I have a Lambda function written in dotnet 6 that connects to RDS and inserts some data. I want to have the connection parameters (db host, db password, db name) stored in SSM ParameterStore instead of hardcoded in the function.

I have found Amazon.Extensions.Configuration.SystemsManager which seems to be able to add the SSM parameters as a dotnet Configuration source.

If I add this to the constructor of the base class of the handlers:

using Amazon.Lambda.Core;
using Microsoft.Extensions.Configuration;

public class Function
{
    private IConfiguration _configuration = default!;

    public Function()
    {
        LambdaLogger.Log("START CONSTRUCTOR");
        // Load every parameter under the "/" prefix from Parameter Store
        // as a configuration source
        _configuration = new ConfigurationBuilder()
                        .AddSystemsManager("/")
                        .Build();
        LambdaLogger.Log("END CONSTRUCTOR");
    }

    // Function handlers, etc.
}

the lambda function times out.

If I change that to

using Amazon.Lambda.Core;
using Microsoft.Extensions.Configuration;

public class Function
{
    private IConfiguration _configuration = default!;

    public Function()
    {
        LambdaLogger.Log("START CONSTRUCTOR");
        // Same constructor without the Parameter Store source
        _configuration = new ConfigurationBuilder()
                        .Build();
        LambdaLogger.Log("END CONSTRUCTOR");
    }

    // Function handlers, etc.
}

the lambda function works, so it is the AddSystemsManager() call which is timing out for some reason. I have added to the lambda execution role the policies arn:aws:iam::aws:policy/AmazonSSMFullAccess and arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser (for SecureString).

So, what am I doing wrong or what else do I need to check to access SSM from a dotnet 6 lambda?

Also, if you can't suggest about this specific problem, can you suggest a path you know works to get centralized configuration onto dotnet 6 lambdas?

Koi
  • Did you attach the Lambda function to a public subnet? If so, move it to private subnet. Do you have an SSM VPC Endpoint configured or do you have a NAT device (or gateway) in your VPC? Related [question](https://stackoverflow.com/questions/52992085/why-cant-an-aws-lambda-function-inside-a-public-subnet-in-a-vpc-connect-to-the/52994841#52994841). – jarmod Sep 02 '22 at 18:14
  • @jarmod the lambda functions are currently in the databases subnet of my VPC (to talk to the RDS database server) - are you saying that SSM lives on a totally different subnet that I need to explicitly add to my VPC configuration? I didn't see anything about setting up VPCs to access SSM in the docs (I could totally have skipped that part) – Koi Sep 02 '22 at 18:20
  • Found this question: https://stackoverflow.com/questions/51893923/how-to-debug-connection-issue-connecting-to-ssm-vpc-endpoint-from-lambda-functi#:~:text=The%20subnets%20that%20Lambda%20is%20being%20deployed%20in%2C,group%20%28which%20is%20associated%20with%20the%20lambda%20function%29. that seems related – Koi Sep 02 '22 at 18:22
  • Your Lambda function needs a network route to the AWS SSM API endpoint, either via the internet (i.e. a combination of NAT and IGW in your VPC) or via private VPC endpoint. By databases subnet, I presume you mean a private subnet? Does this subnet have either a default route to NAT (running in a public subnet, with IGW) or have you configured an SSM VPC Endpoint in your VPC? You need one or the other. – jarmod Sep 02 '22 at 18:27
  • That was it, @jarmod. Thank you. For other people who might be interested, found this Terraform module that helps (has all the required parameters for the endpoint to work) https://github.com/bayupw/terraform-aws-ssm-vpc-endpoint/blob/main/main.tf – Koi Sep 03 '22 at 09:29

1 Answer

As @jarmod mentions in the comments, it was not related to the Lambda's runtime or the library in use, but a network connectivity issue. The subnet I had the Lambda running in didn't have a VPC endpoint to Systems Manager.

After adding the right VPC endpoint to my setup everything started working.

Koi
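As an added example (not from the question, the answer, or the linked Terraform module), here is what the SSM interface endpoint described in the comments looks like in Terraform, written so that only the Lambda's security group can reach it on HTTPS and an endpoint policy limits it to parameter reads. The variables `var.vpc_id`, `var.private_subnet_ids` and `var.lambda_sg_id` are assumed placeholders for the VPC, the private subnets the Lambda runs in, and the Lambda's security group.

```hcl
# Added example; assumed placeholders: var.vpc_id, var.private_subnet_ids,
# var.lambda_sg_id (the security group attached to the Lambda function).
data "aws_region" "current" {}

# Only the Lambda's security group may talk to the endpoint, and only on 443.
resource "aws_security_group" "ssm_endpoint" {
  name   = "ssm-endpoint-sg"
  vpc_id = var.vpc_id

  ingress {
    description     = "HTTPS from the Lambda security group only"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [var.lambda_sg_id]
  }
}

# Interface endpoint for the SSM API in the same private subnets as the Lambda.
# private_dns_enabled makes ssm.<region>.amazonaws.com resolve to the endpoint's
# private IPs, so the SDK needs no custom ServiceURL and the call no longer
# tries to leave the VPC (which is what hung the constructor in the question).
resource "aws_vpc_endpoint" "ssm" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.ssm"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.ssm_endpoint.id]
  private_dns_enabled = true

  # Endpoint policy: loading configuration only needs reads, so even a broad
  # execution role (the question attaches AmazonSSMFullAccess) cannot write
  # or delete parameters through this path.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action = [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath",
      ]
      Resource = "*"
    }]
  })
}
```

The Lambda's own security group still needs outbound 443, and the execution role still needs the `ssm:GetParameter*` permissions (plus `kms:Decrypt` on the key for SecureString values), because an endpoint policy only narrows what the endpoint will carry and never grants anything.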