10

I've got a bit of javascript which runs on my local machine but doesn't work from within the Lambda.

It timeouts when calling cognitoidentity.getOpenIdTokenForDeveloperIdentity

{
  "errorMessage": "2016-03-17T16:50:25.181Z 4fa3fa5a-ec60-11e5-8316-415fa39313da Task timed out after 15.00 seconds"
}

On local it works fine (calling into AWS production services) so it must be the policy I have attached to the Lambda.

Here are the policies I have:

AmazonCognitoDeveloperAuthenticatedIdentities

AWSLambdaVPCAccessExecutionRole

And this is the custom one I also have:

 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:eu-west-1:myaccountid:function:users_login"
            ]
        }
    ]
}

The Lambda ARN was copied directly from that Lambda screen. Any ideas of what's missing?

Daniel Wardin
  • 1,840
  • 26
  • 48

1 Answers1

19

it must be the policy I have attached

No, if that were the case you would be getting a permission denied error, not a timeout.

It looks like your Lambda function has VPC access. You need to configure a NAT gateway for your VPC in order for the Lambda function to have access to anything outside the VPC, including AWS services like Cognito.

Mark B
  • 183,023
  • 24
  • 297
  • 295
  • Any example of what you did to fix it ? – NeoPix Jan 12 '18 at 10:00
  • 4
    @NeoPix this post was instrumental in helping me out of a similar situation: [https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/](https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/) – SqlOnly Jan 16 '19 at 18:07