如何将s3凭证传递给AWS上的Python lambda函数? [英] How should I pass my s3 credentials to Python lambda function on AWS?
问题描述
我想用我用Python编写的lambda函数将文件写入S3.但是我在努力传递我的S3 ID和密钥.
I'd like to write a file to S3 from my lambda function written in Python. But I’m struggling to pass my S3 ID and Key.
在将本地Python环境变量AWS_SHARED_CREDENTIALS_FILE和AWS_CONFIG_FILE设置为指向我使用AWS CLI创建的本地文件之后,以下内容将在我的本地计算机上工作.
The following works on my local machine after I set my local Python environment variables AWS_SHARED_CREDENTIALS_FILE and AWS_CONFIG_FILE to point to the local files I created with the AWS CLI.
session = boto3.session.Session(region_name='us-east-2')
s3 = session.client('s3',
config=boto3.session.Config(signature_version='s3v4'))
以下在Lambda上有效,我在其中手动编写了ID和密钥(在这里使用***):
And the following works on Lambda where I hand code my ID and Key (using *** here):
AWS_ACCESS_KEY_ID = '***'
AWS_SECRET_ACCESS_KEY = '***'
session = boto3.session.Session(region_name='us-east-2')
s3 = session.client('s3',
config=boto3.session.Config(signature_version='s3v4'),
aws_access_key_id=AWS_ACCESS_KEY_ID,
aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
但是我理解阅读最佳实践.所以我尝试:
But I understand this is insecure after reading best practices from Amazon. So I try:
AWS_ACCESS_KEY_ID = os.environ['AWS_ACCESS_KEY_ID']
AWS_SECRET_ACCESS_KEY = os.environ['AWS_SECRET_ACCESS_KEY']
session = boto3.session.Session(region_name='us-east-2')
s3 = session.client('s3',
config=boto3.session.Config(signature_version='s3v4'),
aws_access_key_id=AWS_ACCESS_KEY_ID,
aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
但是我得到一个错误:您提供的AWS Access Key ID在我们的记录中不存在." 我也尝试在Lambda控制台中定义这些变量,但是我得到了: "Lambda无法配置您的环境变量,因为您提供的环境变量包含保留键."
But I get an error: "The AWS Access Key Id you provided does not exist in our records." I also tried to define these variables in the Lambda console, but I then I get: "Lambda was unable to configure your environment variables because the environment variables you have provided contains reserved keys."
我完全需要传递ID或密钥令我有些惊讶,因为我认为我编写Lambda函数的帐户也有权写入S3帐户(为此,我的手工代码的密钥和机密来自IAM)同一帐户).通过阅读以下文章,我有同样的感触: AWS Lambda函数写入S3
I am a little surprised I need to pass an ID or Key at all since I believe my account for authoring the Lambda function also has permission to write to the S3 account (the key and secret I hand code are from IAM for this same account). I got the same sense from reading the following post: AWS Lambda function write to S3
推荐答案
在另一个资源中使用一个AWS资源时,您无需使用AWS访问密钥.只需允许Lambda函数访问S3存储桶以及您要执行的任何操作即可(例如PutObject).如果确保Lambda函数接收到具有允许这种访问权限的策略的角色,则SDK会将所有身份验证从您手中移开.
You never need to use AWS access keys when you are using one AWS resource within another. Just allow the Lambda function to access the S3 bucket and any actions that you want to take (e.g. PutObject). If you make sure the Lambda function receives the role with the policy to allow for that kind of access, the SDK takes all authentication out of your hands.
如果您确实需要使用Lambda中的任何秘密密钥,例如的第三方系统或AWS RDS数据库(非Aurora),则可能需要查看AWS KMS.这可以与Lambda一起很好地工作.但是再说一遍:在Lambda中使用S3应该在IAM中使用正确的角色/策略来处理.
If you do need to use any secrets keys in Lambda, e.g. of 3rd party systems or an AWS RDS database (non-Aurora), you may want to have a look at AWS KMS. This works nicely together with Lambda. But again: using S3 in Lambda should be handled with the right role/policy in IAM.
这篇关于如何将s3凭证传递给AWS上的Python lambda函数?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
