无法通过Lambda中的VPC端点访问S3 [英] Can not access S3 via VPC endpoint in Lambda

问题描述

我的VPC中具有Lambda函数，我想访问S3存储桶.

I have a Lambda function in my VPC, and I want to access S3 bucket.

我认为我已经正确设置了S3 VPC端点，

I have set S3 VPC endpoint correctly I think,

因为我在同一子网(Lambda函数子网)中创建了一个EC2实例，

because I created an EC2 instance in the same subnet(Lambda function subnet),

使用相同的安全组，

并运行Lambda函数代码的副本，

and run the copy of Lambda function code,

它可以正确显示S3文件内容.

但是当我在Lambda中运行代码时，它失败了.

But when I run the code in Lambda, it failed.

所以，我想知道在EC2中运行"和在Lambda中运行"之间有什么区别?

为什么在Lambda中运行它失败?

Why it failed when I run it in Lambda?

这是我的Lambda函数代码:

Here is my Lambda function code:

import boto3

s3 = boto3.client('s3', region_name='ap-northeast-1')

def lambda_handler(event, context):
    bucket = '*xxxxxx*'
    key = 's3-upload.json'
    try:
        response = s3.get_object(Bucket=bucket, Key=key)
        print('--------------------------------------')
        print(response)
        print('--------------------------------------')
        body = response['Body'].read()
        print(body)
        print('--------------------------------------')
        print("CONTENT TYPE: " + response['ContentType'])

    except Exception as e:
        print('Error getting object.')
        print(e)
        raise e

推荐答案

如果要允许AWS Lambda访问Amazon S3，请使用以下方法之一:

If you want to allow an AWS Lambda to access Amazon S3, use one of these methods:

• 请勿将功能与VPC相关联.然后访问是自动的.
• 如果该功能已附加到VPC中的公共子网，则将弹性IP 与VPC中出现的Lambda功能的ENI关联(不推荐)
• 如果该功能已附加到VPC中的专用子网，请在公用子网中启动 NAT网关并更新路由表.流量将通过NAT网关流到Internet.
• 在VPC中添加 Amazon S3 VPC端点，并更新路由表.流量将通过该流量而不是Internet网关.

• Do not associate the function to a VPC. Access is then automatic.
• If the function is attached to a public subnet in the VPC, associate an Elastic IP to the Lambda function's ENI that appears in the VPC (Not recommended)
• If the function is attached to a private subnet in the VPC, launch a NAT Gateway in the public subnet and update Route Tables. Traffic will flow to the Internet via the NAT Gateway.
• Add an Amazon S3 VPC Endpoint in the VPC and update Route Tables. Traffic will flow through that instead of the Internet Gateway.

这篇关于无法通过Lambda中的VPC端点访问S3的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！