
I'm attempting to access AWS DynamoDB from a Lambda function. When I call the document client's scan function using a promise, it never returns even when I extend the function's timeout to a whole minute.

I'm using the Serverless platform, Node 8.10, and I've set up the "iamRoleStatements" to allow dynamodb and the table's ARN.

serverless.yml:

provider:
  name: aws
  runtime: nodejs8.10
  timeout: 6
  region: us-east-1
  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:*
      Resource: "[arn from dynamodb]"

handler.js:

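const AWS = require('aws-sdk')
const dynamodb = new AWS.DynamoDB.DocumentClient()
...
...
...
    try {
      console.log('dynamodb go')
      // scan() returns an AWS.Request; .promise() turns it into a Promise
      attributes = await dynamodb.scan(queryParams).promise()
      console.log('dynamodb success')
      console.log(attributes)
    } catch (err) {
      // log the error itself so the failure cause shows up in the function's logs
      console.log('dynamodb error', err)
    }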

I'm expecting to get "dynamodb go" then "dynamodb success" or even "dynamodb error" in the console. However, after printing "dynamodb go" the function hangs and ends up timing out. Am I doing the promise wrong somehow? It seems like this should be the correct format based on what I've seen.

  • Did you try something simpler and quicker like describeTable() to make sure that you actually have connectivity to DynamoDB? Commented Jan 15, 2019 at 22:45
  • @jarmod I tried describeTable() and that seems to time out too. For describeTable() I just used the base AWS.DynamoDB object instead of the document client, that's correct, right? Commented Jan 15, 2019 at 22:58
  • I edited my post with the creation of my documentclient object. Is there any configuration that I need to do to get this working? The Lambda function is being called from an authenticated request from a web client with a cognito identity. Commented Jan 15, 2019 at 23:00
  • Is your Lambda running in a VPC? Commented Jan 15, 2019 at 23:31
  • Any connectivity timeout like this is typically because your Lambda function cannot reach the network resource that it's trying to connect to, in this case DynamoDB. That typically is caused by one thing - you are running the Lambda function in a private subnet of a VPC and that subnet has no viable route to the internet or to DynamoDB via a VPC Endpoint. Could that be what's happening here? Commented Jan 15, 2019 at 23:59

1 Answer

It sounds like your Lambda function cannot connect to DynamoDB. That typically is caused by one thing - you are running the Lambda function in a VPC and the Lambda function has no viable route to DynamoDB (either over the public internet or to DynamoDB via a private VPC Endpoint).

Presumably you're running your Lambda function inside a VPC so that it can access your private RDS database, which would not otherwise be reachable over the public internet.

You have a couple of choices:

  1. give the Lambda function internet access so it can reach DynamoDB over the public internet
  2. add a VPC Endpoint for DynamoDB to the VPC so it can reach DynamoDB privately

Note that both are over TLS so are secure. The decision is whether or not to allow the Lambda function to have unfettered outbound internet access (#1), or to constrain it to DynamoDB (#2).


4 Comments

I'll try this soon and get back to you. Thanks!
Do I really need to make a whole EC2 instance just to get these two services to talk to each other? I feel kind of frustrated with how Serverless computing was supposed to help me by taking care of all these tasks for me but then it creates all these new challenges which are new to me.
Update: Decided to just get rid of the VPC and instead I'll try to make the RDS instance publicly accessible. Just makes everything easier.
@danielhep Exposing an RDBMS to the public internet is rarely a good idea. You should be able to give Lambda access to both your private RDS instance and the DynamoDB service without the need for a NAT gateway or public internet access. Did you try this with a VPC endpoint for DynamoDB?
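
Option 2 from the answer written out as Serverless Framework configuration, as an added example that is not part of the original post or the answerer's own code. The VPC, subnet, security group and route table IDs are placeholders, and narrowing the actions to `dynamodb:Scan` is an assumption based on the handler shown in the question.

```yaml
# serverless.yml (added example; all *-PLACEHOLDER IDs are placeholders)
provider:
  name: aws
  runtime: nodejs8.10
  region: us-east-1
  vpc:                          # function runs in private subnets, no NAT
    securityGroupIds:
      - sg-PLACEHOLDER
    subnetIds:
      - subnet-PLACEHOLDER
  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:Scan         # assumption: only scan() is needed
      Resource: "[arn from dynamodb]"

resources:
  Resources:
    # Gateway endpoint: adds a route to DynamoDB in the listed route tables,
    # so traffic stays inside AWS and no internet route is required.
    DynamoDbGatewayEndpoint:
      Type: AWS::EC2::VPCEndpoint
      Properties:
        VpcEndpointType: Gateway
        ServiceName: com.amazonaws.us-east-1.dynamodb
        VpcId: vpc-PLACEHOLDER
        RouteTableIds:
          - rtb-PLACEHOLDER     # route table of the Lambda subnets
        # Endpoint policy: limit what can be reached through this endpoint
        # to the one table, independent of the function's IAM role.
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal: "*"
              Action:
                - dynamodb:Scan
              Resource: "[arn from dynamodb]"
```

The security group attached to the function must still allow outbound HTTPS (port 443); the gateway endpoint only supplies the route.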
