AWS Lambda Ruby on VPC - Seahorse::Client::NetworkingError


Problem description

After adding my Ruby Lambda function to a VPC and attaching the relevant SecurityGroups, I have problems retrieving the SSM credentials for pulling config from AWS SSM Parameter Store and I bump into this weird network error after timeout.

This happens when trying to retrieve SSM credentials via ssm.get_parameters_by_path but the trace feels like this would have happened on any other AWS call.

{
  "errorMessage": "execution expired",
  "errorType": "Function<Seahorse::Client::NetworkingError>",
  "stackTrace": [
    "/var/lang/lib/ruby/2.5.0/net/http.rb:937:in `initialize'",
    "/var/lang/lib/ruby/2.5.0/net/http.rb:937:in `open'",
    "/var/lang/lib/ruby/2.5.0/net/http.rb:937:in `block in connect'",
    "/var/lang/lib/ruby/2.5.0/timeout.rb:103:in `timeout'",
    "/var/lang/lib/ruby/2.5.0/net/http.rb:935:in `connect'",
    "/var/lang/lib/ruby/2.5.0/net/http.rb:920:in `do_start'",
    "/var/lang/lib/ruby/2.5.0/net/http.rb:915:in `start'",
    "/var/lang/lib/ruby/2.5.0/delegate.rb:83:in `method_missing'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/net_http/connection_pool.rb:297:in `start_session'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/net_http/connection_pool.rb:96:in `session_for'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/net_http/handler.rb:121:in `session'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/net_http/handler.rb:73:in `transmit'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/net_http/handler.rb:47:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/plugins/content_length.rb:12:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/json/error_handler.rb:8:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/signature_v4.rb:66:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/helpful_socket_errors.rb:10:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:171:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:202:in `retry_request'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:185:in `retry_if_possible'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:173:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:202:in `retry_request'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:185:in `retry_if_possible'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:173:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:202:in `retry_request'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:185:in `retry_if_possible'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:173:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/json/handler.rb:11:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/user_agent.rb:13:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/endpoint_pattern.rb:28:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/endpoint_discovery.rb:78:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/plugins/endpoint.rb:45:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/param_validator.rb:24:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/plugins/raise_response_errors.rb:14:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:20:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/idempotency_token.rb:17:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/param_converter.rb:24:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/response_paging.rb:10:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/plugins/response_target.rb:23:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/request.rb:70:in `send_request'",
    "/var/runtime/gems/aws-sdk-ssm-1.34.0/lib/aws-sdk-ssm/client.rb:4495:in `get_parameters_by_path'",

If I remove the function from the VPC everything runs fine. What went wrong? (Note that I have added the VPC permission to my Lambda role, as well as SSM access.)

My SSM client is initialized this way:

require 'aws-sdk-ssm'

# Memoized SSM client; region and credentials come from the Lambda execution environment.
def ssm
  @ssm ||= Aws::SSM::Client.new
end
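The payload above is what the Lambda runtime reports when the SDK gives up. The frames tell the story: `net/http.rb ... connect` wrapped in `timeout.rb` means the TCP connection to the SSM endpoint was never opened, and the three `retry_request` frames are the SDK's default retries being spent on the same dead connection. The following triage helper is an added example, not code from the question or the answer; it parses a constructed, abbreviated copy of that payload and distinguishes a connect-phase timeout (no network path from the function's subnets to the service) from other networking errors.

```ruby
require 'json'

# Constructed sample: an abbreviated copy of the error payload from the question.
SAMPLE_ERROR = <<~JSON
  {
    "errorMessage": "execution expired",
    "errorType": "Function<Seahorse::Client::NetworkingError>",
    "stackTrace": [
      "/var/lang/lib/ruby/2.5.0/net/http.rb:937:in `initialize'",
      "/var/lang/lib/ruby/2.5.0/net/http.rb:937:in `block in connect'",
      "/var/lang/lib/ruby/2.5.0/timeout.rb:103:in `timeout'",
      "/var/lang/lib/ruby/2.5.0/net/http.rb:935:in `connect'",
      "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:202:in `retry_request'",
      "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:202:in `retry_request'",
      "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:202:in `retry_request'",
      "/var/runtime/gems/aws-sdk-ssm-1.34.0/lib/aws-sdk-ssm/client.rb:4495:in `get_parameters_by_path'"
    ]
  }
JSON

# Classify a Lambda error payload (JSON string). Returns a Hash with the failing
# SDK operation, whether the failure happened while opening the TCP connection,
# how many SDK-level retries were spent, and a one-line verdict for triage.
def diagnose_lambda_error(payload)
  err = JSON.parse(payload)
  trace = err.fetch('stackTrace', [])
  networking = err['errorType'].to_s.include?('Seahorse::Client::NetworkingError')
  # Only the bare `connect' frame counts; "block in connect" is its inner block.
  connect_phase = trace.any? { |f| f =~ %r{net/http\.rb:\d+:in `connect'} }
  retries = trace.count { |f| f.end_with?("`retry_request'") }
  # First frame from a service gem (aws-sdk-ssm, ...) rather than aws-sdk-core.
  op_frame = trace.find { |f| f.include?('/aws-sdk-') && !f.include?('aws-sdk-core') }
  operation = op_frame && op_frame[/`([^']+)'\z/, 1]
  verdict =
    if networking && connect_phase
      'connect timeout: no route or security-group egress from the function subnets to the service endpoint'
    elsif networking
      'networking error after connecting: check read timeout and service availability'
    else
      'not a networking error'
    end
  { operation: operation, connect_timeout: networking && connect_phase,
    sdk_retries: retries, verdict: verdict }
end
```

On a real client the same failure surfaces before the Lambda timeout if `http_open_timeout` and `retry_limit` are lowered when constructing `Aws::SSM::Client`, which turns a silent "execution expired" into a fast, attributable error.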

Recommended answer

EDIT: I had misunderstood the OP's question, so I have edited accordingly trying to explain why it may be failing.

When your Lambda needs to access other AWS Services from within a VPC, your function will need access to your VPC AND to the Internet. This is achievable by attaching both public AND private subnets. The public subnet is the one which has an internet gateway attached to it and therefore can access the public internet and the private subnet is the one that is accessed through a NAT Gateway, visible only inside the AWS VPC.

Also, keep in mind that your Security Groups must allow inbound TCP connections from 0.0.0.0/0 (or just whitelist the host you want to allow).

If you can, avoid putting your Lambda Function inside a VPC as much as you can, since it can increase the cold starts significantly (sometimes it adds 10 seconds on top of your request, which will cause most of your Lambda functions to timeout if not configured properly)

Hope this helps!

EDIT 2: I will try to walk you through the process of creating a new VPC through the wizard with two subnets (public and private), allowing the inbound rules on the SG and finally attaching the SNs and the SG to the Lambda function

Please create an Elastic IP beforehand

Through the console, click on VPC, then click on Launch VPC Wizard

Select VPC with Public and Private Subnets

Leave the default config and add the Elastic IP you've just created

Once your VPC is created, you should now have a public and a private subnet

By default, your SG will already be accepting All Traffic

Finally, go to your Lambda function and, under the VPC section, add your Subnets and the Security Group.

And voilà, your Lambda should now be able to access the Internet (or other AWS Services).
