How do I troubleshoot 502 and 500 errors when I invoke my Lambda function?

Last updated: 2019-09-25

When I try to invoke my AWS Lambda function, the request fails with a 502 or 500 server-side error. How do I troubleshoot these errors?

Resolution

Identify the specific Lambda Invoke API error that you're getting, and then follow the troubleshooting steps for the error. For a list of possible errors with descriptions, see Errors in the Lambda Invoke API reference.

EC2AccessDeniedException

Your Lambda function's execution role must have these permissions to access Amazon Elastic Compute Cloud (Amazon EC2) in an Amazon Virtual Private Cloud (Amazon VPC):

  • ec2:CreateNetworkInterface
  • ec2:DescribeNetworkInterfaces
  • ec2:DeleteNetworkInterface

These permissions are included in the AWS managed policy AWSLambdaVPCAccessExecutionRole. For more information, see Execution Role and User Permissions.

EC2ThrottledException

AWS throttles Amazon EC2 API requests for each AWS account on a per-Region basis to help the performance of the service. For more information, see Query API Request Rate.

Use Amazon CloudWatch to review the number of Amazon EC2 API requests made on your AWS account. If your account exceeds the maximum allowed request rate, reduce the number of these requests that you make outside of Lambda.

EC2UnexpectedException

This error most commonly occurs when Lambda receives a 500 error while trying to create an elastic network interface (ENI). Retry your request using an exponential backoff algorithm. For more information, see Error Retries and Exponential Backoff in AWS.

InvalidSecurityGroupIDException

Confirm that you specified the correct Amazon VPC security group ID in your Lambda function configuration. For more information, see Configuring a Lambda Function to Access Resources in a VPC.

ENILimitReachedException

Amazon VPC-enabled Lambda functions create ENIs in associated subnets. As these functions scale out, more ENIs are created. There are per-account and per-Region ENI limits. To view your current limit, see Limits in the Amazon EC2 console.

Your Amazon VPC must have enough ENI capacity to meet your Lambda function's requirements. To estimate your function's ENI requirements, use this formula:

Projected peak concurrent executions * (Memory in GB / 3 GB)

If your Amazon VPC's current ENI limit doesn't meet your requirements, you can request a limit increase through the AWS Support Center. (Under Requests, for Limit, choose Network Interfaces per Region.)

SubnetIPAddressLimitReachedException

A subnet's size is defined by its CIDR block. Be sure that the CIDR blocks that you specify in your Amazon VPC have enough free IP addresses for your Amazon VPC-enabled Lambda function's requirements. For more information, see VPC and Subnet Sizing.

KMSAccessDeniedException

Check your Lambda function's AWS Identity and Access Management (AWS IAM) permissions as well as your AWS Key Management Service (AWS KMS) key policies.

If you're using a custom key policy for the customer master key (CMK), the IAM policy for your Lambda function's execution role must allow the action kms:Decrypt. If you're using the default key policy, then your Lambda execution role already has sufficient permissions for AWS KMS access.

Also, the IAM user that creates and updates the Lambda function must have permission to use the CMK.

For more information, see Using Key Policies in AWS KMS.
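
The permission checks from the EC2AccessDeniedException and KMSAccessDeniedException sections above can be run offline against the execution role's IAM policy documents. The following Python script is an added example, not AWS code; the function names and the sample policy are constructed for illustration. It assumes identity-based policies only: Resource, Condition, and NotAction elements are ignored, and the KMS key policy itself is not evaluated.

```python
import re

# Actions this page names: ENI management for VPC access, and kms:Decrypt
# (needed in the role's IAM policy only when the CMK uses a custom key policy).
VPC_ACTIONS = ["ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
               "ec2:DeleteNetworkInterface"]
KMS_ACTIONS = ["kms:Decrypt"]

def _as_list(value):
    """IAM allows a single item or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """Case-insensitive IAM action match; '*' and '?' are wildcards."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def missing_actions(policy_documents, required):
    """Return required actions that no Allow covers or that a Deny blocks.
    Simplification (assumption): Resource, Condition and NotAction are ignored."""
    allowed, denied = [], []
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement")):
            patterns = _as_list(stmt.get("Action"))
            if stmt.get("Effect") == "Allow":
                allowed.extend(patterns)
            elif stmt.get("Effect") == "Deny":
                denied.extend(patterns)
    return [a for a in required
            if any(_matches(p, a) for p in denied)
            or not any(_matches(p, a) for p in allowed)]

# Constructed sample role policy: no DeleteNetworkInterface, no KMS statement.
SAMPLE_ROLE_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:CreateNetworkInterface", "ec2:Describe*"]},
        {"Effect": "Allow", "Resource": "*", "Action": "logs:*"},
    ],
}]

if __name__ == "__main__":
    for label, required in (("VPC access", VPC_ACTIONS), ("KMS", KMS_ACTIONS)):
        gaps = missing_actions(SAMPLE_ROLE_POLICIES, required)
        print(label, "OK" if not gaps else "missing: " + ", ".join(gaps))
```

To check a real role, pass the policy documents attached to the function's execution role in place of the constructed sample.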

KMSDisabledException

Verify that the CMK is enabled. For more information, see Enabling and Disabling Keys.

KMSInvalidStateException

Your CMK is in an invalid state for AWS KMS Decrypt API requests. Verify that the CMK is enabled.

For more information, see How Key State Affects Use of a Customer Master Key.

KMSNotFoundException

The CMK specified in your request must be in the same AWS Region and account as your Lambda function. If the Region is different, use another CMK (or create a new CMK) in the same Region.

InvalidRuntimeException

Configure your Lambda function to use the correct Lambda runtime for your function code.

InvalidZipFileException

Check the permissions on your Lambda deployment package. For more information, see How do I troubleshoot Lambda "permission denied" or "unable to import module" errors when uploading a deployment package?

Also, confirm that you created the deployment package file correctly. For more information, see Creating a Deployment Package.

ServiceException

On rare occasions, the Lambda service itself can encounter an internal error. If you get a 500 error, check the AWS Service Health Dashboard to determine if Lambda is unavailable. For more information, see Is AWS down?

If Lambda is available, retry the request to invoke your Lambda function. If the issue persists, contact AWS Support from the AWS Support Center.

