AWS Lambda Function not joining VPC

試著忘記壹切 submitted on 2020-01-05 04:54:10

Question


I am trying to connect to my AWS Aurora DB. Following the documentation guide 3 times over I received the same timeout error on the mysql connection. After digging in, it seems that my lambda function is simply not joining the VPC.

I will list some outputs (with unnecessary lines removed) to show how I came to this conclusion.

If anyone can point out where I went wrong in my configuration, please let me know. Before anyone mentions it, yes, I have checked the db program variables many times; it has to be a configuration issue.

Role:

$ aws lambda get-function-configuration --function-name "test" --output json
{
    "FunctionName": "test",
    "VpcConfig": {
        "SubnetIds": [
            "subnet-560b810e",
            ...
        ],
        "VpcId": "vpc-c3e2f3a7",
        "SecurityGroupIds": [
            "sg-e029969a"
        ]
    },
    "Role": "arn:aws:iam::141066641105:role/test"
}

Attached Policy List:

$ aws iam list-attached-role-policies --role-name test --output json
{
    "AttachedPolicies": [
        {
            "PolicyName": "AWSLambdaVPCAccessExecutionRole",
            "PolicyArn": "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
        }
    ]
}

VPC:

$ aws ec2 describe-vpcs --vpc-ids "vpc-c3e2f3a7" --output json
{
    "Vpcs": [
        {
            "VpcId": "vpc-c3e2f3a7",
            "State": "available",
            "CidrBlock": "172.31.0.0/16",
        }
    ]
}

Security Group:

$ aws ec2 describe-security-groups --group-ids "sg-e029969a" --output json
{
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [],
            "IpPermissions": [
                {
                    "PrefixListIds": [],
                    "FromPort": 0,
                    "IpRanges": [],
                    "ToPort": 65535,
                    "IpProtocol": "tcp",
                    "UserIdGroupPairs": [
                        {
                            "UserId": "141066641105",
                            "GroupId": "sg-e029969a"
                        }
                    ]
                },
            ],
            "GroupName": "db-access",
            "VpcId": "vpc-c3e2f3a7",
            "OwnerId": "141066641105",
            "GroupId": "sg-e029969a"
        }
    ]
}

IP Address python code:

import logging
import socket
import subprocess

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# Resolve the DB hostname from inside the function
response = socket.gethostbyname('test.db')
logger.info("test.db IP: " + response)

# Dump the interfaces visible inside the function's sandbox
command = "/sbin/ip addr show"
process = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=None, shell=True)
# communicate() returns (stdout, stderr); stdout is bytes, so decode it before concatenating
response = process.communicate()
logger.error("IP command: " + response[0].decode())

IP Address output:

test.db IP: 172.31.29.170
IP command: 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
57: vinternal_19@if58: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 8a:ae:cc:86:d7:e7 brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet 169.254.76.37/23 scope global vinternal_19
       valid_lft forever preferred_lft forever
60: vtarget_10@if59: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 72:6b:24:a0:47:d4 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet 169.254.79.1/32 scope global vtarget_10
       valid_lft forever preferred_lft forever

As you can see, for some reason I am getting a 169.254.x.x address instead of the VPC's 172.31.x.x. Also to note is that the DB is a part of the same security group in the same VPC.


Answer 1:


Your Security Group shows an empty IpPermissionsEgress.

{
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [],
            ...

If I'm reading it correctly, that means all outbound traffic is blocked.

Egress rules are traditionally opened to all traffic, on the assumption that you can trust what is running on your Amazon EC2 instance. So, you could either open it to all traffic, or at least to the systems you wish to communicate with.
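As an added illustration (not part of the original question or answer), the check below reads a describe-security-groups document like the one posted above and asks the concrete question the answer raises: does the group have an egress rule that permits TCP to the database's port? It uses the group id, account id and DB address from the page as a constructed sample, and then shows the effect of a hypothetical least-privilege egress rule (TCP 3306 to members of the same group) rather than opening all outbound traffic. The rule shape mirrors the IpPermissions entries on the page; the 3306 port number is the standard MySQL/Aurora port and is an assumption about the DB here.

```python
import ipaddress
import json

# Constructed sample modelled on the describe-security-groups output in the question
# (same group id and account id as on the page; only the elided lines are omitted).
SG_AS_POSTED = json.loads("""
{
  "SecurityGroups": [
    {
      "IpPermissionsEgress": [],
      "IpPermissions": [
        {
          "FromPort": 0, "ToPort": 65535, "IpProtocol": "tcp",
          "IpRanges": [], "PrefixListIds": [],
          "UserIdGroupPairs": [{"UserId": "141066641105", "GroupId": "sg-e029969a"}]
        }
      ],
      "GroupName": "db-access",
      "VpcId": "vpc-c3e2f3a7",
      "OwnerId": "141066641105",
      "GroupId": "sg-e029969a"
    }
  ]
}
""")

# Hypothetical least-privilege fix: allow outbound only to members of the same
# group on the MySQL/Aurora port, instead of opening egress to everything.
MYSQL_EGRESS_RULE = {
    "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
    "IpRanges": [], "PrefixListIds": [],
    "UserIdGroupPairs": [{"UserId": "141066641105", "GroupId": "sg-e029969a"}],
}


def _rule_matches(rule, port, dest_ip, dest_groups):
    """True if one IpPermissions entry permits TCP `port` to the destination."""
    proto = rule.get("IpProtocol")
    if proto not in ("tcp", "-1"):          # "-1" is the API's "all traffic" value
        return False
    if proto == "tcp":
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        if not lo <= port <= hi:
            return False
    # The destination may be matched by CIDR or by membership of a referenced group.
    for r in rule.get("IpRanges", []):
        if ipaddress.ip_address(dest_ip) in ipaddress.ip_network(r["CidrIp"]):
            return True
    for pair in rule.get("UserIdGroupPairs", []):
        if pair["GroupId"] in dest_groups:
            return True
    return False


def egress_allows(sg_doc, group_id, port, dest_ip, dest_groups):
    """Return True if security group `group_id` in a describe-security-groups
    document has an egress rule permitting TCP `port` to a destination with
    address `dest_ip` that belongs to the groups in `dest_groups`."""
    for sg in sg_doc["SecurityGroups"]:
        if sg["GroupId"] != group_id:
            continue
        return any(_rule_matches(rule, port, dest_ip, dest_groups)
                   for rule in sg.get("IpPermissionsEgress", []))
    raise KeyError(f"{group_id} not in document")


def with_egress_rule(sg_doc, group_id, rule):
    """Return a deep copy of the document with `rule` appended to the group's egress."""
    doc = json.loads(json.dumps(sg_doc))
    for sg in doc["SecurityGroups"]:
        if sg["GroupId"] == group_id:
            sg.setdefault("IpPermissionsEgress", []).append(rule)
    return doc


if __name__ == "__main__":
    # DB address from the question's log; its group membership from the question text.
    db_ip, db_groups = "172.31.29.170", {"sg-e029969a"}
    print("as posted:", egress_allows(SG_AS_POSTED, "sg-e029969a", 3306, db_ip, db_groups))
    fixed = with_egress_rule(SG_AS_POSTED, "sg-e029969a", MYSQL_EGRESS_RULE)
    print("with 3306 rule:", egress_allows(fixed, "sg-e029969a", 3306, db_ip, db_groups))
    print("with 3306 rule, 443 to the internet:",
          egress_allows(fixed, "sg-e029969a", 443, "8.8.8.8", set()))
```

The same function can be pointed at the real output of `aws ec2 describe-security-groups --output json` to confirm a fix before redeploying the function; a group-referencing rule keeps the Lambda's outbound reach limited to the database rather than to every address.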



Source: https://stackoverflow.com/questions/43125647/aws-lambda-function-not-joining-vpc
