从Aurora RDS存储过程权限问题调用AWS Lambda [英] Call AWS Lambda from Aurora RDS Stored Procedure Permissions Issue

问题描述

我在AWS中创建了一些Lambda，并创建了Aurora RDS(公开可用).我无法执行lambda(通过调用mysql.lambda_async ).

当我尝试得到错误 ERROR 1873:1873:Lambda API返回错误:缺少凭据:无法实例化Lambda Client .

我尝试附加一个名为aurora-lambdas的IAM角色，在该角色中，我设置了对RDS和Lambdas的完全访问权限以及这些服务之间的可信任关系，但是在尝试了各种配置之后，仍然遇到了问题.

有人从RDS成功执行了AWS Lambda吗?谢谢:)

解决方案

参数键 aws_default_lambda_role 必须具有角色的完整ARN值路径，该路径既已附加到Aurora群集，又具有正确的与其关联的lambda访问策略.

首先，启用 IAM DB Authentication Enabled (启用 IAM DB身份验证已启用)，这意味着可以通过AWS IAM用户和角色来管理您的数据库用户凭证.

创建策略，创建角色，将策略附加到角色以及将角色关联到Aurora群集的步骤如下.

1..

8..选择参数组族 aurora5.6

9..选择类型 数据库集群参数组

10.在文本框中输入所需的配置 Group Name 作为 someName56

11..然后创建并编辑参数

12..查找参数名称 aws_default_lambda_role 并键入在上面的步骤4中创建的IAM角色的ARN.

简要说明

重要的是要记住，由于涉及的抽象层不同，IAM用户，角色和策略是分开的.可以将策略附加到用户或角色.但不能单独与运行中的实例(如EC2或RDS)关联.要将S3或Lambda访问权限附加到本地计算机上编写的代码，必须使用带有适当策略的IAM用户.要附加对Amazon内部服务的访问权限，则必须将IAM角色分配给，例如，使用 CALL MySQL.lambda_async 过程允许RDS Aurora Cluster DB触发Lambda.由于RDS实例在AWS内部，因此它具有触发lambda函数的作用，因此必须为其分配IAM角色.这个想法是给予最小的访问权限(除非需要更多访问权限)，以及如何在不直接访问RDS虚拟机的情况下更改配置文件.因此，需要更改参数组值，以便在DB软件中进行某些配置更改，而不必直接连接到虚拟机.它的设计比使用SSH或直接连接软件的传统方法更容易.由于抽象层(即AWS控制台)可以跟踪用户活动，因此哪个用户/服务实施了Lambda的动作来触发以帮助查明问题，因此，这也可以提高问责制.

注意

我不是专家，所以请纠正我的解释，因为我对AWS尚不完全了解，因此我在执行步骤或解释时可能会犯错误.但这就是我解决特定问题的方法.

编辑 :(发布后几分钟)

我的特定问题:

当我直接用SQL进行调用时，它给了我以下错误输出，使我进入了概述的解决问题的步骤.

mysql> CALL mysql.lambda_async('arn:aws:lambda:us-region-1:02020202020:function:FuncSomeNameLambdaFunc'，CONCAT('{"subject":'，'subject contents'，'"，"message":'，'邮件内容'，'"}'))));

错误1873(HY000):Lambda API返回错误:缺少指定的IAM角色(aws_default_lambda_role)

I've created a few Lambdas in AWS, and an Aurora RDS (publicly available). I couldn't execute lambdas (via call mysql.lambda_async).

When I tried that I got the error ERROR 1873: 1873: Lambda API returned error: Missing Credentials: Cannot instantiate Lambda Client.

I tried attaching an IAM role called aurora-lambdas where I set full access to RDS and Lambdas and a trusted relationship between those services, but after trying various configurations I still get the issue.

Do someone have successfully executed an AWS Lambda from RDS? Thanks :)

解决方案

The parameter key aws_default_lambda_role needs to have the full ARN value path of the role that is both attached to the Aurora Cluster and has the correct lambda access policy associated with it.

Firstly, Enable IAM DB Authentication Enabled which means your database user credentials can be managed through AWS IAM users and roles.

The steps to create the policy, create the role, attach the policy to the role, associate the role to the Aurora Cluster are as follows.

1. Create an IAM Policy to Access AWS Lambda Resources.

2. Create IAM Role to Allow Amazon Aurora to Access AWS Services with Policy attached.

3. Associate IAM Role with an Amazon Aurora MySQL DB Cluster that needs to use Lambda.

4. Set the cluster-level parameter key for the related AWS service to the ARN for the associated IAM role. Use step 10 from weblink 3 given above. Step 10 describes aws_default_s3_role, but we just need to look for aws_default_lambda_role.

5. Go to RDS Dashboard

6. Click Parameter Groups

7. Click Create Parameter Group

8. Select Parameter Group Family aurora5.6

9. Select Type DB Cluster Parameter Group

10. Type in text box desired configuration Group Name as someName56

11. Create and then Edit Parameters

12. Look for Parameter Name aws_default_lambda_role and type in the ARN for the IAM Role created in step 4 above.

Brief Explanation

It is important to remember that because of the abstraction layers involved, there are separations of IAM users, roles, and policies. A Policy can be attached to a user or role. but cannot be associated by itself with running instances like EC2 or RDS. To attach S3 or Lambda access to Code written on your local computer an IAM User with the appropriate policy attached must be used. To attach access to Amazon internal services then an IAM Role must be assigned to, for example, allow RDS Aurora Cluster DB trigger Lambda with a CALL MySQL.lambda_async Procedure. The RDS instance has the role of triggering a lambda function since it is internal to AWS it, therefore, must be assigned an IAM Role. The idea is to give minimum access unless more is needed, and how to change configuration files without having direct access to the RDS virtual machine. Therefore, Parameter Group Values need to be changed in order to make some of the configuration changes in the DB software without having to directly connect to the virtual machine. It is designed to be easier than the traditional method of using SSH or direct connection software. This also allows for greater accountability since the abstraction layer, i.e., the AWS console can track user activity so which user/service committed the action of Lambda to trigger to help pinpoint issues.

Note

I'm not an expert, so please correct my explanation as I don't have a full grasp on AWS so I could have made mistakes in either my steps or explanation. But this is what I did to resolve my particular issue.

EDIT: (Minutes after posting)

My Specific Issue:

When I made a direct call in SQL, it gave me the following error output which led me to the steps I outlined to resolve the issue.

mysql> CALL mysql.lambda_async('arn:aws:lambda:us-region-1:02020202020:function:FuncSomeNameLambdaFunc', CONCAT('{ "subject" : "', 'subject contents', '", "message" : "', 'Message Contents', '" }') );

ERROR 1873 (HY000): Lambda API returned error: Missing designated IAM role (aws_default_lambda_role)

这篇关于从Aurora RDS存储过程权限问题调用AWS Lambda的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！