How do I troubleshoot 502 and 500 errors when I invoke my Lambda function?
Last updated: 2019-09-25
When I try to invoke my AWS Lambda function, the request fails with a 502 or 500 server-side error. How do I troubleshoot these errors?
Identify the specific Lambda Invoke API error that you're getting, and then follow the troubleshooting steps for the error. For a list of possible errors with descriptions, see Errors in the Lambda Invoke API reference.
Your Lambda function's execution role must have these permissions to access Amazon Elastic Compute Cloud (Amazon EC2) in an Amazon Virtual Private Cloud (Amazon VPC):
AWS throttles Amazon EC2 API requests for each AWS account on a per-Region basis to help the performance of the service. For more information, see Query API Request Rate.
Use Amazon CloudWatch to review the amount of Amazon EC2 API requests made on your AWS account. If your account exceeds the maximum allowed request rate, reduce the amount of these requests that you make outside of Lambda.
This error most commonly occurs when Lambda receives a 500 error while trying to create an elastic network interface (ENI). Retry your request using an exponential backoff algorithm. For more information, see Error Retries and Exponential Backoff in AWS.
Confirm that you specified the correct Amazon VPC security group ID in your Lambda function configuration. For more information, see Configuring a Lambda Function to Access Resources in a VPC.
Amazon VPC-enabled Lambda functions create ENIs in associated subnets. As these functions scale out, more ENIs are created. There are per-account and per-Region ENI limits. To view your current limit, see Limits in the Amazon EC2 console.
Your Amazon VPC must have enough ENI capacity to meet your Lambda function's requirements. To estimate your function's ENI requirements, use this formula:
Projected peak concurrent executions * (Memory in GB / 3 GB)
If your Amazon VPC's current ENI limit doesn't meet your requirements, you can request a limit increase through the AWS Support Center. (Under Requests, for Limit, choose Network Interfaces per Region.)
A subnet's size is defined by its CIDR block. Be sure that the CIDR blocks that you specify in your Amazon VPC have enough free IP addresses for your Amazon VPC-enabled Lambda function's requirements. For more information, see VPC and Subnet Sizing.
If you're using a custom key policy for the customer master key (CMK), the IAM policy for your Lambda function's execution role must allow the action kms:Decrypt. If you're using the default key policy, then your Lambda execution role already has sufficient permissions for AWS KMS access.
For more information, see Using Key Policies in AWS KMS.
Verify that the CMK is enabled. For more information, see Enabling and Disabling Keys.
For more information, see How Key State Affects Use of a Customer Master Key.
The CMK specified in your request must be in the same AWS Region and account as your Lambda function. If the Region is different, use another CMK (or create a new CMK) in the same Region.
Check the permissions on your Lambda deployment package. For more information, see How do I troubleshoot Lambda "permission denied" or "unable to import module" errors when uploading a deployment package?
Also, confirm that you created the deployment package file correctly. For more information, see Creating a Deployment Package.
On rare occasions, the Lambda service itself can encounter an internal error. If you get a 500 error, check the AWS Service Health Dashboard to determine if Lambda is unavailable. For more information, see Is AWS down?
If Lambda is available, retry the request to invoke your Lambda function. If the issue persists, contact AWS Support from the AWS Support Center.