
I am trying to delete an object from an S3 bucket, but no matter what I do the delete request always ends up timing out. I'm thinking I've either configured the permissions incorrectly or I'm using the aws-sdk incorrectly.

Here is my Lambda function creation, defined in aws-cdk:

this.appsyncS3LambdaResolver = new NodejsFunction(
  this,
  "appsyncS3LambdaResolver",
  {
    memorySize: 1024,
    handler: "handler",
    runtime: lambda.Runtime.NODEJS_14_X,
    timeout: cdk.Duration.seconds(5),
    entry: __dirname + "/../../lambda-fns/AppsyncS3LambdaResolver/index.ts",
    environment: {
      SECRET_NAME: props.rdsSecretName || "",
      SECRET_VALUE: props.rdsSecretValue || "",
      S3_BUCKET_NAME: props.s3bucket.bucketName,
      S3_BUCKET_URL: props.s3bucket.bucketWebsiteUrl,
    },
    bundling: {
      externalModules: ["aws-sdk"],
      nodeModules: ["pg"],
    },
    vpc: props.vpc,
    vpcSubnets: { subnetType: ec2.SubnetType.ISOLATED },
    securityGroups: [props.lambdaAccessToRDSSecurityGroup],
  }
);

// Give appsyncS3LambdaResolver access to put to S3 bucket (which enables it to make presigned urls)
// and delete
props.s3bucket.grantPut(this.appsyncS3LambdaResolver);
props.s3bucket.grantDelete(this.appsyncS3LambdaResolver);

And here is my S3 bucket creation:

this.s3bucket = new s3.Bucket(this, "s3-bucket", {
  // bucketName: 'my-bucket',
  removalPolicy: cdk.RemovalPolicy.DESTROY,
  autoDeleteObjects: true,
  versioned: false,
  publicReadAccess: false,
  encryption: s3.BucketEncryption.S3_MANAGED,
  cors: [
    {
      allowedMethods: [s3.HttpMethods.GET, s3.HttpMethods.PUT],
      allowedOrigins: props.isProd
        ? [] // tbd
        : ["http://localhost:3000", "http://localhost:3000/*"],
      allowedHeaders: ["*"],
    },
  ],
  lifecycleRules: [
    {
      abortIncompleteMultipartUploadAfter: cdk.Duration.days(90),
      expiration: cdk.Duration.days(365),
      transitions: [
        {
          storageClass: s3.StorageClass.INFREQUENT_ACCESS,
          transitionAfter: cdk.Duration.days(30),
        },
      ],
    },
  ],
});

this.s3bucket.addToResourcePolicy(
  new iam.PolicyStatement({
    sid: "allow deleting objects from s3 bucket /public/*",
    effect: iam.Effect.ALLOW,
    principals: [new iam.AnyPrincipal()],
    actions: ["s3:DeleteObject"],
    resources: [this.s3bucket.bucketArn + "/public/*"],
  })
);

And the actual Lambda function code, which isn't deleting:

for (let i = 0; i < result.rows[0].num_media; i++) {
  const params = {
    Bucket: process.env.S3_BUCKET_NAME,
    Key: `public/reviewmedia/${reviewId}/${i}`,
  };

  console.log("params:", params);

  const res = await s3.deleteObject(params).promise();
  console.log(res);
}

I have the two permissions to grant my Lambda function access to delete from the S3 bucket (s3bucket.grantDelete() and the policy on the S3 bucket), but neither of them seems to work. Here I have given my policy the equivalent of principals: "*", but that didn't fix it either. I'm not sure what's wrong with my configuration... I would really appreciate some advice.

  • Lambda SG allows outbound egress traffic? And also the Lambda subnet needs a route to connect to S3 (via IGW, NAT Gateway or VPC S3 Endpoint). Commented Jan 18, 2022 at 2:34
  • Lambda SG does allow outbound egress traffic; it's definitely the Lambda subnet which is the problem. Thank you! Commented Jan 18, 2022 at 2:45
  • Please confirm if it was the issue, so I can post it as an answer. Commented Jan 18, 2022 at 2:49
  • Right now the Lambda is actually in an isolated subnet, which was why I was so certain that this was the problem. So I will have to make a private subnet and then put the Lambda function in there, and then make the VPC S3 Endpoint. So it might take a little bit... I'll be back! Commented Jan 18, 2022 at 2:54
  • Yup, that fixed it. Thank you so much!! Commented Jan 18, 2022 at 3:10

1 Answer

Usually timeout errors are related to connectivity issues.

In the case of a Lambda running in a VPC, make sure the associated SG allows outbound traffic, and also check that the Lambda subnets have a route to connect to S3 (via an IGW for public subnets, a NAT Gateway/NAT Instance for private subnets, or an S3 VPC Endpoint to connect to S3 privately without requiring the options mentioned before).
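Added example, not code from the question or the answer: a TypeScript check that takes route tables in the shape returned by `aws ec2 describe-route-tables` and reports which path, if any, a subnet has to S3, which is the diagnosis the comments walk through. The route tables and the prefix-list id are constructed placeholders. It flags an internet-gateway route as unusable on its own, since a Lambda ENI never gets a public IP; for Lambda the working paths are a NAT gateway or an S3 gateway endpoint (which also works from an isolated subnet).

```typescript
// Field names follow the JSON of `aws ec2 describe-route-tables` (only the fields used here).
interface VpcRoute {
  DestinationCidrBlock?: string;
  DestinationPrefixListId?: string; // set on gateway-endpoint routes
  GatewayId?: string; // "local", "igw-..." or "vpce-..."
  NatGatewayId?: string;
  State?: string; // "active" or "blackhole"
}
interface VpcRouteTable {
  Routes: VpcRoute[];
  Associations: { SubnetId?: string; Main?: boolean }[];
}
type S3Path = "s3-gateway-endpoint" | "nat-gateway" | "igw-only" | "none";
// How a subnet can reach S3. "igw-only" is reported separately because a Lambda ENI never
// gets a public IP, so an internet-gateway route alone still leaves the S3 call hanging.
function s3PathForSubnet(subnetId: string, tables: VpcRouteTable[], s3PrefixListId: string): S3Path {
  // An explicit association wins; otherwise the VPC's main route table applies.
  const table =
    tables.find((t) => t.Associations.some((a) => a.SubnetId === subnetId)) ??
    tables.find((t) => t.Associations.some((a) => a.Main === true));
  if (!table) return "none";
  const active = table.Routes.filter((r) => r.State !== "blackhole");
  if (active.some((r) => r.DestinationPrefixListId === s3PrefixListId && (r.GatewayId ?? "").startsWith("vpce-"))) {
    return "s3-gateway-endpoint";
  }
  const defaults = active.filter((r) => r.DestinationCidrBlock === "0.0.0.0/0");
  if (defaults.some((r) => r.NatGatewayId !== undefined)) return "nat-gateway";
  if (defaults.some((r) => (r.GatewayId ?? "").startsWith("igw-"))) return "igw-only";
  return "none";
}
// Constructed sample (not real account data): the isolated subnet has no explicit association and
// so uses the main table (local route only); a private subnet sits behind a NAT gateway; a second
// isolated subnet's table received an S3 gateway-endpoint route.
const S3_PREFIX_LIST = "pl-00000000"; // placeholder; the real S3 prefix-list id is per-region
const LOCAL: VpcRoute = { DestinationCidrBlock: "10.0.0.0/16", GatewayId: "local", State: "active" };
const SAMPLE_TABLES: VpcRouteTable[] = [
  { Associations: [{ Main: true }], Routes: [LOCAL] },
  { Associations: [{ SubnetId: "subnet-private" }],
    Routes: [LOCAL, { DestinationCidrBlock: "0.0.0.0/0", NatGatewayId: "nat-00000000", State: "active" }] },
  { Associations: [{ SubnetId: "subnet-isolated-vpce" }],
    Routes: [LOCAL, { DestinationPrefixListId: S3_PREFIX_LIST, GatewayId: "vpce-00000000", State: "active" }] },
];
// Anything reported as "none" or "igw-only" is a subnet where the Lambda's S3 call will time out.
function diagnose(subnetIds: string[], tables: VpcRouteTable[] = SAMPLE_TABLES): Record<string, S3Path> {
  const out: Record<string, S3Path> = {};
  for (const id of subnetIds) out[id] = s3PathForSubnet(id, tables, S3_PREFIX_LIST);
  return out;
}
console.log(diagnose(["subnet-isolated", "subnet-private", "subnet-isolated-vpce"]));
```

Feed it the real `RouteTables` array from the CLI output to see at a glance which subnets the function should be placed in.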
