Request times out when trying to assume an AWS STS role from a private subnet using a VPC endpoint

Posted on 2025-01-09 16:46:38, 782 characters, 0 views, 0 comments


I'm calling AWS STS to assume a role in a Lambda function running in a private subnet on a VPC with an endpoint configured for STS. However, my request times out.

My setup is as follows:

  • I run a lambda attached to a private subnet and security group in a VPC
  • Because the subnet is private, I've configured a VPC Endpoint to access STS on com.amazonaws.eu-west-1.sts
  • My lambda is written in golang using the older sdk-for-go v1 api: https://docs.aws.amazon.com/sdk-for-go/api/
  • I've also configured a VPC Endpoint to access S3, which works without problems.

My terraform configuration for the VPC endpoint is:

resource "aws_vpc_endpoint" "xxxx-sts" {
  vpc_id = aws_vpc.xxxx.id
  service_name = "com.amazonaws.eu-west-1.sts"
  vpc_endpoint_type = "Interface"
  security_group_ids = [aws_security_group.xxxx.id]
  subnet_ids = [aws_subnet.xxxx.id]
  private_dns_enabled = true
}


Comments (1)

初见你 2025-01-16 16:46:38


To fix this problem, add the following ENV key/value to your lambda or application environment:

export AWS_STS_REGIONAL_ENDPOINTS='regional'

This forces the AWS SDK to use regional rather than global endpoints when calling STS as documented here: https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

What happens otherwise is that the Go SDK will default to using the global STS endpoint https://sts.amazonaws.com for regions such as eu-west-1. (This happens in the following regions: ap-northeast-1, ap-south-1, ap-southeast-1, ap-southeast-2, aws-global, ca-central-1, eu-central-1, eu-north-1, eu-west-1, eu-west-2, eu-west-3, sa-east-1, us-east-1, us-east-2, us-west-1, and us-west-2.)

The STS VPC Endpoint is configured only for regional URLs and so when the program tries to access a global URL in a private subnet, a connection can't be established and times out instead.
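The hostname mismatch the answer describes, as an added example that is not code from the question, the answer, or the AWS SDK: a standard-library-only Go program (function names are my own) that models which STS hostname the v1 SDK picks for a region with and without AWS_STS_REGIONAL_ENDPOINTS=regional, derives the private DNS name an interface endpoint serves (assumed mapping: com.amazonaws.<region>.sts answers for sts.<region>.amazonaws.com), and flags the combination that leaves the Lambda trying to reach the public global hostname.

```go
package main

import (
	"fmt"
	"strings"
)

// Regions in which aws-sdk-go v1 still defaults to the global STS endpoint
// unless regional endpoints are requested (the list quoted in the answer above).
var legacyGlobalSTSRegions = map[string]bool{
	"ap-northeast-1": true, "ap-south-1": true, "ap-southeast-1": true, "ap-southeast-2": true,
	"aws-global": true, "ca-central-1": true, "eu-central-1": true, "eu-north-1": true,
	"eu-west-1": true, "eu-west-2": true, "eu-west-3": true, "sa-east-1": true,
	"us-east-1": true, "us-east-2": true, "us-west-1": true, "us-west-2": true,
}

// STSHostFor returns the hostname the v1 SDK connects to for a region, given the
// AWS_STS_REGIONAL_ENDPOINTS value ("" means unset, i.e. the legacy default).
func STSHostFor(region, stsSetting string) string {
	if region == "aws-global" || (stsSetting != "regional" && legacyGlobalSTSRegions[region]) {
		return "sts.amazonaws.com"
	}
	return "sts." + region + ".amazonaws.com"
}

// EndpointPrivateDNS returns the hostname an interface endpoint answers for when
// private_dns_enabled = true (assumed: com.amazonaws.<region>.sts -> sts.<region>.amazonaws.com).
func EndpointPrivateDNS(serviceName string) (string, bool) {
	p := strings.Split(serviceName, ".")
	if len(p) != 4 || p[0] != "com" || p[1] != "amazonaws" {
		return "", false
	}
	return p[3] + "." + p[2] + ".amazonaws.com", true
}

// Diagnose reports whether an STS call from the Lambda is served by the interface
// endpoint, or instead targets a public hostname that has no route out of a
// private subnet without NAT and therefore times out (constructed inputs in the test).
func Diagnose(region, stsSetting, serviceName string, privateDNS bool) (bool, string) {
	host := STSHostFor(region, stsSetting)
	want, valid := EndpointPrivateDNS(serviceName)
	if !valid || !privateDNS {
		return false, "endpoint " + serviceName + " exposes no private DNS name the SDK would use"
	}
	if host != want {
		return false, fmt.Sprintf("SDK will call %s but the endpoint serves only %s; set AWS_STS_REGIONAL_ENDPOINTS=regional", host, want)
	}
	return true, "SDK will call " + host + " through the interface endpoint"
}
```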
