Call AWS Lambda from Aurora RDS Stored Procedure Permissions Issue

Submitted by 房东的猫 on 2020-12-30 03:13:39

Question


I've created a few Lambdas in AWS, and an Aurora RDS (publicly available). I couldn't execute lambdas (via call mysql.lambda_async).

When I tried that I got the error ERROR 1873: 1873: Lambda API returned error: Missing Credentials: Cannot instantiate Lambda Client.

I tried attaching an IAM role called aurora-lambdas where I set full access to RDS and Lambdas and a trusted relationship between those services, but after trying various configurations I still get the issue.

Has anyone successfully executed an AWS Lambda from RDS? Thanks :)


Answer 1:


The parameter key aws_default_lambda_role needs to have the full ARN value path of the role that is both attached to the Aurora Cluster and has the correct lambda access policy associated with it.

First, enable IAM DB Authentication, which means your database user credentials can be managed through AWS IAM users and roles.

The steps to create the policy, create the role, attach the policy to the role, and associate the role with the Aurora Cluster are as follows.

1. Create an IAM Policy to Access AWS Lambda Resources.

2. Create IAM Role to Allow Amazon Aurora to Access AWS Services with Policy attached.

3. Associate IAM Role with an Amazon Aurora MySQL DB Cluster that needs to use Lambda.

4. Set the cluster-level parameter key for the related AWS service to the ARN for the associated IAM role. Use step 10 from weblink 3 given above. Step 10 describes aws_default_s3_role, but we just need to look for aws_default_lambda_role.

5. Go to RDS Dashboard

6. Click Parameter Groups

7. Click Create Parameter Group

8. Select Parameter Group Family aurora5.6

9. Select Type DB Cluster Parameter Group

10. Type in text box desired configuration Group Name as someName56

11. Create and then Edit Parameters

12. Look for Parameter Name aws_default_lambda_role and type in the ARN for the IAM Role created in step 4 above.

Brief Explanation

It is important to remember that because of the abstraction layers involved, there are separations of IAM users, roles, and policies. A Policy can be attached to a user or role, but cannot be associated by itself with running instances like EC2 or RDS. To attach S3 or Lambda access to code written on your local computer, an IAM User with the appropriate policy attached must be used. To attach access to Amazon internal services, an IAM Role must be assigned, for example, to allow an RDS Aurora Cluster DB to trigger Lambda with a CALL mysql.lambda_async procedure. Since the RDS instance, which triggers the Lambda function, is internal to AWS, it must be assigned an IAM Role. The idea is to give minimum access unless more is needed, and to change configuration files without having direct access to the RDS virtual machine. Therefore, Parameter Group values need to be changed in order to make some of the configuration changes in the DB software without having to connect directly to the virtual machine. It is designed to be easier than the traditional method of using SSH or direct connection software. This also allows for greater accountability, since the abstraction layer, i.e., the AWS console, can track user activity, so which user/service committed the action of triggering the Lambda can be identified to help pinpoint issues.

Note

I'm not an expert, so please correct my explanation, as I don't have a full grasp of AWS and I could have made mistakes in either my steps or my explanation. But this is what I did to resolve my particular issue.

EDIT: (Minutes after posting)

My Specific Issue:

When I made a direct call in SQL, it gave me the following error output which led me to the steps I outlined to resolve the issue.

mysql> CALL mysql.lambda_async('arn:aws:lambda:us-region-1:02020202020:function:FuncSomeNameLambdaFunc', CONCAT('{ "subject" : "', 'subject contents', '", "message" : "', 'Message Contents', '" }') );

ERROR 1873 (HY000): Lambda API returned error: Missing designated IAM role (aws_default_lambda_role)




Answer 2:


After a hard investigation, we added the aws_default_lambda_role key, with the IAM Role ARN as the value, to the RDS DB Cluster Parameter Group configuration. Once that was done, and with the Role having the correct permissions, RDS can now call the MySQL Lambda API successfully.




Answer 3:


I had a similar issue. After setting everything correctly, I was still getting Error Code: 63996. Lambda API returned error: Missing Credentials: Cannot instantiate Lambda Client. The parameters were not picked up correctly somehow. Just rebooting the instances fixed the issue.




Answer 4:


I set up: 'aws_default_lambda_role', 'arn:aws:iam::29XXXXXXX82:role/RDStoLAMDA'

**RDStoLAMDA:**
    AmazonRDSDirectoryServiceAccess
    RDSCloudHsmAuthorizationRole
    Custom one - "lambda:InvokeFunction"

Aurora Version: '2.03.2' and IAM Authentication enabled on the database side.

    DROP PROCEDURE IF EXISTS SP_Submit_Attr_Status;
    DELIMITER ;;
    CREATE PROCEDURE SP_testing_Attr_Status (IN user_id VARCHAR(255), IN attr_id TEXT, IN action_name TEXT) LANGUAGE SQL
    BEGIN
      CALL mysql.lambda_async('arn:aws:lambda:ap-zzzz-1:*********182:function:dsg-aws-backend-customerWebhook',
        '{"action": "SUBMIT_**_ATTR", "attrId": ****5, "actionBy": 12***5 }'
      );
    END
    ;;
    DELIMITER ;

    call SP_Submit_Attr_Status ( "***", "**rId","**nBy" );

Error Code: 63996. Lambda API returned error: Missing Credentials: Cannot instantiate Lambda Client




Answer 5:


Finally, it's working fine. Only one step was missed.

AWS Console > RDS > Select The Database Cluster > Scroll "Manage IAM roles"

Add there the same IAM role that you set as aws_default_lambda_role.

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.Lambda.html#AuroraMySQL.Integrating.NativeLambda

To permit database users in an Aurora MySQL DB cluster to invoke Lambda functions, associate the role that you created in Creating an IAM Role to Allow Amazon Aurora to Access AWS Services with the DB cluster. For information about associating an IAM role with a DB cluster, see Associating an IAM Role with an Amazon Aurora MySQL DB Cluster.
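An added offline check, not from the thread or from AWS, that ties together the three failure modes reported above: the parameter left unset (the error in answer 1's edit), the role named in aws_default_lambda_role but not added under Manage IAM roles (answer 5), and a parameter change not yet applied until reboot (answer 3). It also builds the least-privilege invoke policy the role needs instead of the full Lambda access tried in the question. It assumes the inputs have the shape of boto3's describe_db_clusters and describe_db_cluster_parameters results; the ARNs and instance name are constructed.

```python
from typing import Dict, List

PARAM = "aws_default_lambda_role"
ROLE = "arn:aws:iam::123456789012:role/aurora-lambda-role"  # constructed


def lambda_invoke_policy(function_arn: str) -> Dict:
    """Permission policy for the role: invoke only the named function,
    rather than lambda:* on every resource."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": "lambda:InvokeFunction",
                           "Resource": function_arn}]}


def diagnose(cluster: Dict, parameters: List[Dict]) -> List[str]:
    """Map the cluster's state to the errors quoted in the thread.
    cluster: one entry of describe_db_clusters()["DBClusters"] (assumed shape)
    parameters: describe_db_cluster_parameters()["Parameters"] (assumed shape)"""
    findings: List[str] = []
    values = {p["ParameterName"]: p.get("ParameterValue") for p in parameters}
    role_arn = values.get(PARAM)
    if not role_arn:
        # Answer 1's edit: the cluster parameter was never set
        return [f"{PARAM} is unset: expect 'Missing designated IAM role'"]
    status = {r["RoleArn"]: r.get("Status")
              for r in cluster.get("AssociatedRoles", [])}
    if role_arn not in status:
        # Answer 5: role named in the parameter but not added under Manage IAM roles
        findings.append(f"{role_arn} not associated with the cluster: "
                        "expect 'Missing Credentials: Cannot instantiate Lambda Client'")
    elif status[role_arn] != "ACTIVE":
        findings.append(f"role association is {status[role_arn]}, not ACTIVE")
    for member in cluster.get("DBClusterMembers", []):
        # Answer 3: a cluster-level parameter change is only picked up after a reboot
        if member.get("DBClusterParameterGroupStatus") != "in-sync":
            findings.append(f"{member['DBInstanceIdentifier']}: parameter group "
                            f"{member['DBClusterParameterGroupStatus']}, reboot needed")
    return findings


# Constructed sample data describing a correctly configured cluster
CLUSTER_OK = {"AssociatedRoles": [{"RoleArn": ROLE, "Status": "ACTIVE"}],
              "DBClusterMembers": [{"DBInstanceIdentifier": "aurora-1",
                                    "DBClusterParameterGroupStatus": "in-sync"}]}
PARAMS_OK = [{"ParameterName": PARAM, "ParameterValue": ROLE}]
```

Feed it the real API responses and an empty list means all three conditions from the thread are satisfied for that cluster.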



Source: https://stackoverflow.com/questions/44659145/call-aws-lambda-from-aurora-rds-stored-procedure-permissions-issue
