Hello again... I'm having this problem with lambda...
# help
p
Hello again... I'm having this problem with lambda networking inside VPC. It's happening in a function I deployed yesterday. This function calls secrets manager to get the credentials and connects to a MySQL DB in RDS. It also makes some calls to the internet. I'm getting timeout errors and when I check the serverless console it shows the `getSecretValue()` being the cause as far as I understand. It's very weird because:
• All the functions are in the same `serverless.yml` and share the same VPC configuration (which is already set up to allow internet access) and the other functions with the same type of calls (SecretsManager, RDS, and external addresses) work perfectly;
• It doesn't seem to be an external access problem because the HTTP calls to the Internet work fine, only the secrets manager gets stuck;
• I noticed that if I change the internet address I'm calling for another (e.g. google.com) it works without timing out the `getSecretValue()` call.
• Since the external address, in this case, is another lambda, I tested calling it directly by using the AWS SDK instead of making an HTTP request (via axios), but in this case, the timeout happens again :S
Any clues? Has anyone already been through a similar problem?
r
Not in front of computer to check but ssm might need an endpoint set up
p
Mystery solved. The inner lambda function I call inside the function was timing out for a specific set of parameters and causing the outer function to also time out :S It was not related to networking configuration at all, which fortunately makes sense 😄
r
Wonder if you can help me then...do you know what the cloudformation looks like for giving a lambda access to the key used to encrypt the parameter store values?
p
I don't 😞 I only know you can reference the values from parameter store and secrets manager but I never used that. To access the encryption key I have no idea.
f
@Ross Coundon r u looking for the IAM permissions required for the Lambda?
r
No worries, I typically get the problem that the lambda is not allowed to decrypt the parameter because of lack of access to the key. I have an IAM role that allows decrypt
```
Effect: 'Allow',
Action: [
  'kms:Decrypt',
  'kms:GenerateDataKey*',
  'kms:DescribeKey*',
],
Resource: theparameterpath
```
But I get the issue that access to the key isn’t allowed. I then end up going into the KMS console in AWS to specify the role as a user of the key
f
Oh I see. That’s weird… We don’t use Parameter Store extensively. But we haven’t run into the occasional lack of access error you mentioned when dealing with KMS directly.
r
Yeah, that chimes with what I’ve found when trying to hunt down a solution i.e. nobody else seems to have the problem! Maybe what I need to try is to have the serverless process create the actual keys and parameter store entries, rather than creating them first and referencing them in serverless.