How do I fix the configuration of my lambda so it can invoke another lambda?

0

Hello all, I'm having some issues with invoking a lambda function within another lambda.

I've got a lambda function (parent function) triggered by an API gateway, which is properly working. As well as a second lambda (child function) that is triggered by an S3 bucket. I'm trying to invoke the child function from the parent function. I have configured the security groups and the roles to make sure that the function has permission to invoke the function. They are both inside a VPC, on the same security group which has everything allowed, and I created an endpoint for the lambdas so they can communicate within the VPC.

Despite all of this configuration, which aligned with any documentation and tutorials I could find, I still seem to be making no progress. When attempting a DryRun invocation, the parent lambda still times out while attempting to complete the DryRun.

Here's the code I'm using to invoke the child lambda.

response = lambda_client.invoke(
                FunctionName = "arn-goes-here,
                InvocationType = 'DryRun',
                Payload = json.dumps(payload)
            )

If there is perhaps another service I forgot to configure, or an extra step I might need to take, any insight is greatly appreciated. Thank you for your time.

2 Answers
0

I am Interested in your VPC setup along with the security groups on your endpoints you believe are for lambda.

How your route tables look. Your endpoint settings. The security groups assigned to the endpoints and their settings.

profile picture
EXPERT
answered a year ago
  • Hi Gary,

    Both lambdas are connected to the same VPC, subnets, and security group. And the security group was explicitly given permission to call itself. As for the permissions, though the execution roles are different, both are given the permission to call InvokeFunction. The VPC is also connected to endpoints that can access both subnets and the security group is the same as the security group attached for the two lambdas. The policy attached to the endpoint also allows for InvokeFunction to bet called.

0

In order to invoke the second function your parent function must have access to the Lambda public API endpoint. If your parent function is in a VPC, you must create a VPC endpoint for the Lambda service or create a NAT Gateway.

The fact that both function are attached to the same VPC does not matter as the only way to invoke a Lambda function is using the Lambda Invoke API, which is exposed as a public endpoint.

Saying all that, not that it is usually not a best practice to invoke a function from a function, specifically, if you are invoking the second function synchronously. The reason is that while the second function is running the parent function is waiting idle for the response and you pay for that time.

profile pictureAWS
EXPERT
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions