https://ferkakta.dev/tags/debugging/Recent content in Debugging on ferkakta.devHugoen-USCopyright fizz.Wed, 11 Mar 2026 16:00:00 -0400https://ferkakta.dev/lambda-timeout-forensic-arc/Wed, 11 Mar 2026 16:00:00 -0400https://ferkakta.dev/lambda-timeout-forensic-arc/<p>The ticket said the Lambda tracer was timing out. The Slack thread said <code>ConnectTimeoutError</code> to an internal tracing endpoint. Four Lambda functions had been moved into a VPC the day before so they could reach <code>tracer.internal.ferkakta.net</code> — an internal ALB at <code>10.x.x.x</code>, only reachable from inside the VPC. The migration was verified, the API returned success, the ticket should not have existed.</p> <p>The people who built this system had moved on to other projects. The people using it were in a different timezone. There was no architecture doc, no runbook, no one to pair with. I had CloudWatch, a kubectl context, and AWS credentials.</p>https://ferkakta.dev/iam-eventual-consistency-is-four-seconds/Thu, 26 Feb 2026 09:00:00 -0600https://ferkakta.dev/iam-eventual-consistency-is-four-seconds/<p>I changed an IAM inline policy on a role — added an <code>sts:AssumeRole</code> statement so a pod could assume a cross-account SES role. Ran <code>terraform apply</code>. Checked the policy with <code>get-role-policy</code>. The old policy came back. No new statement.</p> <p>I said &ldquo;propagation delay&rdquo; and moved on to other work.</p> <p>Twenty minutes later I checked again. Same old policy. That&rsquo;s not propagation.</p> <h2 id="what-eventual-consistency-actually-means">What eventual consistency actually means</h2> <p>AWS IAM uses a distributed computing model. Changes to policies, roles, and credentials take time to replicate across endpoints. AWS documents this explicitly and recommends not including IAM changes in critical code paths.</p>