启用VPC后,无法从Lambda/Python/Boto3连接到S3 [英] Unable to connect to S3 from Lambda/Python/Boto3 when VPC is enabled
问题描述
我在lambda中有一个非常简单的python函数,如果我禁用了VPC,则运行良好.
I have a very simple python function in a lambda which runs fine if I leave VPC disabled.
import json
import boto3
import botocore
def lambda_handler(event, context):
s3 = boto3.client('s3', 'us-east-1', config=botocore.config.Config(s3={'addressing_style':'path'}))
keys = []
resp = s3.list_objects_v2(Bucket='[BUCKET_NAME]')
for obj in resp['Contents']:
print(obj['Key'])
return {
'statusCode': 200,
'body': json.dumps('Hello from Lambda!')
}
启用VPC后,S3连接持续超时.
When VPC is enabled the S3 connection continually times out.
我浏览了许多文档,教程,论坛主题和堆栈溢出帖子,但没有一个对我有帮助.
I have gone through many documents, tutorials, forum threads and stack overflow postings, but none of them have helped me.
我的网络ACL的端口80、443和5439(Redshift)具有0.0.0.0/0映射.
My network ACL has 0.0.0.0/0 mappings for ports 80, 443 and 5439 (Redshift).
我唯一的安全组具有端口80、443和5439(Redshift)的0.0.0.0/0映射.
My one and only security group has 0.0.0.0/0 mappings for ports 80, 443 and 5439 (Redshift).
我只配置了一个VPC.
I have only one VPC configured.
我配置了1个NAT网关.
I have 1 NAT Gateway configured.
我配置了1个Internet网关.
I have 1 Internet Gateway configured.
我在VPC中有6个子网:
I have 6 subnets in the VPC:
- 子网A和B指向主路由表.
- 子网C和D指向"lambda_rt_table_gateway"路由表.
- 子网E和F指向"lambda_rt_table_nat"路由表.
我在VPC中有2个端点:
I have 2 endpoints in the VPC:
- 端点VPCE-A是为服务'com.amazonaws.us-east-1.s3'定义的,并映射到所有3个路由表.
- 端点VPCE-B是为服务'com.amazonaws.us-east-1.dynamodb'定义的,并映射到所有3个路由表.
最后,我有3个路由表:
Finally, I have 3 Route Tables:
-
主路由表具有以下路由:
The main route table has the following routes:
- 172.31.0.0/1->本地
- pl-02cd2c6b(com.amazonaws.us-east-1.dynamodb,52.94.0.0/22,52.119.224.0/20)-> vpce-07a6eb423bbbea151
- pl-63a5400a(com.amazonaws.us-east-1.s3,54.231.0.0/17,52.216.0.0/15)-> vpce-0fd10c890bb176b5a
- 0.0.0.0/0-> igw-04b6aa7c
"lambda_rt_table_gateway"路由表具有与主路由相同的路由.
The 'lambda_rt_table_gateway' route table has identical routes as the main.
- 0.0.0.0/0-> nat-0a5c0a76e3c12c42f
我很确定这是我所缺少的简单东西.请帮忙.
I am pretty sure it is something simple I'm missing. Please help.
非常感谢.
推荐答案
您已经配置了很多东西!我不确定要解决此特定情况的一部分,还是不确定您是否对NAT网关,VPC端点等有其他需求.
You have a lot of stuff configured! I'm not sure how much of it is part of wanting to get this specific situation fixed, or whether you have other needs for things like the NAT Gateway, VPC Endpoints, etc.
使连接VPC的Lambda函数能够调出Internet(例如,对Amazon S3进行API调用)的最简单设置是:
The simplest setup to enable a VPC-connected Lambda function to call out to the Internet (eg to make an API call to Amazon S3) would be:
- 将 NAT网关添加到公共子网
- 将Lambda函数附加到私有子网
- 在专用子网上设置路由,以将NAT网关用于
0.0.0.0/0
- Add a NAT Gateway to a Public subnet
- Attach the Lambda function to a Private subnet
- Set routing on the private subnet to use the NAT Gateway for
0.0.0.0/0
这足以使连接VPC的Lambda函数到达Internet.
That is sufficient for VPC-attached Lambda functions to reach the Internet.
这篇关于启用VPC后,无法从Lambda/Python/Boto3连接到S3的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
