Skip to main content

Lambda update function timeout

Last updated on

Lambda update function timeout is an AWS chaos fault that changes the configured timeout of a target Lambda function (FUNCTION_NAME in REGION) to FUNCTION_TIMEOUT seconds for TOTAL_CHAOS_DURATION seconds, then restores the original value. Invocations that previously completed in time may be terminated by Lambda with Task timed out after <N>.00 seconds.

Use this fault to test how a Lambda workload behaves when its time budget shrinks: whether callers see clean timeouts or partial state, whether retries amplify the failure, whether monitoring detects the rise in Errors and Duration p99, and whether downstream consumers degrade gracefully under timed-out invocations.

Run your first experiment

If you have not configured the chaos infrastructure yet, go to Quickstart to install the chaos infrastructure and run an experiment end to end.

Use cases

Run this fault when you want to answer concrete questions like:

  • Timeout exposure: When the timeout shrinks to FUNCTION_TIMEOUT, do tail invocations get killed or do they all still fit?
  • Caller behaviour: Do synchronous callers (API Gateway, ALB) honor their own timeouts cleanly when the function is killed?
  • Retry storms: Do asynchronous invokers retry timed-out invocations and amplify load?
  • Monitoring fidelity: Do CloudWatch alarms on Lambda Errors, Throttles, and end-to-end p99 fire within the SLA?
  • Capacity planning: Identify the lowest safe timeout setting for cost optimization without breaking the SLA.

Prerequisites

  • Kubernetes version: 1.21 or later for the chaos infrastructure cluster. Go to What's supported to confirm distribution support.
  • Target Lambda function: FUNCTION_NAME exists in REGION and is in the Active state.
  • Timeout value: FUNCTION_TIMEOUT is within Lambda's allowed range (1 to 900 seconds).
  • AWS credentials available: Either an AWS credentials file uploaded as a File Secret in Harness Secret Manager (see Authentication below) or an IAM role for service accounts (IRSA) bound to the chaos infrastructure service account.
  • IAM permissions granted: The credentials or role include the permissions listed below.

Supported environments

PlatformSupport status
AWS Lambda (zip and container image)Supported
Lambda with provisioned concurrencySupported
Lambda@EdgeNot supported
AWS regionsSupported in every commercial region; pass the region in REGION

Permissions required

The IAM principal that the chaos pod uses (the credentials mounted from the Harness Secret Manager file secret, the IRSA role on the chaos service account, or the role assumed via ASSUME_ROLE_ARN) needs the following AWS actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:GetFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": "*"
    }
  ]
}

Go to common policy for all AWS faults to use a single superset IAM policy across every AWS fault.

Authentication

The fault supports three credential delivery models. Pick one based on how your chaos infrastructure is deployed.

MethodWhen to use itHow to configure
Harness Secret Manager file secretChaos infrastructure runs outside EKS, or you want explicit static credentialsUpload the AWS credentials file as a File Secret in Harness Secret Manager and reference its identifier via AWS_AUTHENTICATION_SECRET
IAM Roles for Service Accounts (IRSA)Chaos infrastructure runs in EKS and uses an OIDC-bound service accountNo tunable changes; the chaos pod inherits the role automatically. Go to AWS IAM integration to set it up
Assume roleThe fault needs to act in a different account or with elevated permissionsSet ASSUME_ROLE_ARN to the role ARN; the chaos pod assumes the role on top of its base credentials

When using the Harness Secret Manager method, the contents of the File Secret should be the AWS credentials file in the standard ~/.aws/credentials format:

[default]
aws_access_key_id = REPLACE_WITH_ACCESS_KEY_ID
aws_secret_access_key = REPLACE_WITH_SECRET_ACCESS_KEY

Upload this file as a File Secret in Harness Secret Manager (Project Setup → Secrets → New File Secret), and pass the secret identifier in AWS_AUTHENTICATION_SECRET when configuring the fault.

Fault tunables

Configure the following fault parameters when you add Lambda update function timeout to an experiment in Chaos Studio. Defaults are shown for reference.

Required parameters

TunableDescriptionDefault
FUNCTION_NAMEName of the target Lambda function.(required)
REGIONAWS region where the Lambda function is deployed.(required)
FUNCTION_TIMEOUTTimeout (in seconds) to set on the function during the chaos window. Allowed range 1 to 900.(required)

Chaos parameters

TunableDescriptionDefault
TOTAL_CHAOS_DURATIONDuration of the fault in seconds.30
CHAOS_INTERVALDelay in seconds between successive iterations when running for more than one cycle.30
RAMP_TIMEWait period in seconds before and after the fault. Go to ramp time to read how it is applied.0

Authentication

TunableDescriptionDefault
ASSUME_ROLE_ARNARN of an IAM role to assume on top of the base credentials. Leave empty to use the base credentials directly.""
AWS_AUTHENTICATION_SECRETIdentifier of the File Secret in Harness Secret Manager that contains the AWS credentials file. Not required when using IRSA.""

Tunables that apply to every fault are documented in common tunables for all faults.

Fault execution in brief

Reads the current timeout on FUNCTION_NAME, updates it to FUNCTION_TIMEOUT seconds, waits for TOTAL_CHAOS_DURATION seconds, then restores the original timeout value.

Expected behavior during fault execution

  • New invocations of the function are killed after FUNCTION_TIMEOUT seconds with Task timed out after <N>.00 seconds.
  • Tail latency invocations that previously completed in time now fail; median invocations may still succeed.
  • CloudWatch Errors rises for timed-out invocations; Duration for timed-out invocations equals the new timeout.
  • Synchronous callers (API Gateway, ALB) see timeouts at the function layer; asynchronous invokers retry per their policy.
When the fault ends

The chaos pod restores the original timeout value. New invocations run with the previous timeout. Warm containers carrying the reduced timeout are recycled on the next cold start.

Signals to watch

Attach resilience probes to assert each layer:

  • Lambda errors: Use a Prometheus probe on aws_lambda_errors_sum and assert it rises during the chaos window.
  • Lambda duration: Use a Prometheus probe on the duration metric for the function.
  • End-to-end availability: Use an HTTP probe on the user-visible endpoint.

Verify the fault execution effect

While the experiment is running, confirm the timeout was reduced and then restored:

  1. Inspect function configuration.

    aws lambda get-function-configuration \
      --region <region> \
      --function-name <name> \
      --query Timeout

    The reported value should equal FUNCTION_TIMEOUT during the chaos window and return to the original value afterwards.

  2. Invoke a long-running path and inspect the response.

    aws lambda invoke --region <region> --function-name <name> \
      --payload <payload-that-runs-long> /tmp/out.json
    cat /tmp/out.json

    Long invocations should return Task timed out during the chaos window.

  3. Check CloudWatch metrics and logs.

    aws logs tail --region <region> /aws/lambda/<name> --since 5m \
      --filter-pattern "Task timed out"

    Timed-out invocations are clearly logged.

Recovery and cleanup

  • End of duration: The chaos pod restores the original timeout value.
  • Abort the experiment: Stopping the experiment from Chaos Studio also triggers the restore call.
  • Manual recovery: If the fault exits before restore, run aws lambda update-function-configuration --function-name <name> --timeout <N> --region <region> with the original value (recorded in the chaos pod logs).
  • Workload recovery: Warm containers carrying the reduced timeout are replaced on the next cold start; asynchronous invokers continue retrying timed-out invocations per their policy.

Limitations

  • Allowed range: FUNCTION_TIMEOUT must be between 1 and 900 seconds. Values outside this range are rejected by AWS.
  • In-flight invocations: Invocations that started before the update may complete or be killed depending on how AWS applies the new timeout to the warm pool.
  • Asynchronous retries: Async invokers (event source mappings, EventBridge) retry timed-out invocations; the resulting failure pattern depends on the retry policy.
  • Cold-start interaction: Updating the function configuration triggers cold starts during the chaos window.
  • Cross-region targeting: A single experiment targets one region (the value of REGION).

Troubleshooting

Lambda update function timeout fails with AccessDeniedException in Harness Chaos Engineering

The credentials supplied to the chaos pod do not have the required Lambda permissions. Confirm the IAM policy attached to the user, role, or IRSA service account includes lambda:GetFunction, lambda:GetFunctionConfiguration, and lambda:UpdateFunctionConfiguration.

FUNCTION_TIMEOUT value rejected

Lambda allows function timeout between 1 and 900 seconds. Re-run the experiment with a value inside this range.

No timed-out invocations observed

If every invocation comfortably fits inside FUNCTION_TIMEOUT, the change has no measurable effect. Pick a timeout value below the typical p95/p99 duration reported by CloudWatch, or run the experiment under load that exercises tail paths.

Timeout not restored after the chaos window

If the restore call failed, the function may stay at the reduced timeout. Run 'aws lambda update-function-configuration --function-name <name> --timeout <N> --region <region>' with the original value recorded in the chaos pod logs.