Lambda using python 3.6 & boto3 in VPC times out when connecting to Redshift


Problem description

I am trying to use boto3 in python3.6 to connect to my Redshift cluster using the get_cluster_credentials API. The following code times out 100% of the time when the Lambda function is added to the VPC. It runs without issue when Lambda is not added to the VPC.

I can't figure out if get_cluster_credentials uses the public or private IP to access Redshift. I also can't figure out if there is a way to force it to use one or the other.

import json
import boto3

def lambda_handler(event, context):
    redshiftClient = boto3.client('redshift', region_name='us-east-1')
    cluster_creds = redshiftClient.get_cluster_credentials( DbUser='awsuser',
                                                            DbName='dev',
                                                            ClusterIdentifier='redshift-cluster-1',
                                                            AutoCreate=False)
    print(cluster_creds)

    return {
        'statusCode': 200,
        'body': json.dumps('Hello from Lambda!')
    }

My configuration is very simple. The NACL lets everything (0.0.0.0/0) through on all ports and protocols. My SG does the same thing.

I have 1 internet gateway defined: igw-0d1e6dcbfdea792b2

I have 1 subnet and 1 routing table in the VPC. The routing table has one rule to map 0.0.0.0/0 --> igw-0d1e6dcbfdea792b2.

I am able to connect from outside AWS to the cluster using SQL Workbench/J without issue.

I have looked at many posts, threads and documents, but cannot figure out what is happening:

AWS Lambda times out connecting to RedShift

Connect Lambda to Redshift in a different Availability Zone

https://github.com/awslabs/aws-lambda-redshift-loader/issues/86

Access Redshift from Lambda - avoiding the 0.0.0.0/0 security group

https://aws.amazon.com/blogs/big-data/a-zero-administration-amazon-redshift-database-loader/

Connecting AWS Lambda to Redshift - times out after 60 seconds

Please help.

Many thanks.

Recommended answer

As per your other question, when an AWS Lambda function is added to a VPC, it does not receive a Public IP address. Therefore, if the function wishes to access the Internet (in this case to make the get_cluster_credentials() call), you should:

  • Add a NAT Gateway in a Public subnet
  • Attach the Lambda function to a Private subnet
  • Set routing on the private subnet to use the NAT Gateway for 0.0.0.0/0

It will not work if you have only one subnet, since the Lambda function will not be able to access the NAT Gateway.

I have also had success manually assigning an Elastic IP address to the Lambda function's ENI (instead of using a NAT Gateway), but this will not scale because Lambda might deploy additional containers and therefore additional ENIs. It might be sufficient if the function runs rarely and never concurrently.
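
An added example, not part of the original question or answer: a check that classifies a subnet's 0.0.0.0/0 route from EC2 DescribeRouteTables output, so the igw-only layout in the question can be told apart from the NAT layout the answer recommends. The subnet and NAT ids, the function names and the sample tables are constructed assumptions; only the igw id comes from the question.

```python
# Added example (not from the original answer). Dicts follow the shape of the
# EC2 DescribeRouteTables response; subnet and NAT ids below are constructed.

def default_route_target(route_tables, subnet_id):
    """Return the target id of the active 0.0.0.0/0 route governing subnet_id."""
    explicit = main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                explicit = table
            elif assoc.get("Main"):
                main = table
    # A subnet with no explicit association falls back to the VPC's main table.
    table = explicit or main
    for route in (table or {}).get("Routes", []):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("State", "active") == "active"):
            return route.get("NatGatewayId") or route.get("GatewayId") or "other"
    return None  # no route, or only a blackhole route (e.g. a deleted NAT)

def lambda_egress(route_tables, subnet_id):
    """Classify whether a Lambda ENI in subnet_id can reach public AWS APIs."""
    target = default_route_target(route_tables, subnet_id)
    if target is None:
        return "no-default-route"  # isolated subnet: the API call times out
    if target.startswith("nat-"):
        return "nat"               # private subnet behind a NAT Gateway
    if target.startswith("igw-"):
        return "igw-only"          # Lambda ENI has no public IP: times out
    return "other"                 # e.g. a NAT instance; inspect manually

def fetch_route_tables(vpc_id):
    """Live lookup; needs boto3 and the ec2:DescribeRouteTables permission."""
    import boto3
    flt = [{"Name": "vpc-id", "Values": [vpc_id]}]
    return boto3.client("ec2").describe_route_tables(Filters=flt)["RouteTables"]

IGW = "igw-0d1e6dcbfdea792b2"  # id taken from the question
# Question's layout: one subnet, main table sends 0.0.0.0/0 to the IGW.
BEFORE = [{"Associations": [{"Main": True}],
           "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW}]}]
# Answer's layout: public subnet keeps the IGW, private subnet uses the NAT.
AFTER = BEFORE + [{"Associations": [{"SubnetId": "subnet-private-example"}],
                   "Routes": [{"DestinationCidrBlock": "0.0.0.0/0",
                               "NatGatewayId": "nat-example"}]}]

if __name__ == "__main__":
    print(lambda_egress(BEFORE, "subnet-only-example"))
    print(lambda_egress(AFTER, "subnet-private-example"))
```

Pass the subnet ids from the Lambda function's VPC configuration; any result other than "nat" means the get_cluster_credentials() call has no working path to the Redshift API endpoint under the answer's reasoning.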
