从 Aurora RDS 存储过程权限问题调用 AWS Lambda [英] Call AWS Lambda from Aurora RDS Stored Procedure Permissions Issue

问题描述

我在 AWS 中创建了一些 Lambda，以及一个 Aurora RDS(公开可用).我无法执行 lambdas(通过 call mysql.lambda_async).

当我尝试时，我收到错误 ERROR 1873: 1873: Lambda API returned error: Missing Credentials: Cannot instanceiate Lambda Client.

我尝试附加一个名为 aurora-lambdas 的 IAM 角色，我在其中设置了对 RDS 和 Lambdas 的完全访问权限以及这些服务之间的信任关系，但在尝试了各种配置后，我仍然遇到问题.

是否有人从 RDS 成功执行了 AWS Lambda?谢谢:)

解决方案

参数键 aws_default_lambda_role 需要具有角色的完整 ARN 值路径，该角色既附加到 Aurora 集群，又具有与其关联的正确 lambda 访问策略.

首先，启用 IAM DB Authentication Enabled 这意味着您的数据库用户凭证可以通过 AWS IAM 用户和角色进行管理.

创建策略、创建角色、将策略附加到角色、将角色关联到 Aurora 集群的步骤如下.

1.

8.选择参数组族 aurora5.6

9. 选择类型 DB Cluster Parameter Group

10.在文本框中输入所需的配置组名为someName56

11.创建然后编辑参数

12. 查找参数名称 aws_default_lambda_role 并输入在上述步骤 4 中创建的 IAM 角色的 ARN.

简要说明

请务必记住，由于涉及到抽象层，因此 IAM 用户、角色和策略是分离的.策略可以附加到用户或角色.但不能单独与 EC2 或 RDS 等正在运行的实例相关联.要将 S3 或 Lambda 访问权限附加到本地计算机上编写的代码，必须使用附加了适当策略的 IAM 用户.要附加对 Amazon 内部服务的访问权限，则必须分配一个 IAM 角色，例如，使用 CALL MySQL.lambda_async 过程允许 RDS Aurora 集群数据库触发 Lambda.RDS 实例具有触发 lambda 函数的角色，因为它是 AWS 内部的，因此必须分配一个 IAM 角色.这个想法是提供最少的访问权限，除非需要更多，以及如何在不直接访问 RDS 虚拟机的情况下更改配置文件.因此，需要更改参数组值，以便在 DB 软件中进行一些配置更改，而无需直接连接到虚拟机.它旨在比使用 SSH 或直接连接软件的传统方法更容易.这也允许更大的责任，因为抽象层，即 AWS 控制台可以跟踪用户活动，以便哪个用户/服务提交 Lambda 的操作来触发以帮助查明问题.

注意

我不是专家，所以请纠正我的解释，因为我对 AWS 没有完全掌握，所以我可能在我的步骤或解释中犯了错误.但这就是我为解决我的特定问题所做的.

(发布后几分钟)

我的具体问题:

当我在 SQL 中进行直接调用时，它给了我以下错误输出，这使我进入了我概述的解决问题的步骤.

mysql>CALL mysql.lambda_async('arn:aws:lambda:us-region-1:02020202020:function:FuncSomeNameLambdaFunc', CONCAT('{ "subject" : "', 'subject contents', '", "message": "', '消息内容', '" }') );

ERROR 1873 (HY000):Lambda API 返回错误:缺少指定的 IAM 角色 (aws_default_lambda_role)

I've created a few Lambdas in AWS, and an Aurora RDS (publicly available). I couldn't execute lambdas (via call mysql.lambda_async).

When I tried that I got the error ERROR 1873: 1873: Lambda API returned error: Missing Credentials: Cannot instantiate Lambda Client.

I tried attaching an IAM role called aurora-lambdas where I set full access to RDS and Lambdas and a trusted relationship between those services, but after trying various configurations I still get the issue.

Do someone have successfully executed an AWS Lambda from RDS? Thanks :)

解决方案

The parameter key aws_default_lambda_role needs to have the full ARN value path of the role that is both attached to the Aurora Cluster and has the correct lambda access policy associated with it.

Firstly, Enable IAM DB Authentication Enabled which means your database user credentials can be managed through AWS IAM users and roles.

The steps to create the policy, create the role, attach the policy to the role, associate the role to the Aurora Cluster are as follows.

1. Create an IAM Policy to Access AWS Lambda Resources.

2. Create IAM Role to Allow Amazon Aurora to Access AWS Services with Policy attached.

3. Associate IAM Role with an Amazon Aurora MySQL DB Cluster that needs to use Lambda.

4. Set the cluster-level parameter key for the related AWS service to the ARN for the associated IAM role. Use step 10 from weblink 3 given above. Step 10 describes aws_default_s3_role, but we just need to look for aws_default_lambda_role.

5. Go to RDS Dashboard

6. Click Parameter Groups

7. Click Create Parameter Group

8. Select Parameter Group Family aurora5.6

9. Select Type DB Cluster Parameter Group

10. Type in text box desired configuration Group Name as someName56

11. Create and then Edit Parameters

12. Look for Parameter Name aws_default_lambda_role and type in the ARN for the IAM Role created in step 4 above.

Brief Explanation

It is important to remember that because of the abstraction layers involved, there are separations of IAM users, roles, and policies. A Policy can be attached to a user or role. but cannot be associated by itself with running instances like EC2 or RDS. To attach S3 or Lambda access to Code written on your local computer an IAM User with the appropriate policy attached must be used. To attach access to Amazon internal services then an IAM Role must be assigned to, for example, allow RDS Aurora Cluster DB trigger Lambda with a CALL MySQL.lambda_async Procedure. The RDS instance has the role of triggering a lambda function since it is internal to AWS it, therefore, must be assigned an IAM Role. The idea is to give minimum access unless more is needed, and how to change configuration files without having direct access to the RDS virtual machine. Therefore, Parameter Group Values need to be changed in order to make some of the configuration changes in the DB software without having to directly connect to the virtual machine. It is designed to be easier than the traditional method of using SSH or direct connection software. This also allows for greater accountability since the abstraction layer, i.e., the AWS console can track user activity so which user/service committed the action of Lambda to trigger to help pinpoint issues.

Note

I'm not an expert, so please correct my explanation as I don't have a full grasp on AWS so I could have made mistakes in either my steps or explanation. But this is what I did to resolve my particular issue.

EDIT: (Minutes after posting)

My Specific Issue:

When I made a direct call in SQL, it gave me the following error output which led me to the steps I outlined to resolve the issue.

mysql> CALL mysql.lambda_async('arn:aws:lambda:us-region-1:02020202020:function:FuncSomeNameLambdaFunc', CONCAT('{ "subject" : "', 'subject contents', '", "message" : "', 'Message Contents', '" }') );

ERROR 1873 (HY000): Lambda API returned error: Missing designated IAM role (aws_default_lambda_role)

这篇关于从 Aurora RDS 存储过程权限问题调用 AWS Lambda的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！