Calling Custom Lambda Layers Functions on Lambda


Problem description

I'm trying to implement a custom AWS Lambda layer in order to use it with my functions.
It should be a simple layer that gets some parameter from ssm and initializes puresec's function_shield for protection of my services.
The code looks more or less like this:

import os
import boto3
import function_shield as shield


STAGE = os.environ['stage']
REGION = os.environ['region']
PARAMETERS_PREFIX = os.environ['parametersPrefix']


class ParameterNotFoundException(Exception):
    pass


session = boto3.session.Session(region_name=REGION)
ssm = session.client('ssm')

# function_shield config
parameter_path = f"/{PARAMETERS_PREFIX}/{STAGE}/functionShieldToken"

try:
    shield_token = ssm.get_parameter(
        Name=parameter_path,
        WithDecryption=True,
    )['Parameter']['Value']

except Exception:
    raise ParameterNotFoundException(f'Parameter {parameter_path} not found.')


policy = {
    "outbound_connectivity": "block",
    "read_write_tmp": "block",
    "create_child_process": "block",
    "read_handler": "block"
}


def configure(p):
    """
    update function_shield policy
    :param p: policy dict
    :return: null
    """
    policy.update(p)
    shield.configure({"policy": policy, "disable_analytics": True, "token": shield_token})


configure(policy)

I want to be able to link this layer to my functions for it to be protected in runtime.
I'm using the serverless framework, and it seems like my layer was deployed just fine, as it was with my example function. Also, the AWS console shows me that the layer was linked in my function.

I named my layer 'shield' and tried to import it by its name on my test function:

import os
import shield


def test(event, context):
    shield.configure(policy)  # this should be reusable for easy tweaking whenever I need to give more or less permissions to my lambda code.
    os.system('ls')

    return {
        'rep': 'ok'
    }

Ideally, I should get an error on CloudWatch telling me that function_shield has prevented a child_process from running, however I instead receive an error telling me that there is no 'shield' declared on my runtime.

What am I missing? I couldn't find any custom code examples being used for layers apart from numpy, scipy, binaries, etc.

I'm sorry for my stupidity...
Thanks for your kindness!

Recommended answer

You also need to name the file in your layer shield.py so that it's importable in Python. Note it does not matter how the layer itself is named. That's a configuration in the AWS world and has no effect on the Python world.

What does have an effect is the structure of the layer archive. You need to place the files you want to import into a python directory, zip it and use that resulting archive as a layer (I'm presuming serverless framework is doing this for you).

In the Lambda execution environment, the layer archive gets extracted into /opt, but it's only /opt/python that's declared in the PYTHONPATH. Hence the need for the "wrapper" python directory.
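
The layout rule from the answer above, as a pre-deploy check. This is an added example, not code from the original question or answer; build_layer, importable_modules and the sample shield.py contents are hypothetical names and constructed data, and the check only models the /opt/python location the answer describes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Directory inside the layer archive that ends up on the Python path
# (/opt/python once the archive is extracted into /opt).
LAYER_PYTHON_DIR = "python"


def build_layer(files, wrap=True):
    """Return layer zip bytes; wrap=True puts each file under python/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, source in files.items():
            arcname = f"{LAYER_PYTHON_DIR}/{name}" if wrap else name
            zf.writestr(arcname, source)
    return buf.getvalue()


def importable_modules(layer_zip):
    """Top-level module and package names importable from /opt/python."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(layer_zip)) as zf:
        for entry in zf.namelist():
            parts = PurePosixPath(entry).parts
            if len(parts) < 2 or parts[0] != LAYER_PYTHON_DIR:
                continue  # extracted under /opt, but not under /opt/python
            if len(parts) == 2 and parts[1].endswith(".py"):
                found.add(parts[1][:-3])   # python/shield.py -> shield
            elif len(parts) == 3 and parts[2] == "__init__.py":
                found.add(parts[1])        # python/pkg/__init__.py -> pkg
    return found


# Constructed stand-in for the layer module from the question.
SAMPLE = {"shield.py": "def configure(p):\n    return p\n"}

if __name__ == "__main__":
    for wrap in (False, True):
        mods = importable_modules(build_layer(SAMPLE, wrap=wrap))
        label = "python/ wrapper" if wrap else "flat archive"
        print(label, "->", sorted(mods) or "nothing importable")
```

Running the same check against the archive the deployment tool actually produces shows whether "import shield" can resolve before the function is invoked.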
