
Cannot access S3 via VPC endpoint in Lambda

I have a Lambda function in my VPC, and I want to access an S3 bucket.

I have set up the S3 VPC endpoint correctly, I think, because I created an EC2 instance in the same subnet and security group as the Lambda function. When I ran a copy of the Lambda function code on the EC2 instance, it correctly showed the S3 file content.

But when I run the code in Lambda, it failed. So, I want to know what is the difference between "run in EC2" and "run in Lambda"? Why did it fail when I ran it in Lambda?

Here is my Lambda function code:

    import boto3
    
    s3 = boto3.client('s3', region_name='ap-northeast-1')
    
    def lambda_handler(event, context):
        bucket = '*xxxxxx*'
        key = 's3-upload.json'
        try:
            response = s3.get_object(Bucket=bucket, Key=key)
            print('--------------------------------------')
            print(response)
            print('--------------------------------------')
            body = response['Body'].read()
            print(body)
            print('--------------------------------------')
            print("CONTENT TYPE: " + response['ContentType'])
            
        except Exception as e:
            print('Error getting object.')
            print(e)
            raise e
asked May 25 '18 08:05

fisheep


1 Answer

If you want to allow an AWS Lambda to access Amazon S3, use one of these methods:

  • Do not associate the function to a VPC. Access is then automatic.
  • If the function is attached to a public subnet in the VPC, associate an Elastic IP to the Lambda function's ENI that appears in the VPC (Not recommended)
  • If the function is attached to a private subnet in the VPC, launch a NAT Gateway in the public subnet and update Route Tables. Traffic will flow to the Internet via the NAT Gateway.
  • Add an Amazon S3 VPC Endpoint in the VPC and update Route Tables. Traffic will flow through that instead of the Internet Gateway.
answered Sep 29 '22 09:09

John Rotenstein
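
The "update Route Tables" step in the answer can be checked per subnet. The following is an added example, not code from the question or the answer: it reports which path to S3 each subnet of the function has, given dicts shaped like the boto3 `describe_route_tables` and `describe_vpc_endpoints` responses. All IDs and the helper names `route_table_for` and `s3_path` are constructed for illustration.

```python
# Added example; inputs mirror ec2.describe_route_tables() / describe_vpc_endpoints().
def route_table_for(subnet_id, vpc_id, route_tables):
    """Explicitly associated table, else the VPC's main route table."""
    main = None
    for rt in (t for t in route_tables if t["VpcId"] == vpc_id):
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def s3_path(subnet_id, vpc_id, route_tables, endpoints, region):
    """Return 'endpoint', 'nat', 'igw' or 'none' for one subnet."""
    rt = route_table_for(subnet_id, vpc_id, route_tables)
    if rt is None:
        return "none"
    gateways = {  # S3 gateway endpoints attached to this subnet's route table
        ep["VpcEndpointId"] for ep in endpoints
        if ep["ServiceName"] == f"com.amazonaws.{region}.s3"
        and ep["VpcEndpointType"] == "Gateway"
        and ep["State"].lower() == "available"
        and rt["RouteTableId"] in ep.get("RouteTableIds", [])
    }
    routes = rt.get("Routes", [])
    if any(r.get("GatewayId") in gateways for r in routes):
        return "endpoint"
    for r in routes:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            if r.get("NatGatewayId"):
                return "nat"
            if r.get("GatewayId", "").startswith("igw-"):
                return "igw"  # usable only if the ENI has a public IP
    return "none"

# Constructed sample data: subnet-a uses rtb-s3, subnet-b falls back to rtb-main.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-s3", "VpcId": "vpc-1",
     "Associations": [{"Main": False, "SubnetId": "subnet-a"}],
     "Routes": [{"DestinationPrefixListId": "pl-example", "GatewayId": "vpce-1"}]},
]
ENDPOINTS = [{"VpcEndpointId": "vpce-1", "VpcEndpointType": "Gateway",
              "State": "available", "RouteTableIds": ["rtb-s3"],
              "ServiceName": "com.amazonaws.ap-northeast-1.s3"}]

for subnet in ("subnet-a", "subnet-b"):
    print(subnet, s3_path(subnet, "vpc-1", ROUTE_TABLES, ENDPOINTS, "ap-northeast-1"))
```

With live data, the subnet IDs to pass in are the `VpcConfig.SubnetIds` of the function; any subnet reported as `none` has no route to S3 from that route table.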