Unable to connect to S3 from Lambda/Python/Boto3 when VPC is enabled

Submitted by 孤人 on 2020-01-16 18:23:10

Question


I have a very simple python function in a lambda which runs fine if I leave VPC disabled.

import json
import boto3
import botocore.config  # explicit submodule import so botocore.config.Config is always available

def lambda_handler(event, context):
    # Region pinned to us-east-1, path-style addressing for S3
    s3 = boto3.client('s3', 'us-east-1', config=botocore.config.Config(s3={'addressing_style': 'path'}))
    keys = []
    resp = s3.list_objects_v2(Bucket='[BUCKET_NAME]')
    # 'Contents' is absent when the bucket is empty, so default to an empty list
    for obj in resp.get('Contents', []):
        keys.append(obj['Key'])
        print(obj['Key'])

    return {
        'statusCode': 200,
        'body': json.dumps('Hello from Lambda!')
    }

When VPC is enabled the S3 connection continually times out.

I have gone through many documents, tutorials, forum threads and stack overflow postings, but none of them have helped me.

My network ACL has 0.0.0.0/0 mappings for ports 80, 443 and 5439 (Redshift).

My one and only security group has 0.0.0.0/0 mappings for ports 80, 443 and 5439 (Redshift).

I have only one VPC configured.

I have 1 NAT Gateway configured.

I have 1 Internet Gateway configured.

I have 6 subnets in the VPC:

  • Subnets A and B point to the main route table.
  • Subnets C and D point to the 'lambda_rt_table_gateway' route table.
  • Subnets E and F point to the 'lambda_rt_table_nat' route table.

I have 2 endpoints in the VPC:

  • Endpoint VPCE-A is defined for service 'com.amazonaws.us-east-1.s3' and is mapped to all 3 route tables.
  • Endpoint VPCE-B is defined for service 'com.amazonaws.us-east-1.dynamodb' and is mapped to all 3 route tables.

Finally, I have 3 Route Tables:

  • The main route table has the following routes:

    • 172.31.0.0/1 --> local
    • pl-02cd2c6b (com.amazonaws.us-east-1.dynamodb, 52.94.0.0/22, 52.119.224.0/20) --> vpce-07a6eb423bbbea151
    • pl-63a5400a (com.amazonaws.us-east-1.s3, 54.231.0.0/17, 52.216.0.0/15) --> vpce-0fd10c890bb176b5a
    • 0.0.0.0/0 --> igw-04b6aa7c
  • The 'lambda_rt_table_gateway' route table has identical routes as the main.

  • The 'lambda_rt_table_nat' route table has identical routes as well except for the last entry, it is
    • 0.0.0.0/0 --> nat-0a5c0a76e3c12c42f

I am pretty sure it is something simple I'm missing. Please help.

Thanks a lot.


Answer 1:


You have a lot of stuff configured! I'm not sure how much of it is part of wanting to get this specific situation fixed, or whether you have other needs for things like the NAT Gateway, VPC Endpoints, etc.

The simplest setup to enable a VPC-connected Lambda function to call out to the Internet (eg to make an API call to Amazon S3) would be:

  • Add a NAT Gateway to a Public subnet
  • Attach the Lambda function to a Private subnet
  • Set routing on the private subnet to use the NAT Gateway for 0.0.0.0/0

That is sufficient for VPC-attached Lambda functions to reach the Internet.
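The three steps above boil down to one property of the route table attached to the Lambda function's subnet: S3 traffic must leave either through an S3 gateway endpoint (a prefix-list route to a vpce-) or through a default route to a NAT gateway. A default route to an Internet Gateway is not enough, because the ENIs Lambda places in a VPC have no public IP. The following checker is an added example and is not code from the question, the answer, or AWS; it runs offline on data shaped like an EC2 DescribeRouteTables response. The route tables, subnet IDs, gateway IDs and the S3 prefix-list ID in it are constructed placeholders loosely modelled on the question's layout (the S3 endpoint route is deliberately left out of the 'gateway' table and a blackholed table is added so every outcome appears).

```python
"""Classify how S3 traffic would leave each subnet of a VPC, from route-table data.

Added example, not code from the original question or answer.  Input is shaped
like the EC2 DescribeRouteTables response so the check runs offline; all IDs in
the sample below are constructed placeholders.  The S3 prefix-list ID differs
per region, so it is passed in rather than hard-coded.
"""
import ipaddress

GATEWAY_ENDPOINT = "gateway-endpoint"
NAT = "nat-gateway"
IGW_NO_EGRESS = "internet-gateway (no egress: Lambda ENIs have no public IP)"
NO_ROUTE = "no-route"

# Constructed sample data; every identifier is a placeholder.
S3_PREFIX_LIST_ID = "pl-s3-placeholder"
LOCAL_ROUTE = {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"}
SAMPLE_ROUTE_TABLES = [
    {   # main table: S3 gateway endpoint plus an IGW default route
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}, {"SubnetId": "subnet-a"}, {"SubnetId": "subnet-b"}],
        "Routes": [
            LOCAL_ROUTE,
            {"DestinationPrefixListId": S3_PREFIX_LIST_ID, "GatewayId": "vpce-s3-placeholder", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder", "State": "active"},
        ],
    },
    {   # 'gateway' table: only an IGW default route
        "RouteTableId": "rtb-lambda-gateway",
        "Associations": [{"SubnetId": "subnet-c"}, {"SubnetId": "subnet-d"}],
        "Routes": [
            LOCAL_ROUTE,
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder", "State": "active"},
        ],
    },
    {   # 'nat' table: default route to a NAT gateway, as the answer recommends
        "RouteTableId": "rtb-lambda-nat",
        "Associations": [{"SubnetId": "subnet-e"}, {"SubnetId": "subnet-f"}],
        "Routes": [
            LOCAL_ROUTE,
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder", "State": "active"},
        ],
    },
    {   # NAT gateway was deleted: the default route is blackholed
        "RouteTableId": "rtb-stale",
        "Associations": [{"SubnetId": "subnet-g"}],
        "Routes": [
            LOCAL_ROUTE,
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-deleted-placeholder", "State": "blackhole"},
        ],
    },
]


def s3_egress_path(route_table, s3_prefix_list_id):
    """Return which path HTTPS traffic to S3 takes out of a subnet using this table."""
    # Blackholed routes (target deleted) never forward traffic, so drop them first.
    routes = [r for r in route_table.get("Routes", []) if r.get("State", "active") == "active"]

    # A gateway endpoint route is keyed by the S3 prefix list rather than a CIDR
    # and takes precedence over CIDR routes, so it is checked first.
    for r in routes:
        if (r.get("DestinationPrefixListId") == s3_prefix_list_id
                and str(r.get("GatewayId", "")).startswith("vpce-")):
            return GATEWAY_ENDPOINT

    # Otherwise use longest-prefix matching over the CIDR routes that are not
    # the VPC-local route; for public S3 addresses that is the default route.
    best = None
    for r in routes:
        cidr = r.get("DestinationCidrBlock")
        if not cidr or r.get("GatewayId") == "local":
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, r)
    if best is None:
        return NO_ROUTE
    route = best[1]
    if str(route.get("NatGatewayId", "")).startswith("nat-"):
        return NAT
    if str(route.get("GatewayId", "")).startswith("igw-"):
        return IGW_NO_EGRESS
    return NO_ROUTE


def s3_egress_report(route_tables, s3_prefix_list_id):
    """Map every explicitly associated subnet to its S3 egress path."""
    report = {}
    for rt in route_tables:
        path = s3_egress_path(rt, s3_prefix_list_id)
        for assoc in rt.get("Associations", []):
            subnet = assoc.get("SubnetId")  # the main-table association carries no SubnetId
            if subnet:
                report[subnet] = path
    return report


if __name__ == "__main__":
    for subnet, path in sorted(s3_egress_report(SAMPLE_ROUTE_TABLES, S3_PREFIX_LIST_ID).items()):
        print(f"{subnet}: {path}")
```

Run against real data by feeding the `RouteTables` list from `ec2.describe_route_tables()` and the region's S3 prefix-list ID into `s3_egress_report`; a subnet reported as `gateway-endpoint` keeps S3 traffic off the Internet entirely, which is the least-exposed of the three working paths, while `nat-gateway` is the general-purpose setup the answer describes.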



Source: https://stackoverflow.com/questions/54546173/unable-to-connect-to-s3-from-lambda-python-boto3-when-vpc-is-enabled
