Access AWS S3 from Lambda within VPC


Problem description


Overall, I'm pretty confused by using AWS Lambda within a VPC. The problem is Lambda is timing out while trying to access an S3 bucket. The solution seems to be a VPC Endpoint.


I've added the Lambda function to a VPC so it can access an RDS hosted database (not shown in the code below, but functional). However, now I can't access S3 and any attempt to do so times out.


I tried creating a VPC S3 Endpoint, but nothing has changed.

VPC configuration


I'm using a simple VPC created by default whenever I first made an EC2 instance. It has four subnets, all created by default.

VPC route table

| Destination | Target | Status | Propagated |
|---|---|---|---|
| 172.31.0.0/16 | local | Active | No |
| pl-63a5400a (com.amazonaws.us-east-1.s3) | vpce-b44c8bdd | Active | No |
| 0.0.0.0/0 | igw-325e6a56 | Active | No |

Simple S3 download Lambda:

import io
import boto3
import pymysql  # used by the RDS access that is not shown here

def lambda_handler(event, context):
    # download_fileobj writes raw bytes, so it needs a binary buffer
    # (io.BytesIO), not the Python 2 StringIO used originally.
    s3_obj = io.BytesIO()
    boto3.resource('s3').Bucket('marineharvester').download_fileobj('Holding - Midsummer/sample', s3_obj)
    return len(s3_obj.getvalue())

Recommended answer


With boto3, the S3 urls are virtual by default, which then require internet access to be resolved to region specific urls. This causes the hanging of the Lambda function until timeout.


To resolve this requires use of a Config object when creating the client, which tells boto3 to create path based S3 urls instead:

import boto3
from botocore.config import Config  # botocore.config is not guaranteed by a bare `import botocore`

# Pin the client to the region of the Lambda and the VPC endpoint, and force
# path-style URLs (https://s3.<region>.amazonaws.com/<bucket>/<key>).
client = boto3.client('s3', 'ap-southeast-2', config=Config(s3={'addressing_style': 'path'}))


Note that the region in the call must be the region to which you are deploying the lambda and VPC Endpoint.


Then you will be able to use the pl-xxxxxx prefix list for the VPC Endpoint within the Lambda's security group, and still access S3.


Here is a working CloudFormation script that demonstrates this. It creates an S3 bucket, a lambda (that puts records into the bucket) associated with a VPC containing only private subnets and the VPC Endpoint, and the necessary IAM roles.
