_data.describe_statement(Id = id)
                    print(response2)

For testing purpose I have hardcoded the event json.All the resources have been created via Terraform.I looked up Lambda using python 3.6 & boto3 in VPC times out when connecting to Redshift and from this I added NAT but still it fails.

The role attached to lambda has permissions to access redshift and for time been the security groups have all the traffic enabled inbound and outbound.

If I run this script directly from pycharm it works fine but the issue comes when running from lambda where it gets timeout at this line

clusters = client_red.describe_clusters(ClusterIdentifier=cluster_name)

I am not able to figure the issue. Can someone please help me out. Thank you

Your lambda function should be only in private subnet, not publics. Does your NAT work? Can you verify that using, e.g. instance your private subnet? — Marcin, Apr 10 '21 at 22:44
I was able to create a ec2 instance in private subnet and ping google.com from that instance. I am assuming that because of NAT in public subnet. Also I removed the public subnet from lambda but it didn't work. Same issue — Deepak_Spark_Beginner, Apr 10 '21 at 23:09
What about security group for the lambda in the vpc? Does it allow outbound access to the internet? — Marcin, Apr 10 '21 at 23:19
Below is what security group for lambda says inbound and outbound. Not sure if this what means access to internet ------ All traffic All All 0.0.0.0/0 — Deepak_Spark_Beginner, Apr 10 '21 at 23:26
How did you access your ec2 instance, if its in private subnet? — Marcin, Apr 10 '21 at 23:33
I logged into ec2 instance in public subnet and from there. They both have same key — Deepak_Spark_Beginner, Apr 10 '21 at 23:36
I would just try re-creating your lambda. Maybe something got mixed up. Just delete the existing one if you can, and create new one. — Marcin, Apr 10 '21 at 23:38
Also does your lambda execution role has permissions for VPC? — Marcin, Apr 10 '21 at 23:57
When I was trying I gave the lambda execution role administrator access so I am guessing it has all the access. — Deepak_Spark_Beginner, Apr 11 '21 at 00:32

manukonda sowmya · Answer 1 · 2021-04-23T03:18:51.657

0

If you want to access the cluster privately and if both of them are in the same VPC.

Can you please check your redshift security group?

Please allow the security group of lambda in the redshift's security group.

I would also suggest you allow the VPC CIDR range in the security group of redshift.

edited Apr 23 '21 at 03:18

answered Apr 22 '21 at 23:58

manukonda sowmya

1
1

AWS Lambda function reading redshift details getting timed out

1 Answers1