I am testing the Vault Lambda Extension, which allows reading secrets from HashiCorp Vault without using tokens.
I therefore created a demo lambda function which uses the layer "Vault Lambda Extension". The lambda crashes before the Python code is run.
Example of the execution result:
foo
Response
{
"errorType": "Extension.Crash",
"errorMessage": "RequestId: b16468f9-009c-4b1a-91ca-8b0899e01b7c Error: exit status 1"
}
Function Logs
2023-02-15T18:15:10.999Z [INFO] vault-lambda-extension: Initialising
2023-02-15T18:15:11.006Z [ERROR] Fatal error, exiting: error="error logging in to Vault: read tcp 169.254.76.1:39510->10.16.1.55:8200: read: connection reset by peer"
EXTENSION Name: vault-lambda-extension State: Started Events: []
2023-02-15T18:15:12.712Z [INFO] vault-lambda-extension: Initialising
2023-02-15T18:15:12.773Z [ERROR] Fatal error, exiting: error="error logging in to Vault: read tcp 169.254.76.1:39514->10.16.1.55:8200: read: connection reset by peer"
EXTENSION Name: vault-lambda-extension State: Started Events: []
START RequestId: b16468f9-009c-4b1a-91ca-8b0899e01b7c Version: $LATEST
RequestId: b16468f9-009c-4b1a-91ca-8b0899e01b7c Error: exit status 1
Extension.Crash
END RequestId: b16468f9-009c-4b1a-91ca-8b0899e01b7c
REPORT RequestId: b16468f9-009c-4b1a-91ca-8b0899e01b7c Duration: 1694.95 ms Billed Duration: 1695 ms Memory Size: 128 MB Max Memory Used: 24 MB
As you can see, the IP address of the lambda is 169.254.76.1, while it has been set to be in a private subnet in my Dev VPC.
The role (modified) set for this lambda is
{
"partial": false,
"policies": [
{
"arn": "arn:aws:iam::123456789012:policy/aws_iam_policy_lambda_vault_lab",
"document": {
"Statement": [
{
"Action": [
"ec2:DescribeNetworkInterfaces",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeInstances",
"ec2:AttachNetworkInterface",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents",
"logs:FilterLogEvents"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"id": "ANPATRANPATRANPATRANPAT",
"name": "aws_iam_policy_lambda_vault_lab",
"type": "managed"
}
],
"resources": {
"ec2": {
"service": {
"icon": "data:image/svg+xml;base64,PHN2ZyB2a...CAgPC9nPgogIDwvZz4KPC9zdmc+Cg==",
"name": "Amazon EC2"
},
"statements": [
{
"action": "ec2:DescribeNetworkInterfaces",
"effect": "Allow",
"resource": "*",
"service": "ec2",
"source": {
"index": "0",
"policyName": "aws_iam_policy_lambda_vault_lab",
"policyType": "managed"
}
},
{
"action": "ec2:CreateNetworkInterface",
"effect": "Allow",
"resource": "*",
"service": "ec2",
"source": {
"index": "0",
"policyName": "aws_iam_policy_lambda_vault_lab",
"policyType": "managed"
}
},
{
"action": "ec2:DeleteNetworkInterface",
"effect": "Allow",
"resource": "*",
"service": "ec2",
"source": {
"index": "0",
"policyName": "aws_iam_policy_lambda_vault_lab",
"policyType": "managed"
}
},
{
"action": "ec2:DescribeInstances",
"effect": "Allow",
"resource": "*",
"service": "ec2",
"source": {
"index": "0",
"policyName": "aws_iam_policy_lambda_vault_lab",
"policyType": "managed"
}
},
{
"action": "ec2:AttachNetworkInterface",
"effect": "Allow",
"resource": "*",
"service": "ec2",
"source": {
"index": "0",
"policyName": "aws_iam_policy_lambda_vault_lab",
"policyType": "managed"
}
},
{
"action": "ec2:DescribeSecurityGroups",
"effect": "Allow",
"resource": "*",
"service": "ec2",
"source": {
"index": "0",
"policyName": "aws_iam_policy_lambda_vault_lab",
"policyType": "managed"
}
},
{
"action": "ec2:DescribeSubnets",
"effect": "Allow",
"resource": "*",
"service": "ec2",
"source": {
"index": "0",
"policyName": "aws_iam_policy_lambda_vault_lab",
"policyType": "managed"
}
},
{
"action": "ec2:DescribeVpcs",
"effect": "Allow",
"resource": "*",
"service": "ec2",
"source": {
"index": "0",
"policyName": "aws_iam_policy_lambda_vault_lab",
"policyType": "managed"
}
}
]
},
"logs": {
"service": {
"icon": "data:image/svg+xml;base64,PHN2ZyB2aWV3Qm94PSIwIDAg...z4KICA8L2c+Cjwvc3ZnPgo=",
"name": "Amazon CloudWatch Logs"
},
"statements": [
{
"action": "logs:CreateLogGroup",
"effect": "Allow",
"resource": "*",
"service": "logs",
"source": {
"index": "0",
"policyName": "aws_iam_policy_lambda_vault_lab",
"policyType": "managed"
}
},
{
"action": "logs:CreateLogStream",
"effect": "Allow",
"resource": "*",
"service": "logs",
"source": {
"index": "0",
"policyName": "aws_iam_policy_lambda_vault_lab",
"policyType": "managed"
}
},
{
"action": "logs:DescribeLogGroups",
"effect": "Allow",
"resource": "*",
"service": "logs",
"source": {
"index": "0",
"policyName": "aws_iam_policy_lambda_vault_lab",
"policyType": "managed"
}
},
{
"action": "logs:DescribeLogStreams",
"effect": "Allow",
"resource": "*",
"service": "logs",
"source": {
"index": "0",
"policyName": "aws_iam_policy_lambda_vault_lab",
"policyType": "managed"
}
},
{
"action": "logs:PutLogEvents",
"effect": "Allow",
"resource": "*",
"service": "logs",
"source": {
"index": "0",
"policyName": "aws_iam_policy_lambda_vault_lab",
"policyType": "managed"
}
},
{
"action": "logs:GetLogEvents",
"effect": "Allow",
"resource": "*",
"service": "logs",
"source": {
"index": "0",
"policyName": "aws_iam_policy_lambda_vault_lab",
"policyType": "managed"
}
},
{
"action": "logs:FilterLogEvents",
"effect": "Allow",
"resource": "*",
"service": "logs",
"source": {
"index": "0",
"policyName": "aws_iam_policy_lambda_vault_lab",
"policyType": "managed"
}
}
]
}
},
"roleName": "lambda_role_vault_lab",
"trustedEntities": [
"lambda.amazonaws.com"
]
}
I don't include the Python code, as the lambda crashes before it starts executing it. For info, I tried a few changes in the policy without any effect. Does someone have an idea where I went wrong?
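The "logging in to Vault" step that fails in the logs above is the extension's AWS IAM login: it signs an sts:GetCallerIdentity request with the Lambda's own temporary credentials and posts it to Vault's auth/aws/login endpoint, which is why no Vault token is needed. The script below is an added example (not code from the post or from the vault-lambda-extension project) that performs that same exchange with only the Python standard library, so it can be run from a handler in the same subnet to reproduce the error independently of the extension. The access key, secret, session token, server ID and role name in the test are constructed placeholders; the `__main__` block assumes the Lambda-provided `AWS_*` variables and the `VAULT_ADDR` / `VAULT_AUTH_ROLE` variables the extension itself reads.

```python
"""Reproduce the Vault AWS IAM login performed by vault-lambda-extension.

Added example, stdlib only. Credentials/role values are supplied by the caller;
nothing here is hard-coded to a real account.
"""
import base64
import datetime as dt
import hashlib
import hmac
import json
import urllib.error
import urllib.request

# Fixed parts of the request Vault forwards to STS to verify the caller:
# global STS endpoint (credential scope us-east-1), SigV4, form-encoded body.
STS_HOST = "sts.amazonaws.com"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
ALGO = "AWS4-HMAC-SHA256"


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_get_caller_identity(access_key, secret_key, session_token=None,
                             region="us-east-1", server_id=None, amz_date=None):
    """Return the headers of a SigV4-signed POST to STS GetCallerIdentity.

    amz_date is "YYYYMMDDTHHMMSSZ"; pass a fixed one for a reproducible signature.
    """
    amz_date = amz_date or dt.datetime.now(dt.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Host": STS_HOST,
        "X-Amz-Date": amz_date,
    }
    if session_token:                       # Lambda credentials are temporary
        headers["X-Amz-Security-Token"] = session_token
    if server_id:                           # Vault's iam_server_id_header_value
        headers["X-Vault-AWS-IAM-Server-ID"] = server_id

    # SigV4 canonical request: lowercase header names, sorted, body hashed.
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    signed_headers = ";".join(sorted(lower))
    canonical_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower))
    payload_hash = hashlib.sha256(STS_BODY.encode()).hexdigest()
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date}/{region}/sts/aws4_request"
    string_to_sign = "\n".join(
        [ALGO, amz_date, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    k_date = _hmac(("AWS4" + secret_key).encode(), date)
    k_signing = _hmac(_hmac(_hmac(k_date, region), "sts"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"{ALGO} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def _b64(text):
    return base64.b64encode(text.encode()).decode()


def _unb64(text):
    return base64.b64decode(text).decode()


def vault_login_payload(role, headers):
    """Body of POST /v1/auth/aws/login for the iam auth type."""
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": _b64(f"https://{STS_HOST}/"),
        # Vault expects header values as lists, like Go's http.Header
        "iam_request_headers": _b64(json.dumps({k: [v] for k, v in headers.items()})),
        "iam_request_body": _b64(STS_BODY),
    }


def decode_payload(payload):
    """Inverse of vault_login_payload: (url, headers, body) for inspection."""
    return (_unb64(payload["iam_request_url"]),
            json.loads(_unb64(payload["iam_request_headers"])),
            _unb64(payload["iam_request_body"]))


def vault_login(vault_addr, payload, timeout=5):
    """POST the login and return the client token; surfaces Vault's error body."""
    req = urllib.request.Request(
        f"{vault_addr.rstrip('/')}/v1/auth/aws/login",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)["auth"]["client_token"]
    except urllib.error.HTTPError as err:
        raise RuntimeError(f"Vault refused login: {err.code} {err.read().decode()}") from err


if __name__ == "__main__":
    import os
    hdrs = sign_get_caller_identity(
        os.environ["AWS_ACCESS_KEY_ID"], os.environ["AWS_SECRET_ACCESS_KEY"],
        os.environ.get("AWS_SESSION_TOKEN"))
    token = vault_login(os.environ["VAULT_ADDR"],
                        vault_login_payload(os.environ["VAULT_AUTH_ROLE"], hdrs))
    print("logged in, token prefix:", token[:4])
```

A plain TCP error from `vault_login` (such as the `connection reset by peer` in the logs above) is raised before Vault has evaluated anything, so it is independent of the IAM role's EC2 and CloudWatch permissions; an HTTP error, by contrast, carries Vault's own explanation (unknown role, STS identity not bound to the role, missing server ID header) in the exception message. Running this from a handler in the same subnet, with the same `VAULT_ADDR` the extension uses, separates the two cases.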