hashicorp / vault-lambda-extension

Mozilla Public License 2.0
138 stars 29 forks

Token refresh issue with Snapstart and vault-lambda-extension layer #113

Closed NithyaAhila closed 3 months ago

NithyaAhila commented 1 year ago

Hi, we are using the arn:aws:lambda:${aws:region}:634166935893:layer:vault-lambda-extension:13 layer for connecting to our Enterprise Vault. To improve cold start we enabled SnapStart on the published versions. It seems the extension layer is not refreshing the token after it expires, or after a few hours, and we are getting Forbidden errors:

ERROR RouteExecutor:444 - Unexpected error occurred: Client 'http://127.0.0.1:8200/v1/data': Forbidden

The initial TTL value was set to 1d; we also tried 1h. The issue still persists.

SnapStart takes a snapshot of the Init phase environment, caches it, and reuses it every time a new instance is spun up. We are not sure whether the Vault layer is initialising in the Init phase and is then unable to refresh the connections after some time. Could you help fix the issue?

Thanks, Nithya
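Added example (not the extension's, Vault's, or any participant's code) of the check a handler can run on every invocation so that a token obtained during Init and frozen into the SnapStart snapshot is never used blindly. It assumes the extension leaves the token at /tmp/vault/token (VAULT_TOKEN_FILE here), that Vault is reached through an injected vault_call, and that a fresh login can be performed by a reauth callback; FakeVault and the delays in simulate_restore are constructed so the timeline runs offline. The key observation it encodes is that Vault answers lookup-self on an expired or revoked token with HTTP 403, which is exactly the Forbidden the report shows.

```python
import os
from typing import Callable, Dict, Optional, Tuple

# Assumed default: the extension writes the Init-phase token to this file.
TOKEN_FILE = os.environ.get("VAULT_TOKEN_FILE", "/tmp/vault/token")
RENEW_MARGIN_SECONDS = 300  # renew when fewer than 5 minutes of TTL remain

# vault_call(method, path, token) -> (http_status, json_body); injected so the
# logic can be exercised offline against the constructed FakeVault below.
VaultCall = Callable[[str, str, str], Tuple[int, dict]]


def read_token_file(path: str = TOKEN_FILE) -> Optional[str]:
    """Token as left by the extension during Init; may be stale after a restore."""
    try:
        with open(path) as fh:
            return fh.read().strip() or None
    except FileNotFoundError:
        return None


def classify_token(vault_call: VaultCall, token: str,
                   margin: int = RENEW_MARGIN_SECONDS) -> str:
    """Return 'ok', 'renew' or 'reauth' for a token, using lookup-self.

    Vault answers lookup-self on an expired or revoked token with HTTP 403
    (the 'Forbidden' in the issue), so 403 means re-authenticate.
    """
    status, body = vault_call("GET", "/v1/auth/token/lookup-self", token)
    if status == 403:
        return "reauth"
    if status != 200:
        raise RuntimeError(f"lookup-self failed with HTTP {status}")
    data = body["data"]
    if data.get("expire_time") is None:   # token without an expiry
        return "ok"
    if data["ttl"] > margin:              # ttl = seconds remaining
        return "ok"
    return "renew" if data.get("renewable") else "reauth"


def ensure_usable_token(vault_call: VaultCall, token: Optional[str],
                        reauth: Callable[[], str]) -> Tuple[str, str]:
    """Run on every invocation: never trust a token only the snapshot vouches for."""
    action = "reauth" if token is None else classify_token(vault_call, token)
    if action == "renew":
        status, _ = vault_call("POST", "/v1/auth/token/renew-self", token)
        if status == 200:
            return token, "renew"
        action = "reauth"                 # renewal refused: fall back to a fresh login
    if action == "reauth":
        return reauth(), "reauth"
    return token, "ok"


class FakeVault:
    """Constructed stand-in for Vault: tokens expire against an injectable clock."""

    def __init__(self, now: float):
        self.now = now
        self.tokens: Dict[str, Tuple[float, int]] = {}  # token -> (expiry, ttl)
        self.logins = 0

    def login(self, ttl: int) -> str:
        self.logins += 1
        token = f"hvs.constructed-{self.logins}"
        self.tokens[token] = (self.now + ttl, ttl)
        return token

    def call(self, method: str, path: str, token: str) -> Tuple[int, dict]:
        entry = self.tokens.get(token)
        if entry is None or entry[0] <= self.now:
            self.tokens.pop(token, None)
            return 403, {"errors": ["permission denied"]}
        expiry, ttl = entry
        if path.endswith("/lookup-self"):
            return 200, {"data": {"ttl": int(expiry - self.now), "renewable": True,
                                  "expire_time": "constructed"}}
        if path.endswith("/renew-self"):
            self.tokens[token] = (self.now + ttl, ttl)
            return 200, {"auth": {"client_token": token}}
        return 404, {"errors": []}


def simulate_restore(seconds_after_init: int, token_ttl: int = 3600) -> Tuple[str, int]:
    """Init logs in once (that token is frozen into the snapshot); a restored
    environment first runs `seconds_after_init` later. Returns (action, logins)."""
    vault = FakeVault(now=1_700_000_000.0)
    init_token = vault.login(token_ttl)          # what the extension did in Init
    vault.now += seconds_after_init              # snapshot restored much later
    _, action = ensure_usable_token(vault.call, init_token,
                                    reauth=lambda: vault.login(token_ttl))
    return action, vault.logins


if __name__ == "__main__":
    for delay in (600, 3400, 7200):
        print(delay, simulate_restore(delay))
```

With a 1h token, a restore 10 minutes after Init keeps the token, one at 3400 s renews it, and one two hours later gets the 403 and must log in again; the last case is the one the report describes, where the restored environment resumes with a token that expired while the snapshot sat in the cache. In a real function the reauth callback is where the fresh login (for this extension, its AWS IAM auth) has to happen, and since the extension's own proxy process is also part of the snapshot, the same check belongs wherever the token actually lives. Two caveats: renew-self only helps for a renewable token that is still inside its max TTL, and the snapshot itself contains the Init-phase token, so the safer pattern is to refresh credentials in a SnapStart restore hook (CRaC afterRestore in Java) rather than rely on TTL arithmetic at all.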

samoilenkobv commented 1 year ago

Are there any updates on this? We faced a similar issue.

jimifredjr commented 6 months ago

Hey, we're facing the same issue. When we enable SnapStart our Lambda can't access Vault, but if SnapStart is disabled the Lambda can access Vault. We were wondering whether the Vault token isn't getting refreshed when SnapStart is enabled.