AWS Lambda does not seem to get a private IP address

0 votes

I am testing the Vault Lambda Extension, which allows reading secrets from Hashicorp Vault without using tokens.

I therefore created a demo lambda function which uses the layer "Vault Lambda Extension". The lambda crashes before the Python code is run.

Example of the execution result:

foo

Response
{
  "errorType": "Extension.Crash",
  "errorMessage": "RequestId: b16468f9-009c-4b1a-91ca-8b0899e01b7c Error: exit status 1"
}

Function Logs
2023-02-15T18:15:10.999Z [INFO]  vault-lambda-extension: Initialising
2023-02-15T18:15:11.006Z [ERROR] Fatal error, exiting: error="error logging in to Vault: read tcp 169.254.76.1:39510->10.16.1.55:8200: read: connection reset by peer"
EXTENSION   Name: vault-lambda-extension    State: Started  Events: []
2023-02-15T18:15:12.712Z [INFO]  vault-lambda-extension: Initialising
2023-02-15T18:15:12.773Z [ERROR] Fatal error, exiting: error="error logging in to Vault: read tcp 169.254.76.1:39514->10.16.1.55:8200: read: connection reset by peer"
EXTENSION   Name: vault-lambda-extension    State: Started  Events: []
START RequestId: b16468f9-009c-4b1a-91ca-8b0899e01b7c Version: $LATEST
RequestId: b16468f9-009c-4b1a-91ca-8b0899e01b7c Error: exit status 1
Extension.Crash
END RequestId: b16468f9-009c-4b1a-91ca-8b0899e01b7c
REPORT RequestId: b16468f9-009c-4b1a-91ca-8b0899e01b7c  Duration: 1694.95 ms    Billed Duration: 1695 ms    Memory Size: 128 MB Max Memory Used: 24 MB

As you can see, the IP address of the lambda is 169.254.76.1, while it has been set to be in a private subnet in my Dev VPC.

The role (modified) set for this lambda is

{
  "partial": false,
  "policies": [
    {
      "arn": "arn:aws:iam::123456789012:policy/aws_iam_policy_lambda_vault_lab",
      "document": {
        "Statement": [
          {
            "Action": [
              "ec2:DescribeNetworkInterfaces",
              "ec2:CreateNetworkInterface",
              "ec2:DeleteNetworkInterface",
              "ec2:DescribeInstances",
              "ec2:AttachNetworkInterface",
              "ec2:DescribeSecurityGroups",
              "ec2:DescribeSubnets",
              "ec2:DescribeVpcs",
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:DescribeLogGroups",
              "logs:DescribeLogStreams",
              "logs:PutLogEvents",
              "logs:GetLogEvents",
              "logs:FilterLogEvents"
            ],
            "Effect": "Allow",
            "Resource": "*"
          }
        ],
        "Version": "2012-10-17"
      },
      "id": "ANPATRANPATRANPATRANPAT",
      "name": "aws_iam_policy_lambda_vault_lab",
      "type": "managed"
    }
  ],
  "resources": {
    "ec2": {
      "service": {
        "icon": "...CAgPC9nPgogIDwvZz4KPC9zdmc+Cg==",
        "name": "Amazon EC2"
      },
      "statements": [
        {
          "action": "ec2:DescribeNetworkInterfaces",
          "effect": "Allow",
          "resource": "*",
          "service": "ec2",
          "source": {
            "index": "0",
            "policyName": "aws_iam_policy_lambda_vault_lab",
            "policyType": "managed"
          }
        },
        {
          "action": "ec2:CreateNetworkInterface",
          "effect": "Allow",
          "resource": "*",
          "service": "ec2",
          "source": {
            "index": "0",
            "policyName": "aws_iam_policy_lambda_vault_lab",
            "policyType": "managed"
          }
        },
        {
          "action": "ec2:DeleteNetworkInterface",
          "effect": "Allow",
          "resource": "*",
          "service": "ec2",
          "source": {
            "index": "0",
            "policyName": "aws_iam_policy_lambda_vault_lab",
            "policyType": "managed"
          }
        },
        {
          "action": "ec2:DescribeInstances",
          "effect": "Allow",
          "resource": "*",
          "service": "ec2",
          "source": {
            "index": "0",
            "policyName": "aws_iam_policy_lambda_vault_lab",
            "policyType": "managed"
          }
        },
        {
          "action": "ec2:AttachNetworkInterface",
          "effect": "Allow",
          "resource": "*",
          "service": "ec2",
          "source": {
            "index": "0",
            "policyName": "aws_iam_policy_lambda_vault_lab",
            "policyType": "managed"
          }
        },
        {
          "action": "ec2:DescribeSecurityGroups",
          "effect": "Allow",
          "resource": "*",
          "service": "ec2",
          "source": {
            "index": "0",
            "policyName": "aws_iam_policy_lambda_vault_lab",
            "policyType": "managed"
          }
        },
        {
          "action": "ec2:DescribeSubnets",
          "effect": "Allow",
          "resource": "*",
          "service": "ec2",
          "source": {
            "index": "0",
            "policyName": "aws_iam_policy_lambda_vault_lab",
            "policyType": "managed"
          }
        },
        {
          "action": "ec2:DescribeVpcs",
          "effect": "Allow",
          "resource": "*",
          "service": "ec2",
          "source": {
            "index": "0",
            "policyName": "aws_iam_policy_lambda_vault_lab",
            "policyType": "managed"
          }
        }
      ]
    },
    "logs": {
      "service": {
        "icon": "...z4KICA8L2c+Cjwvc3ZnPgo=",
        "name": "Amazon CloudWatch Logs"
      },
      "statements": [
        {
          "action": "logs:CreateLogGroup",
          "effect": "Allow",
          "resource": "*",
          "service": "logs",
          "source": {
            "index": "0",
            "policyName": "aws_iam_policy_lambda_vault_lab",
            "policyType": "managed"
          }
        },
        {
          "action": "logs:CreateLogStream",
          "effect": "Allow",
          "resource": "*",
          "service": "logs",
          "source": {
            "index": "0",
            "policyName": "aws_iam_policy_lambda_vault_lab",
            "policyType": "managed"
          }
        },
        {
          "action": "logs:DescribeLogGroups",
          "effect": "Allow",
          "resource": "*",
          "service": "logs",
          "source": {
            "index": "0",
            "policyName": "aws_iam_policy_lambda_vault_lab",
            "policyType": "managed"
          }
        },
        {
          "action": "logs:DescribeLogStreams",
          "effect": "Allow",
          "resource": "*",
          "service": "logs",
          "source": {
            "index": "0",
            "policyName": "aws_iam_policy_lambda_vault_lab",
            "policyType": "managed"
          }
        },
        {
          "action": "logs:PutLogEvents",
          "effect": "Allow",
          "resource": "*",
          "service": "logs",
          "source": {
            "index": "0",
            "policyName": "aws_iam_policy_lambda_vault_lab",
            "policyType": "managed"
          }
        },
        {
          "action": "logs:GetLogEvents",
          "effect": "Allow",
          "resource": "*",
          "service": "logs",
          "source": {
            "index": "0",
            "policyName": "aws_iam_policy_lambda_vault_lab",
            "policyType": "managed"
          }
        },
        {
          "action": "logs:FilterLogEvents",
          "effect": "Allow",
          "resource": "*",
          "service": "logs",
          "source": {
            "index": "0",
            "policyName": "aws_iam_policy_lambda_vault_lab",
            "policyType": "managed"
          }
        }
      ]
    }
  },
  "roleName": "lambda_role_vault_lab",
  "trustedEntities": [
    "lambda.amazonaws.com"
  ]
}

I don't include the Python code, as the lambda crashes before it starts executing it. For info, I tried a few changes in the policy without any effect. Does someone have an idea where I went wrong?


Feb 16, 2023 in AWS by sarit
• 1,830 points
840 views
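A small triage helper for the two things the post shows, the extension's network error and the execution role's policy. This is an added example, not code from the post or from the Vault Lambda Extension project. It parses the Go net error embedded in the extension's log line, flags whether the local address is the execution environment's own 169.254.0.0/16 link-local address (which is what a function sees from inside the sandbox even when it is attached to a VPC; VPC traffic leaves through the ENI in the configured subnet), maps the error detail to the layer that most likely failed using plain TCP semantics, and checks the posted policy for the ENI-management actions a VPC-attached function needs. The timeout log line is constructed for comparison, and the policy dictionary is the Allow statement from the post with the unrelated logs actions trimmed; neither is claimed to be output from the poster's account.

```python
"""Triage helper for Vault Lambda Extension connection errors and the
Lambda execution role. Added example, not part of the original post."""
import fnmatch
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Go net error as it appears inside the extension's error="..." field, e.g.
#   read tcp 169.254.76.1:39510->10.16.1.55:8200: read: connection reset by peer
#   dial tcp 10.16.1.55:8200: i/o timeout        (dial failures carry no local address)
_NET_ERR = re.compile(
    r"\b(?:read|write|dial) tcp "
    r"(?:(?P<src>[0-9.]+):(?P<sport>\d+)->)?"
    r'(?P<dst>[0-9.]+):(?P<dport>\d+): (?P<detail>[^"]*)'
)

# Lambda execution environments have a link-local address of their own; VPC
# traffic leaves through the ENI in the configured subnet, so a 169.254.x.x
# source in the log is normal and is not the ENI's private IP.
SANDBOX_NET = ipaddress.ip_network("169.254.0.0/16")

# ENI-management actions a Lambda execution role needs for VPC attachment
# (the core of AWS's managed AWSLambdaVPCAccessExecutionRole policy).
VPC_ENI_ACTIONS = frozenset({
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
})


@dataclass
class Finding:
    src: Optional[str]
    dst: str
    dport: int
    src_is_sandbox: bool
    verdict: str


def verdict_for(detail: str) -> str:
    """Map the Go error detail to the layer that most likely failed (TCP semantics only)."""
    d = detail.lower()
    if "connection reset" in d:
        return ("handshake completed, then the peer sent RST: routing and security "
                "groups let the SYN through; check the Vault listener (TLS vs a "
                "plain-http VAULT_ADDR, bind address/port) and any proxy or load "
                "balancer in front of Vault")
    if "i/o timeout" in d:
        return ("no SYN-ACK: check Lambda ENI security-group egress, Vault-side "
                "ingress, NACLs and the subnet route table")
    if "connection refused" in d:
        return "host answered the SYN with RST: nothing is listening on that port"
    return "unclassified network error: " + detail


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a log line carrying a Go net error, else None."""
    m = _NET_ERR.search(line)
    if m is None:
        return None
    src = m["src"]
    is_sandbox = src is not None and ipaddress.ip_address(src) in SANDBOX_NET
    return Finding(src, m["dst"], int(m["dport"]), is_sandbox, verdict_for(m["detail"]))


def missing_vpc_actions(policy_document: dict) -> set:
    """Return the VPC ENI actions not granted by any Allow statement (wildcards honoured)."""
    patterns = []
    for stmt in policy_document.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return {a for a in VPC_ENI_ACTIONS
            if not any(fnmatch.fnmatchcase(a, p) for p in patterns)}


# Constructed sample: the first line is the reset error from the post, the
# second is a constructed timeout variant, the third carries no net error.
SAMPLE_LOG = [
    '2023-02-15T18:15:11.006Z [ERROR] Fatal error, exiting: error="error logging in to Vault: '
    'read tcp 169.254.76.1:39510->10.16.1.55:8200: read: connection reset by peer"',
    '2023-02-15T18:20:00.000Z [ERROR] Fatal error, exiting: error="error logging in to Vault: '
    'dial tcp 10.16.1.55:8200: i/o timeout"',
    '2023-02-15T18:15:10.999Z [INFO]  vault-lambda-extension: Initialising',
]

# The Allow statement from the role in the post, trimmed to the ec2 actions
# plus the basic logging actions (ARN and policy id omitted).
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Resource": "*",
        "Action": [
            "ec2:DescribeNetworkInterfaces", "ec2:CreateNetworkInterface",
            "ec2:DeleteNetworkInterface", "ec2:DescribeInstances",
            "ec2:AttachNetworkInterface", "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets", "ec2:DescribeVpcs",
            "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
        ],
    }],
}

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        f = triage_line(line)
        if f:
            print(f"{f.src} -> {f.dst}:{f.dport} sandbox_src={f.src_is_sandbox}\n  {f.verdict}")
    print("missing VPC actions:", missing_vpc_actions(POSTED_POLICY) or "none")
```

Run against the posted log line, the helper reports the link-local source as expected sandbox behaviour and the "connection reset by peer" as a reset after a completed handshake, which points at the Vault listener or whatever sits in front of it rather than at the role or the subnet choice; the posted policy already grants the three ENI actions, so the policy edits the poster tried would not be expected to change the outcome.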

