Access AWS S3 from Lambda within VPC


Question

Overall, I'm pretty confused by using AWS Lambda within a VPC. The problem is Lambda is timing out while trying to access an S3 bucket. The solution seems to be a VPC Endpoint.

I've added the Lambda function to a VPC so it can access an RDS hosted database (not shown in the code below, but functional). However, now I can't access S3 and any attempt to do so times out.

I tried creating a VPC S3 Endpoint, but nothing has changed.

VPC configuration

I'm using a simple VPC created by default whenever I first made an EC2 instance. It has four subnets, all created by default.

VPC route table

| Destination | Target | Status | Propagated |
| --- | --- | --- | --- |
| 172.31.0.0/16 | local | Active | No |
| pl-63a5400a (com.amazonaws.us-east-1.s3) | vpce-b44c8bdd | Active | No |
| 0.0.0.0/0 | igw-325e6a56 | Active | No |

Simple S3 download Lambda:

import boto3
import pymysql  # used for the RDS access that is not shown here
from io import BytesIO  # binary buffer; download_fileobj writes bytes

def lambda_handler(event, context):
    s3Obj = BytesIO()

    # This is the call that hangs until the function times out once the Lambda is inside the VPC.
    return boto3.resource('s3').Bucket('marineharvester').download_fileobj('Holding - Midsummer/sample', s3Obj)

Accepted answer

With boto3, the S3 urls are virtual by default, which then require internet access to be resolved to region specific urls. This causes the hanging of the Lambda function until timeout.

To resolve this requires use of a Config object when creating the client, which tells boto3 to create path based S3 urls instead:

import boto3
from botocore.config import Config

# Path-style addressing keeps requests on the regional S3 endpoint that the
# VPC endpoint route covers; the region must match where the Lambda and the
# VPC endpoint are deployed.
client = boto3.client('s3', 'ap-southeast-2',
                      config=Config(s3={'addressing_style': 'path'}))

Note that the region in the call must be the region to which you are deploying the lambda and VPC Endpoint.

Then you will be able to use the pl-xxxxxx prefix list for the VPC Endpoint within the Lambda's security group, and still access S3.

Here is a working CloudFormation script that demonstrates this. It creates an S3 bucket, a lambda (that puts records into the bucket) associated to a VPC containing only private subnets and the VPC Endpoint, and necessary IAM roles.

