Asked by: Sree Teja Asked: 10/25/2023 Updated: 10/25/2023 Views: 27
Unable to publish to SNS Topic from Lambda inside private subnet of VPC
Q:
I have a Lambda function that needs to access an EC2 instance running in a private subnet of my VPC, so I associated the Lambda with the VPC's private subnet. My Lambda also needs to publish to an SNS topic. I even configured an SNS VPC interface endpoint for SNS access. But I cannot publish to SNS from this Lambda. What am I doing wrong? Here is my configuration.
# SNS interface endpoint placed in the private subnet. It reuses the
# security group of the private EC2 instance (defined below); that group
# has no inbound rule for TCP 443.
resource "aws_vpc_endpoint" "sns" {
  vpc_id              = VPC_ID
  service_name        = "com.amazonaws.ca-central-1.sns"
  vpc_endpoint_type   = "Interface"
  private_dns_enabled = true
  subnet_ids = [
    PRIVATE_SUBNET_ID
  ]
  security_group_ids = [
    SECURITY_GROUP_FOR_PRIVATE_EC2_ID
  ]
}

# Elastic IP for the NAT gateway.
resource "aws_eip" "nat_eip" {
  domain = "vpc"
  tags = {
    Name = "TAG"
  }
  depends_on = [aws_internet_gateway.db_proxy]
}

# NAT gateway in the public subnet; gives the private subnet outbound
# internet access.
resource "aws_nat_gateway" "db_proxy" {
  allocation_id = aws_eip.nat_eip.id
  subnet_id     = PUBLIC_SUBNET_ID
  tags = {
    Name = "TAG"
  }
  depends_on = [aws_internet_gateway.db_proxy]
}

# Route table associated with the private subnet: default route via NAT.
resource "aws_route_table" "db_proxy_private" {
  vpc_id = VPC_ID
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.db_proxy.id
  }
  tags = {
    Name = "TAG"
  }
}

# Security group associated with the private EC2 instance (and, above,
# with the SNS endpoint). Inbound rules only cover 22, 80 and 8000 from
# the public subnet CIDR.
resource "aws_security_group" "db_proxy_sg_private" {
  name        = NAME
  description = "Managed by Terraform"
  vpc_id      = VPC_ID

  # To allow SSH transport
  ingress {
    from_port   = 22
    protocol    = "tcp"
    to_port     = 22
    cidr_blocks = ["10.0.1.0/24"] // Public Subnet CIDR
    description = "Whitelisted SSH IPs"
  }

  # To allow port 80 transport
  ingress {
    from_port   = 80
    protocol    = "tcp"
    to_port     = 80
    cidr_blocks = ["10.0.1.0/24"] // Public Subnet CIDR
    description = "Outgoing HTTP transport"
  }

  # Open port 8000 for external access
  ingress {
    from_port   = 8000
    protocol    = "tcp"
    to_port     = 8000
    cidr_blocks = ["10.0.1.0/24"] // Public Subnet CIDR
    description = "EC2 HTTP port"
  }

  # Unrestricted outbound
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    create_before_destroy = true
  }
}
Assume the Lambda has been successfully associated with the private subnet and the private security group. The Lambda configuration is not attached here.
When the Lambda is associated with the private subnet, my SNS call times out. After dissociating it, it works as expected. I assume something is wrong with the SNS VPC interface endpoint configuration.
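The configuration posted above attaches the private EC2 instance's security group to the SNS interface endpoint, and that group has no inbound rule for TCP 443, so the TLS handshake from the Lambda's ENI to the endpoint's ENI is dropped and the publish call hangs. Because private_dns_enabled is true, sns.ca-central-1.amazonaws.com resolves to the endpoint's private address inside the VPC, so the NAT route is never used as a fallback. The following is an added example (not the asker's code, and not an official AWS or Terraform snippet) of the same endpoint with dedicated security groups on both sides. The resource names, the variables and the topic ARN in the endpoint policy are assumptions; only the region and service name come from the question.

```hcl
# Added example, not part of the original question. Variable names,
# resource names and the topic ARN below are assumptions.

variable "vpc_id"            { type = string }
variable "private_subnet_id" { type = string }
variable "private_ec2_sg_id" { type = string } # SG of the EC2 the Lambda must reach

# Security group attached to the Lambda's ENIs. Egress is limited to what
# the function actually needs: HTTPS to the SNS endpoint and the EC2 port.
resource "aws_security_group" "lambda_sg" {
  name        = "lambda-private-subnet"
  description = "Lambda egress to SNS endpoint and private EC2"
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "lambda_to_sns_endpoint" {
  type                     = "egress"
  security_group_id        = aws_security_group.lambda_sg.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.sns_endpoint_sg.id
}

resource "aws_security_group_rule" "lambda_to_ec2" {
  type                     = "egress"
  security_group_id        = aws_security_group.lambda_sg.id
  from_port                = 8000
  to_port                  = 8000
  protocol                 = "tcp"
  source_security_group_id = var.private_ec2_sg_id
}

# Matching ingress on the EC2 side so the Lambda can reach port 8000.
resource "aws_security_group_rule" "ec2_from_lambda" {
  type                     = "ingress"
  security_group_id        = var.private_ec2_sg_id
  from_port                = 8000
  to_port                  = 8000
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.lambda_sg.id
}

# Security group attached to the SNS interface endpoint's ENIs. This is the
# rule the posted configuration lacks: inbound TCP 443 from the Lambda SG.
resource "aws_security_group" "sns_endpoint_sg" {
  name        = "sns-interface-endpoint"
  description = "Inbound HTTPS from Lambda to the SNS endpoint"
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "sns_endpoint_from_lambda" {
  type                     = "ingress"
  security_group_id        = aws_security_group.sns_endpoint_sg.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.lambda_sg.id
}

resource "aws_vpc_endpoint" "sns" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.ca-central-1.sns"
  vpc_endpoint_type   = "Interface"
  private_dns_enabled = true
  subnet_ids          = [var.private_subnet_id]
  security_group_ids  = [aws_security_group.sns_endpoint_sg.id]

  # Endpoint policy (assumed topic ARN): anything in the VPC can only use
  # this endpoint to publish to the one topic, even if its IAM role allows more.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["sns:Publish"]
      Resource  = ["arn:aws:sns:ca-central-1:123456789012:example-topic"]
    }]
  })
}
```

To confirm the path before touching the Lambda, resolve sns.ca-central-1.amazonaws.com from an instance in the private subnet; with private DNS enabled it must return the endpoint ENI's private address, and a TCP connect to that address on 443 must succeed. If the name still resolves to a public address, the VPC's enableDnsHostnames/enableDnsSupport settings or the private DNS option are the problem rather than the security group. Note also that the botocore default connect and read timeouts (60 seconds each) are far longer than the default Lambda timeout (3 seconds), so a blocked handshake surfaces as the Lambda itself timing out, exactly as described in the question, rather than as an SDK error.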
A:
0 votes
Ankush Jain
10/25/2023
#1
It looks like the Lambda function is missing IAM permissions. A Lambda function in a VPC needs the following permissions to work properly.
Execution role permissions
ec2:CreateNetworkInterface
ec2:DescribeNetworkInterfaces
ec2:DeleteNetworkInterface
These permissions are included in the AWS managed policy AWSLambdaVPCAccessExecutionRole.
So make sure this managed policy is attached to the Lambda function's IAM role.
Comments
1 vote
Mark B
10/25/2023
Missing IAM permissions would not cause a timeout; they would cause a permission denied error.
0 votes
Sree Teja
10/25/2023
Yes, I completely agree @MarkB. I have already configured the IAM permissions to create network interfaces. I am running into a timeout, and I suspect it is related to the security group associated with the SNS VPC interface endpoint.