无法通过 Lambda 中的 VPC 端点访问 S3 [英] Can not access S3 via VPC endpoint in Lambda

问题描述

我的 VPC 中有一个 Lambda 函数，我想访问 S3 存储桶.

I have a Lambda function in my VPC, and I want to access S3 bucket.

我认为我已经正确设置了 S3 VPC 端点，

I have set S3 VPC endpoint correctly I think,

因为我在同一个子网(Lambda 函数子网)中创建了一个 EC2 实例，

because I created an EC2 instance in the same subnet(Lambda function subnet),

使用相同的安全组，

并运行 Lambda 函数代码的副本，

and run the copy of Lambda function code,

可以正确显示S3文件内容.

但是当我在 Lambda 中运行代码时，它失败了.

But when I run the code in Lambda, it failed.

那么，我想知道在 EC2 中运行"和在 Lambda 中运行"有什么区别?

为什么我在 Lambda 中运行它会失败?

Why it failed when I run it in Lambda?

这是我的 Lambda 函数代码:

Here is my Lambda function code:

import boto3

s3 = boto3.client('s3', region_name='ap-northeast-1')

def lambda_handler(event, context):
    bucket = '*xxxxxx*'
    key = 's3-upload.json'
    try:
        response = s3.get_object(Bucket=bucket, Key=key)
        print('--------------------------------------')
        print(response)
        print('--------------------------------------')
        body = response['Body'].read()
        print(body)
        print('--------------------------------------')
        print("CONTENT TYPE: " + response['ContentType'])

    except Exception as e:
        print('Error getting object.')
        print(e)
        raise e

推荐答案

如果您想允许 AWS Lambda 访问 Amazon S3，请使用以下方法之一:

If you want to allow an AWS Lambda to access Amazon S3, use one of these methods:

• 不要将函数关联到 VPC.然后访问是自动的.
• 如果该函数附加到 VPC 中的公有子网，请将 弹性 IP 关联到出现在 VPC 中的 Lambda 函数的 ENI(不推荐)
• 如果该函数附加到 VPC 中的私有子网，则在公共子网中启动 NAT 网关并更新路由表.流量将通过 NAT 网关流向互联网.
• 在 VPC 中添加 Amazon S3 VPC 终端节点并更新路由表.流量将通过它而不是互联网网关.

• Do not associate the function to a VPC. Access is then automatic.
• If the function is attached to a public subnet in the VPC, associate an Elastic IP to the Lambda function's ENI that appears in the VPC (Not recommended)
• If the function is attached to a private subnet in the VPC, launch a NAT Gateway in the public subnet and update Route Tables. Traffic will flow to the Internet via the NAT Gateway.
• Add an Amazon S3 VPC Endpoint in the VPC and update Route Tables. Traffic will flow through that instead of the Internet Gateway.

这篇关于无法通过 Lambda 中的 VPC 端点访问 S3的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！