So I have created a lambda function (the purpose of which doesn't matter anymore) and have tested that it works when run from my laptop. However the bigger problem is that I cannot get it to run off of a test event or on a schedule in AWS.
When I try to run it from AWS I get a 300s timeout error.
The following is included for your consideration:
Trigger Event
VPC Related Configuration
If anyone can tell me what the issue might be, I would appreciate it as I have been searching for the solution for about 3 days.
from __future__ import print_function
def lambda_handler(event, context):
if event["account"] == "123456789012":
return event['time']
import boto3
import datetime
def find_auto_scaling_instances():
Find Auto-scaling Instances
for group in auto_scaling["AutoScalingGroups"]:
if number_of_instances == 0:
for i in range(number_of_instances):
if group["Instances"][i]["LifecycleState"] == "InService":
return dict
def find_staging_instances():
Find Static Instances
for i in range(num_of_instances):
for tag in range(number_of_tags):
if target["Tags"][tag]["Value"] in tag_list:
return stg_list
def volumes_per_instance():
Find the EBS associated with the Instances
for i in range(num_of_instances):
if target["InstanceId"] in instance_list:
for disk in range(len(target["BlockDeviceMappings"])):
return instance_disk
#Group instances together and prepare to process
for group in instance_in_asgroup_dict:
#Gather Disk Information
date=str(" \
#Create Disk Images
for instance in instance_list:
if instance in as_instance_list:
Description="AMI for instance "+instance+".",
Description="AMI for instance "+instance+".",
START RequestId: 0ca9e0a3-7f11-11e6-be11-6974d9213102 Version: $LATEST
END RequestId: 0ca9e0a3-7f11-11e6-be11-6974d9213102
REPORT RequestId: 0ca9e0a3-7f11-11e6-be11-6974d9213102 Duration: 300001.99 ms Billed Duration: 300000 ms Memory Size: 128 MB Max Memory Used: 24 MB
2016-09-20T09:08:30.544Z 0ca9e0a3-7f11-11e6-be11-6974d9213102 Task timed out after 300.00 seconds
"account": "123456789012",
"region": "us-east-1",
"detail": {},
"detail-type": "Scheduled Event",
"source": "",
"time": "1970-01-01T00:00:00Z",
"id": "cdc73f9d-aea9-11e3-9d5a-835b769c0d9c",
"resources": [
From my understanding all I need to allow VPC Access to my function is to add the following privilages to the lambda function's assigned policy.
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": [
"Resource": "*"
"Action": [
"Effect": "Allow",
"Resource": "*"
"Effect": "Allow",
"Action": [
"Resource": "arn:aws:logs:*:*:*"
] }
The subnets, security groups and VPC attached to the function.
Mark Gave an excellent answer, informing me that I had set my function up to run inside a VPC yet I was not accessing resources within the VPC. Rather, I was accessing the Amazon API endpoint which required that I have access to the internet or the transaction would timeout.
As such, there were two options available to fix this situation.
Remove my VPC settings
Create a NAT Gateway inside my VPC
I chose the one that costs the least money.
You enabled VPC access for your Lambda function. So now it only has access to resources inside your VPC. Note that the AWS API exists outside your VPC. Any attempt to access something outside your VPC is going to result in a network timeout. That's why you are seeing the timeout issues.
To fix this, you can move the Lambda function outside the VPC, or you can add a NAT Gateway to your VPC. I'm not seeing anything in your code that is accessing anything inside your VPC, so it's probably cheapest and easiest to just remove the VPC settings from the Lambda function.
I have created a cloud function that when triggered is supposed to create a VM instance and run a python script.
However, the VM is not being created.
I can see the following message in the CF log, to do with my deployment:
resource.type = "cloud_function"
resource.labels.region = "europe-west2"
However, for the life of me, I can't see where to go to actually view the error itself.
I then Googled and found the following thread about an issue where Cloud Functions is not showing any logs.
Thinking it may be the same issue I added the recommended environment variables to my deployment but still I cant find the error anywhere in the logs.
Can anyone point me in the right direction?
Here is my cloud function code as well:
import os
from googleapiclient import discovery
from google.oauth2 import service_account
scopes = [""]
sa_file = "key.json"
zone = "europe-west2-c"
project_id = "<<proj id>>" # Project ID, not Project Name
credentials = service_account.Credentials.from_service_account_file(
sa_file, scopes=scopes
# Create the Cloud Compute Engine service object
service ="compute", "v1", credentials=credentials)
def create_instance(compute, project, zone, name):
# Get the latest Debian Jessie image.
image_response = (
.getFromFamily(project="debian-cloud", family="debian-9")
source_disk_image = image_response["selfLink"]
# Configure the machine
machine_type = "zones/%s/machineTypes/n1-standard-1" % zone
config = {
"name": name,
"machineType": machine_type,
# Specify the boot disk and the image to use as a source.
"disks": [
"kind": "compute#attachedDisk",
"type": "PERSISTENT",
"boot": True,
"mode": "READ_WRITE",
"autoDelete": True,
"deviceName": "instance-1",
"initializeParams": {
"sourceImage": "projects/my_account/global/images/instance-image3",
"diskType": "projects/my_account/zones/europe-west2-c/diskTypes/pd-standard",
"diskSizeGb": "10",
"diskEncryptionKey": {},
"metadata": {
"kind": "compute#metadata",
"items": [
"key": "startup-script",
"value": "sudo apt-get -y install python3-pip\npip3 install -r /home/will_charles/requirements.txt\ncd /home/will_peebles/\npython3 /home/will_charles/",
"serviceAccounts": [
"email": "",
"scopes": [""],
"networkInterfaces": [
"network": "global/networks/default",
"accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "External NAT"}],
"tags": {"items": ["http-server", "https-server"]},
return compute.instances().insert(project=project, zone=zone, body=config).execute()
def run(data, context):
create_instance(service, project_id, zone, "pagespeed-vm-4")
The reason that you do not see anything in the logs for Cloud Functions is that your code is executing but is not logging the results of the API calls.
Your code is succeeding in calling the API to create a compute instance. This does not mean the API succeeded just the call itself. The API returns an operation handle that you then later call to check on status. You are not doing that, so your Cloud Function has no idea that the create instance failed.
To see logs for the create instance API, go to Operations Logging -> VM Instance. Select "All instance_id". If the API to create an instance does not succeed, there will be no instance id to select therefore you have to select all instances and then find logs related to the API call.
I have a python script in our K8s cluster that is run as a k8s Cronjob every few minutes. The script checks the nodes in the cluster and if a node is unhealthy for more than 5 minutes, it terminates the node.
To connect to AWS I use Boto3.
and the permissions are passed as pod annotations.
Annotations: arn:aws:iam::123456789:role/k8s-nodes-monitoring-role
The IAM role has arn:aws:iam::aws:policy/AmazonEC2FullAccess policy and a valid trust policy.
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Principal": {
"Service": ""
"Action": "sts:AssumeRole"
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789:role/"
"Action": "sts:AssumeRole"
The problem that I facing is that on some occasions the script throws NoCredentialsError('Unable to locate credentials') error. This behaviour is not consistent as on most occasions the script has successfully terminates the unhealthy node and I can cross-check it against AWS CloudTrail events.
I can see in kub2iam logs that the Get request receives 200 but the Put request receives 403.
ime="2020-12-21T12:50:16Z" level=info msg="GET /latest/meta-data/iam/security-
credentials/k8s-nodes-monitoring-role (200) took 47918.000000 ns" req.method=GET
req.remote= res.duration=47918 res.status=200
time="2020-12-21T12:52:16Z" level=info msg="PUT /latest/api/token (403) took 19352999.000000
ns" req.method=PUT req.path=/latest/api/token req.remote=
res.duration=1.9352999e+07 res.status=40
Any help or idea about how to debug this will be highly appreciated.
I dont know kube2iam in detail, but maybe you should switch to a AWS native way called IRSA (IAM Roles for Service Accounts). You can find all necessary information in this blog post:
I have a lambda stack that is deployed in account A, and a stepfunction stack deployer in account B. Now How do I invoke this stepfunction from the lambda using python cdk? specifically what permissions do i need to give them?
The lambda (Account A) has an IAM role(RoleA) assigned. The Step function (Account B) has an IAM role (RoleB) assigned.
The lambda's IAM role should have permission to assume the role from (Account B)
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "*"
The Step functions IAM role(Role B) should have a trusted policy that allows the Lambda's IAM role to assume it. in the following trust policy 123456789012 is the account number of Account A
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Principal": {
"AWS": [
"Action": "sts:AssumeRole"
Inside the lambda
The lambda should have code that assumes the role(Role B) from Account B and get temporary credentials
Using those credentials the lambda should invoke the step function.
How to assume an IAM role in a different account from lambda
If you want to trigger something when a cdk deployment happens:
Seems a bizarre use-case but I think the solution here is to define a custom resource.
Both cdk and cloudformation support that:
Because you are using a custom resource you would need to further handle Create, Update, Delete events by yourself. Similarly send completion responses, I would advice you to use cfnresponsemodule to send back completion responses otherwise cdk will never be able to tell when your custom resource function completed:
I'm using Amazon S3 in a Flask Python application, however, I don't want to hardcode my access keys as Amazon has problems with making the keys publicly available. Is there a way to get the keys into the application without exposing them. I saw a suggestion about using environment variables and another about IAM User roles but the documentation isn't helping.
Edit: I forgot to mention that I'm deploying this application on Docker and want to allow it so that if another user pulls the image from docker, my access keys won't be compromised. I'm not using AWS EC2
Following could be of help:
IAM Roles (If your application is already running in AWS, Instance Roles can help you fetch temporary tokens to access resources like S3. AWS CLIs OR official SDKs are already built with these capabilities and you need not implement any custom code. For this to work, you assign a Role 'X' to the EC2 instance, Role 'X' then needs to have a policy mapping, where you define the permissions)
A sample policy could be something like:
"Version": "2012-10-17",
"Statement": [
"Sid": "AllowAccessToObjects",
"Action": [
"Effect": "Allow",
"Resource": [
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"Sid": "AllowAccessToBucket",
"Action": [
"Effect": "Allow",
"Resource": [
"Condition": {
"IpAddress": {
"aws:SourceIp": [
Usually the best approach is to never have any statically provisioned credentials at all. In case implementing something like that is not possible at all, then :
Other options could be storing the secrets in an external secret store like Vault etc., and when the container starts, the secrets can be fetched and injected before bootstrapping the application. These are then available as ENVs
The Python AWS SDK looks at several possible locations for credentials. The most pertinent here would be environment variables:
Boto3 will check these environment variables for credentials:
The access key for your AWS account.
The secret key for your AWS account.
You should create separate IAM users with appropriate permissions for each user or team you're going to distribute your docker image to, and they can set those environment variables via docker when running your image.
Little background info,
I have built an interactive website where users can upload images to S3. I built it so the image upload goes right from the browser to AWS S3 using a signed request ( python django backend ).
Now the issue is, the users wish to be able to rotate the image. I Similarly I would like this set up so the user's request goes straight from the browser. I built an AWS Lambda function and attached it to a web api, which will accept POST requests. I have been testing and I finally got it working. The function takes 2 inputs, key, and rotate_direction, which are passed as POST variables to the web api. They come into the python function in the event variable. Here is the simple Lambda function:
from __future__ import print_function
import boto3
import os
import sys
import uuid
from PIL import Image
s3_client = boto3.client('s3')
def rotate_image(image_path, upload_path, rotate_direction):
with as image:
if rotate_direction == "right":
def handler(event, context):
bucket = 'the-s3-bucket-name'
key = event['key']
rotate_direction = event['rotate_direction']
download_path = '/tmp/{}{}'.format(uuid.uuid4(), key)
upload_path = '/tmp/rotated_small-{}'.format(key)
s3_client.download_file(bucket, key, download_path)
rotate_image(download_path, upload_path, rotate_direction)
s3_client.delete_object(Bucket=bucket, Key=key)
s3_client.upload_file(upload_path, bucket, key)
return { 'message':'rotated' }
Everything is working. So now my issue is how to enforce some kind of authentication for this system? The ownership details about each image reside on the django web server. While all the images are considered "public", I wish to enforce that only the owner of each image is allowed to rotate their own images.
With this project I have been venturing into new territory by making content requests right from the browser. I could understand how I could control access by only making the POST requests from the web server, where I could validate the ownership of the images. Would it still be possible having the request come from the browser?
TL;DR Solution: create a Cognito Identity Pool, assign policy users can only upload files prefixed by their Identity ID.
If I understand your question correctly, you want to setup a way for an image stored on S3 to be viewable by public, yet only editable by the user who uploaded it. Actually, you can verify file ownership, rotate the image and upload the rotated image to S3 all in the browser without going through a Lambda function.
Step 1: Create a Cognito User Pool to create a user directory. If you already have a user login/sign up authentication system, you could skip this step.
Step 2: Create a Cognito Identify Pool to enable federated identity, so your users can get a temporary AWS credential from the Identity Pool, and use it to upload files to S3 without going through your server/lambda.
Step 3: When creating the Cognito Identity Pool, you can define a policy on what S3 resources a user is allowed to access. Here is a sample policy
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": [
"Resource": [
"Effect": "Allow",
"Action": [
"Resource": [
"Effect": "Allow",
"Action": [
"Resource": [
Note the second block assigns "S3:GetObject" to all files in your S3 bucket; and the third block assigns "S3:PutObject" to ONLY FILES prefixed with the user's Cognito Identity ID.
Step 4: In frontend JS, get a temporary credential from Cognito Identity Pool
export function getAwsCredentials(userToken) {
const authenticator = `cognito-idp.${config.cognito.REGION}${config.cognito.USER_POOL_ID}`;
AWS.config.update({ region: config.cognito.REGION });
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: config.cognito.IDENTITY_POOL_ID,
Logins: {
[authenticator]: userToken
return new Promise((resolve, reject) => (
AWS.config.credentials.get((err) => {
if (err) {
Step 5: Upload files to S3 with the credential, prefix the file name with the user's Cognito Identity ID.
export async function s3Upload(file, userToken) {
await getAwsCredentials(userToken);
const s3 = new AWS.S3({
params: {
Bucket: config.s3.BUCKET,
const filename = `${AWS.config.credentials.identityId}-${}-${}`;
return new Promise((resolve, reject) => (
Key: filename,
Body: file,
ContentType: file.type,
ACL: 'public-read',
(error, result) => {
if (error) {