Lambda in VPC can not access DigitalOcean S3 resources


I have a Lambda that is deployed in the default VPC; that VPC has an open endpoint to the S3 service, and the Lambda has an IAM role that widely opens all S3 operations:

iamRoleStatements:
  - Effect: "Allow"
    Action:
      - "rds:*"
      - "ec2:CreateNetworkInterface"
    Resource: "*"
  - Effect: Allow
    Action:
      - s3:*
    Resource: "*"

I am accessing S3 SDK in NodeJS via:

// aws-sdk v2: S3 client and the Endpoint helper used for a custom (non-AWS) host
const { S3, Endpoint } = require('aws-sdk');

// DigitalOcean Spaces settings are passed in through the function's environment
const {
  DIGITAL_OCEAN_SPACES_ENDPOINT,
  DIGITAL_OCEAN_SPACES_ACCESS,
  DIGITAL_OCEAN_SPACES_REGION,
  DIGITAL_OCEAN_SPACES_SECRET,
  DIGITAL_OCEAN_SPACES_BUCKET_NAME,
} = process.env;

// Point the S3-compatible client at the Spaces endpoint instead of AWS S3
const spacesEndpoint = new Endpoint(DIGITAL_OCEAN_SPACES_ENDPOINT);
const S3Client = new S3({
  accessKeyId: DIGITAL_OCEAN_SPACES_ACCESS,
  endpoint: spacesEndpoint,
  region: DIGITAL_OCEAN_SPACES_REGION,
  secretAccessKey: DIGITAL_OCEAN_SPACES_SECRET,
});

and the Lambda times out - it cannot connect to DigitalOcean S3 buckets. What else do I need to add to be able to access DO?

1 answer

A Lambda function in a VPC does not have internet access or a public IP. From the docs:

Connecting a function to a public subnet does not give it internet access or a public IP address.

To rectify the issue you should "place" your function in a private subnet (not public) and use a NAT gateway/instance with correctly configured route tables to provide the access.

Since you've used the default VPC with all subnets public, you need to create a new subnet, which would be private, as using public subnets will not work. Then you need a NAT gateway/device correctly set up. Alternatively, don't place your function in the VPC.
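The distinction the answer draws (public subnet vs. private subnet with a NAT gateway) is decided entirely by the route table that applies to each subnet: a 0.0.0.0/0 route to an igw- target makes the subnet "public" and gives the Lambda no outbound path, a 0.0.0.0/0 route to a NAT gateway (or NAT instance) gives it egress, and no default route at all leaves it isolated. Note also that the VPC's S3 endpoint only serves the AWS S3 API hostnames, so a DigitalOcean Spaces endpoint is always reached over that egress path. The following is an added diagnostic example, not code from the question or the answer: it takes data in the shape returned by EC2 DescribeRouteTables and a Lambda VpcConfig (the route tables, subnet IDs and gateway IDs below are constructed sample values) and reports which of the function's subnets actually have internet egress.

```javascript
// Added example (not from the original question or answer): classify the subnets a
// Lambda is attached to as "public" (default route to an internet gateway: no
// outbound internet for Lambda), "private-nat" (default route via a NAT gateway or
// NAT instance: outbound works) or "isolated" (no default route at all).
// ROUTE_TABLES and FUNCTION_CONFIG are constructed sample data shaped like the
// EC2 DescribeRouteTables response and a Lambda VpcConfig.

const ROUTE_TABLES = [
  {
    RouteTableId: 'rtb-main',
    VpcId: 'vpc-default',
    Associations: [{ Main: true }],            // main table: applies to subnets without an explicit association
    Routes: [
      { DestinationCidrBlock: '172.31.0.0/16', GatewayId: 'local' },
      { DestinationCidrBlock: '0.0.0.0/0', GatewayId: 'igw-0123' },
    ],
  },
  {
    RouteTableId: 'rtb-private',
    VpcId: 'vpc-default',
    Associations: [{ Main: false, SubnetId: 'subnet-private-a' }],
    Routes: [
      { DestinationCidrBlock: '172.31.0.0/16', GatewayId: 'local' },
      { DestinationCidrBlock: '0.0.0.0/0', NatGatewayId: 'nat-0456' },
    ],
  },
  {
    RouteTableId: 'rtb-isolated',
    VpcId: 'vpc-default',
    Associations: [{ Main: false, SubnetId: 'subnet-isolated-a' }],
    Routes: [{ DestinationCidrBlock: '172.31.0.0/16', GatewayId: 'local' }],
  },
];

// The function's VPC settings: one subnet of each kind (constructed).
const FUNCTION_CONFIG = {
  SubnetIds: ['subnet-public-a', 'subnet-private-a', 'subnet-isolated-a'],
};

// Resolve the route table for a subnet the way EC2 does: an explicit
// association wins, otherwise the VPC's main route table applies.
function routeTableForSubnet(routeTables, subnetId) {
  const explicit = routeTables.find((rt) =>
    rt.Associations.some((a) => a.SubnetId === subnetId));
  return explicit || routeTables.find((rt) => rt.Associations.some((a) => a.Main));
}

// Classify a subnet by the target of its 0.0.0.0/0 route.
function classifySubnet(routeTables, subnetId) {
  const rt = routeTableForSubnet(routeTables, subnetId);
  if (!rt) return 'unknown';
  const def = rt.Routes.find((r) => r.DestinationCidrBlock === '0.0.0.0/0');
  if (!def) return 'isolated';
  if (def.NatGatewayId) return 'private-nat';
  if (def.GatewayId && def.GatewayId.startsWith('igw-')) return 'public';
  if (def.InstanceId || def.NetworkInterfaceId) return 'private-nat'; // NAT instance
  return 'unknown';
}

// Report, per attached subnet, whether the Lambda gets an outbound internet path.
function checkLambdaEgress(vpcConfig, routeTables) {
  return vpcConfig.SubnetIds.map((subnetId) => {
    const kind = classifySubnet(routeTables, subnetId);
    return { subnetId, kind, hasInternetEgress: kind === 'private-nat' };
  });
}

// subnet-public-a has no explicit association, so it falls back to the main
// table (igw route) and is reported as "public" with no egress.
console.log(checkLambdaEgress(FUNCTION_CONFIG, ROUTE_TABLES));
```

A Lambda should only be attached to subnets the report marks as private-nat; any subnet reported as public is exactly the default-VPC situation from the question, and the fix is the private subnet plus NAT gateway the answer describes (or leaving the function outside the VPC).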