Can't find a constant-time module in cryptography package used on AWS Lambda

Question

[I am new to Python 2.7 and AWS Lambda, any help is appreciated]

I followed the AWS Lambda tutorial and created a virtualenv to include Python libs associated with the use of paramiko to copy a file to an SFTP server as a scheduled task on AWS Lambda to run the following script:

import paramiko

def worker_handler(event, context):

    host = "sftpserver.testdpom.com" 
    port = 22
    transport = paramiko.Transport((host, port))

    sftp = paramiko.SFTPClient.from_transport(transport)

    username = "xxxx"
    password = "xxxxxx"

    transport.connect(username = username, password = password)

    sftp = paramiko.SFTPClient.from_transport(transport)

    sftp.put("test.txt", "test.txt")
    sftp.close()
    transport.close()

    return
    {
        'message' : "Script execution completed. See Cloudwatch logs for complete output"
    }

The python script works correctly on my local machine but when I test the package on AWS Lambda, I get the error "ImportError: No module named _constant_time" and stack trace below.

Can you think of any possible reason for this error in AWS Lambda environment?

  File "/var/task/paramiko/kex_group1.py", line 111, in _parse_kexdh_reply
    self.transport._verify_key(host_key, sig)
  File "/var/task/paramiko/transport.py", line 1617, in _verify_key
    key = self._key_info[self.host_key_type](Message(host_key))
  File "/var/task/paramiko/rsakey.py", line 58, in __init__
    ).public_key(default_backend())
  File "/var/task/cryptography/hazmat/backends/__init__.py", line 35, in default_backend
    _default_backend = MultiBackend(_available_backends())
  File "/var/task/cryptography/hazmat/backends/__init__.py", line 22, in _available_backends
    "cryptography.backends"
  File "/var/task/pkg_resources/__init__.py", line 2235, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/var/task/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/var/task/cryptography/hazmat/backends/openssl/backend.py", line 15, in <module>
    from cryptography import utils, x509
  File "/var/task/cryptography/x509/__init__.py", line 7, in <module>
    from cryptography.x509.base import (
  File "/var/task/cryptography/x509/base.py", line 15, in <module>
    from cryptography.x509.extensions import Extension, ExtensionType
  File "/var/task/cryptography/x509/extensions.py", line 19, in <module>
    from cryptography.hazmat.primitives import constant_time, serialization
  File "/var/task/cryptography/hazmat/primitives/constant_time.py", line 9, in <module>
    from cryptography.hazmat.bindings._constant_time import lib
ImportError: No module named _constant_time

Answer 1

Since lambda runs under the hood on amazon linux instances, you basically need to:

1. spin up an amazon linux ec2 instance
2. create a virtualenv and pip install all packages you need
3. scp the files down to wherever your local deployment package lives

This all happens due to issues with how pip install does things differently depending on whether you're on linux or mac (and I'm assuming windows as well).

here's a startup script to get the ec2 instance up to speed afaik

#!/bin/bash

sudo yum upgrade -y
sudo yum group install -y "Development tools"

sudo yum install -y \
    python27 \
    libffi libffi-devel \
    openssl openssl-devel

virtualenv venv
source venv/bin/activate

pip install paramiko

The paramiko package will be in /path/to/venv/lib/python2.7/site-packages/paramiko and the cryptography stuff will be in path/to/venv/lib64/python2.7/cryptography.

I've been using a combination of pip install on my local mac and doing this when a package doesn't work (like for paramiko and psycopg2), and there are a few other helpful packages that people have pre-compiled and put up on github elsewhere specifically for lambda.

HTH!