Cannot connect to RDS with appropriate policies

I cannot connect to my RDS instance when running the function, but can when running it locally. Here is my yaml file which is in the same VPC as the instance. I ended up manually adding the AmazonRDSFullAccess policy and still to no avail.

service: wholesale-logging

provider:
  name: aws
  runtime: nodejs4.3
  stage: dev
  profile: lab
  vpc:
    securityGroupIds:
      - sg-NNNNNNNN
      - sg-NNNNNNNN
    subnetIds:
      - subnet-NNNNNNNN
      - subnet-NNNNNNNN
      - subnet-NNNNNNNN
      - subnet-NNNNNNNN
      - subnet-NNNNNNNN
      - subnet-NNNNNNNN
      - subnet-NNNNNNNN
      - subnet-NNNNNNNN
      - subnet-NNNNNNNN
      - subnet-NNNNNNNN
      - subnet-NNNNNNNN
      - subnet-NNNNNNNN
  iamRoleStatements:
    # Grants the RDS control-plane API (describe/modify instances etc.).
    # A plain TCP/Postgres connection to the endpoint is not gated by IAM,
    # so this statement has no effect on whether the function can reach port 5432.
    - Effect: "Allow"
      Action:
        - "rds:*"
      Resource: "*"
functions:
  create:
    handler: functions/logger/log.create
    events:
      - http:
          path: log
          method: post

and the function code:

'use strict';
const Massive = require('massive');
// Connection string as posted; note that the database credentials are embedded in the source.
const db = Massive.connectSync({ connectionString: 'postgres://delorean:back-to-the-future@wholesale-logging.cclyw00l55b3.us-east-1.rds.amazonaws.com:5432/logging' });

module.exports.create = (event, context, callback) => {
  db.app.find({}, (err, apps) => {
    if (err) {
      // Report the database error instead of answering 200 when the query failed
      console.error(err);
      return callback(null, { statusCode: 500, body: JSON.stringify({ error: err.message }) });
    }
    console.log(apps);

    // API Gateway's Lambda proxy integration requires `body` to be a string,
    // otherwise the response is treated as malformed (502).
    const response = {
      statusCode: 200,
      body: JSON.stringify({ data: 'test' })
    };

    callback(null, response);
  });
};

It’s most likely that it’s not an IAM policy issue - it’s much more likely to be a networking issue.

It looks like you’ve all the right pieces of config from a serverless.yml point of view, but I can’t see the RDS networking configuration.

The things to check (in order):

  1. Subnets: of your functions and database.
  2. Routing table: confirm that your function subnet can route to your database subnet.
  3. NACLs: if you have them (hopefully you don’t).
  4. Security groups: remember to check both inbound and outbound (aka. ingress/egress) on both sides of the equation.

If you have VPC Flow Logs enabled, look for the IP (and port 5432 for pgsql) of the ENI your functions are using to see if the connection is being attempted. If you don’t have flow logs, turn them on!

Hope that helps.
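To make the last two items of that checklist concrete, here is an added example (mine, not from the original thread or from the Serverless project) that evaluates the function's and the database's security groups for the Lambda -> Postgres path and counts what the function ENI's VPC Flow Log records say about attempts on port 5432. The security group dictionaries are constructed in the shape `aws ec2 describe-security-groups` returns, the flow log lines are constructed in the default version 2 format, and all group IDs, ENI IDs and addresses are placeholders.

```python
"""Offline helpers for the checklist above: evaluate whether the function's and the
database's security groups permit the Lambda -> Postgres path, and count what the
function ENI's VPC Flow Log records say about attempts on port 5432."""
import ipaddress

PG_PORT = 5432

# Constructed sample data shaped like the SecurityGroups[] entries returned by
# `aws ec2 describe-security-groups`; group IDs and CIDRs are placeholders.
FUNCTION_SG = {
    "GroupId": "sg-function0",
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}
DATABASE_SG = {
    "GroupId": "sg-database0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}],
         "UserIdGroupPairs": [{"GroupId": "sg-office0"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}


def rule_matches(rule, port, peer_ip, peer_sg):
    """True if one IpPermissions entry covers TCP/port to or from the given peer
    (matched either by a referenced security group or by CIDR)."""
    proto = rule.get("IpProtocol")
    if proto not in ("-1", "tcp"):
        return False
    if proto == "tcp" and not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
        return False
    if any(p.get("GroupId") == peer_sg for p in rule.get("UserIdGroupPairs", [])):
        return True
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))


def path_allowed(fn_sg, fn_ip, db_sg, db_ip, port=PG_PORT):
    """Return (egress_ok, ingress_ok) for function -> database:port. Security groups
    are stateful, so the reply traffic needs no separate rule; both must be True."""
    egress_ok = any(rule_matches(r, port, db_ip, db_sg["GroupId"])
                    for r in fn_sg.get("IpPermissionsEgress", []))
    ingress_ok = any(rule_matches(r, port, fn_ip, fn_sg["GroupId"])
                     for r in db_sg.get("IpPermissions", []))
    return egress_ok, ingress_ok


# Constructed VPC Flow Log records in the default (version 2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. ENI IDs and addresses are placeholders.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0function 10.0.1.15 10.0.2.40 49152 5432 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-0function 10.0.1.15 10.0.2.40 49153 5432 6 12 2048 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0function 10.0.1.15 10.0.2.40 49154 443 6 5 600 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0other 10.0.3.9 10.0.2.40 49155 5432 6 2 120 1600000000 1600000060 REJECT OK
2 123456789012 eni-0function - - - - - - - 1600000060 1600000120 - NODATA
"""


def db_attempts(flow_log_text, eni_id, port=PG_PORT):
    """Count ACCEPT/REJECT records for TCP traffic to `port` leaving the given ENI.
    No records at all means the packets never reached the ENI (routing, DNS, or
    the function is not actually running inside the VPC); REJECTs point at a
    security group or NACL; ACCEPTs with a hanging client point past the network."""
    counts = {}
    for line in flow_log_text.splitlines():
        fields = line.split()
        if len(fields) < 14 or fields[13] != "OK":      # skip NODATA/SKIPDATA rows
            continue
        if fields[2] != eni_id or fields[7] != "6" or fields[6] != str(port):
            continue
        action = fields[12]
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    print("10.0.1.15 ->", path_allowed(FUNCTION_SG, "10.0.1.15", DATABASE_SG, "10.0.2.40"))
    print("10.0.3.9  ->", path_allowed(FUNCTION_SG, "10.0.3.9", DATABASE_SG, "10.0.2.40"))
    print("flow log  ->", db_attempts(SAMPLE_FLOW_LOG, "eni-0function"))
```

The function in 10.0.1.15 passes both checks because the database group admits its subnet by CIDR; a function placed in 10.0.3.9 with the same group fails ingress, which is exactly the case the flow log then shows as REJECT on the function's ENI. Feeding the real `describe-security-groups` output and the real flow log lines through these two functions tells you whether the failure is before the ENI (routing), at the ENI (security group/NACL), or past it.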

  1. I took the subnets and security group IDs straight from the RDS instance, so they are exactly the same. We use these to stand up every test, so these have connected before, just not when made with Serverless 1.x

  2. They are on the same subnets

  3. All in the same NACL which allows all traffic (our cloud team set these up)

  4. Inbound and outbound are set correctly

All in all, we have used these before on other projects and it worked, except for this one.