45

I am trying to connect an AWS Lambda function to an RDS MySQL database.
I just wanted to update the database from my Lambda function. Is it possible to access RDS by specifying an IAM role and access policy?
I can connect to the MySQL database using the mysql client, but when I try from Lambda I can't do that. Here is my code.

console.log('Loading function');
var doc = require('dynamodb-doc');
var dynamo = new doc.DynamoDB();
var mysql = require('mysql');
exports.handler = function(event, context) {
    //console.log('Received event:', JSON.stringify(event, null, 2));  
    var operation = event.operation;
    delete event.operation;
    switch (operation) {
        case 'create':
            var conn = mysql.createConnection({
                host: 'lamdatest.********.rds.amazonaws.com', // RDS endpoint 
                user: 'user', // MySQL username 
                password: 'password', // MySQL password 
                database: 'rdslamda'
            });
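            console.log("connecting...");
            conn.connect(function(err) {
                // Report connection failures (e.g. a timeout) instead of silently continuing
                if (err) {
                    return context.fail(err);
                }
                conn.query('INSERT INTO login (name,password) VALUES("use6","password6")', function(err, info) {
                    conn.end();
                    if (err) {
                        return context.fail(err);
                    }
                    console.log("inserted row id: " + info.insertId);
                    // End the invocation only after the query has completed
                    context.succeed();
                });
            });
            break;
        case 'read':
            // Pass the callback itself; context.done() would end the invocation immediately
            dynamo.getItem(event, context.done);
            break;

        default:
            context.fail(new Error('Unrecognized operation "' + operation + '"'));

    }
};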
3
  • You can't use IAM Role to access your RDS.
    – adamkonrad
    Commented Aug 5, 2015 at 3:03
  • So what is the procedure to connect to RDS MySQL? Commented Aug 7, 2015 at 11:35
  • You need to make your RDS public (not in VPC) and then use one of its public hostnames to connect to it.
    – adamkonrad
    Commented Aug 7, 2015 at 16:19

4 Answers

78

Yes. You can access a MySQL RDS database from AWS Lambda.

You can use the node-mysql library.

However, there is a big caveat that goes with it.

AWS Lambda does not (currently) have access to private subnets inside a VPC. So in order for AWS Lambda to access your RDS database, it must be publicly accessible, which could be a security risk for you.

Update (2015-10-30): AWS Lambda announced upcoming VPC support (as of re:Invent 2015), so this won't be an issue for much longer.

Update (2015-11-17): AWS Lambda still does not have VPC support.

Update (2016-02-11): AWS Lambda can now access VPC resources:

https://aws.amazon.com/blogs/aws/new-access-resources-in-a-vpc-from-your-lambda-functions/

To achieve this functionality, your Lambda function will actually execute inside your VPC in a subnet. Some caveats come with this functionality:

  • The VPC subnet needs enough free IP addresses to handle Lambda's scaling
  • If your Lambda function needs internet access, then its designated VPC subnet will need an Internet Gateway or NAT
13
  • Okay, now I am trying to do so, but an error shows when I try to include the mysql module in my Lambda function, like this: var mysql= require("mysql"); . It shows an error like "errorMessage": "Cannot find module 'mysql'" Commented Aug 5, 2015 at 6:56
  • 1
    Then you're not including the module in your deployment package correctly. Make sure you're including it in your ZIP package (in the node_modules sub-folder). Commented Aug 5, 2015 at 12:16
  • I included the zip folder which contains my index.js file and node_modules folder, but it shows an error message like below: { "errorMessage": "Cannot find module 'index'", "errorType": "Error" etc.. Commented Aug 7, 2015 at 5:03
  • 2
    This is the error. error connecting: Error: connect ETIMEDOUT at Connection._handleConnectTimeout (/var/task/node_modules/mysql/lib/Connection.js:373:13) Commented Aug 10, 2015 at 13:08
  • 2
    Even though it's protected by password, it's still open to possible abuse to mysql exploits, DoS, etc. Preventing open connections is more secure. It all depends on the data that you're holding. eg. Even if password protected, financial institutions would never have a server open to the world. Commented Dec 6, 2015 at 15:28
6

Try this tutorial: http://docs.aws.amazon.com/lambda/latest/dg/vpc-rds.html

In this tutorial, you do the following:

Launch an Amazon RDS MySQL database engine instance in your default Amazon VPC.

In the MySQL instance, you create a database (ExampleDB) with a sample table (Employee) in it.

Create a Lambda function to access the ExampleDB database, create a table (Employee), add a few records, and retrieve the records from the table.

Invoke the Lambda function manually and verify the query results.

4

Since Lambda uses Node.js, Java and Python as a backend programming/scripting language, you can definitely use it to connect to RDS. (Link)

Finally, this is the documentation on specifying IAM Roles when connecting to RDS. (See image below):

enter image description here

4
  • Okay, now I am trying to do so, but it shows an error when I try to include the mysql module in my Lambda function, like this: var mysql= require("mysql"); . It shows an error like "errorMessage": "Cannot find module 'mysql'" Commented Aug 5, 2015 at 7:01
  • It's incorrect to point to IAM Roles for RDS. RDS connection from Lambda is not inside a VPC. You need to set up your RDS as public and use regular MySQL credentials to connect to it.
    – adamkonrad
    Commented Aug 7, 2015 at 17:17
  • I just pointed out the documentation. The downvote was definitely not needed here. Also, the original post had nothing to do with a VPC.
    – Jordan
    Commented Aug 7, 2015 at 18:10
  • Okay, thanks. But when I run the Lambda function it can't connect to my RDS MySQL database. I am using a security group rule like this: Type: MYSQL/Aurora, Protocol: TCP, PortRange: 3306, Source: 0.0.0.0/0. Commented Aug 10, 2015 at 6:57
2

I just wanted to update the database from my lambda function. Is it possible to access RDS by specifying IAM Role and access Policy?

No, you cannot. You need to provide the DB url/username/password to connect. You may need to run Lambda in the same VPC if it is in a private subnet. See my pointers below.

I can connect to mysql database using mysql client, but when I try on lambda I can't do that.

This is a strict no-no! Your RDS should not be accessible from the Internet unless you really need it. Try to run it in a private subnet and configure other AWS services accordingly.

Two cents from my end if you are getting timeouts accessing resources from Lambda:

  1. By default Lambda has internet access and can access online resources.
  2. Lambda cannot access services running in a private subnet of your VPC.
  3. To connect to services in a private subnet you need to run the Lambda in a private subnet. For this you need to go to the Network section and configure your VPC, subnets and security group.
  4. However, note that when you do this you will lose Internet access. If you still need Internet access you will have to spin up a NAT gateway or NAT instance in a public subnet and configure a route from the private subnet to this NAT.
  5. I faced this when I was trying to connect to RDS in private subnet from my lambda. Since I used KMS to encrypt some environment variables and decryption part requires Internet access I had to use a NAT gateway.

More details - http://docs.aws.amazon.com/lambda/latest/dg/vpc.html#vpc-internet

How to connect to postgres RDS from AWS Lambda

PS: Above links go to my personal blog that has additional relevant information.

2
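The answers and comments above warn against a publicly accessible RDS instance, and one comment shows a security group rule with Source 0.0.0.0/0 on port 3306. As an added example (not code from this thread), the following Node.js check flags that combination from the JSON shapes returned by `aws rds describe-db-instances` and `aws ec2 describe-security-groups`; the instance names, group IDs, severity labels and sample data are constructed for illustration.

```javascript
// Added example: flag RDS instances whose DB port is open to the whole internet.
// Field names follow the AWS API output shapes; all sample data is constructed.
const OPEN_CIDRS = new Set(['0.0.0.0/0', '::/0']);

function ruleCoversPort(perm, port) {
  if (perm.IpProtocol === '-1') return true; // "all traffic" rule: every protocol and port
  return perm.IpProtocol === 'tcp' && perm.FromPort <= port && port <= perm.ToPort;
}

function openToWorld(perm) {
  const v4 = (perm.IpRanges || []).map(r => r.CidrIp);
  const v6 = (perm.Ipv6Ranges || []).map(r => r.CidrIpv6);
  return v4.concat(v6).some(cidr => OPEN_CIDRS.has(cidr));
}

function findExposedInstances(dbInstances, securityGroups) {
  const byId = new Map(securityGroups.map(g => [g.GroupId, g]));
  const findings = [];
  for (const db of dbInstances) {
    const port = db.Endpoint.Port;
    const openGroups = (db.VpcSecurityGroups || [])
      .map(ref => byId.get(ref.VpcSecurityGroupId))
      .filter(g => g && g.IpPermissions.some(p => ruleCoversPort(p, port) && openToWorld(p)))
      .map(g => g.GroupId);
    if (openGroups.length === 0) continue;
    // Public endpoint plus open rule is reachable from anywhere;
    // an open rule on a private instance is still worth tightening.
    findings.push({ id: db.DBInstanceIdentifier, port, openGroups,
      severity: db.PubliclyAccessible ? 'exposed' : 'overly-permissive' });
  }
  return findings;
}

// Constructed sample data
const sampleDbs = [
  { DBInstanceIdentifier: 'example-public', PubliclyAccessible: true, Endpoint: { Port: 3306 },
    VpcSecurityGroups: [{ VpcSecurityGroupId: 'sg-open' }] },
  { DBInstanceIdentifier: 'example-private', PubliclyAccessible: false, Endpoint: { Port: 3306 },
    VpcSecurityGroups: [{ VpcSecurityGroupId: 'sg-lambda-only' }] },
];
const sampleGroups = [
  { GroupId: 'sg-open', IpPermissions: [
    { IpProtocol: 'tcp', FromPort: 3306, ToPort: 3306, IpRanges: [{ CidrIp: '0.0.0.0/0' }] }] },
  { GroupId: 'sg-lambda-only', IpPermissions: [
    { IpProtocol: 'tcp', FromPort: 3306, ToPort: 3306, IpRanges: [],
      UserIdGroupPairs: [{ GroupId: 'sg-lambda' }] }] },
];
console.log(JSON.stringify(findExposedInstances(sampleDbs, sampleGroups), null, 2));
```

The second sample instance, which only admits traffic from the Lambda function's security group, produces no finding; that is the arrangement the VPC-based answers describe.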
