Create VPC endpoint for S3 bucket lambda access using AWS CDK

I am building a system using Python flavored AWS CDK. I have a lambda function with an attached EFS. To use EFS, I am required to put the lambda function inside a VPC. The problem is, I also want this lambda function to retrieve files from a particular S3 bucket (in the same region). I am getting Timeout errors when doing the retrieval, and upon some research it seems that I need either a NAT Gateway (too expensive) or a VPC endpoint to allow access.

How can I build a VPC endpoint in CDK to allow my lambda function to talk to my S3 bucket?
Edit: The comment below from @gshpychka is correct - only the gateway_endpoint in the vpc definition is required.
Here is what I came up with that seems to work after following the ideas in this guide.

You need to create both an S3 access point as well as a VPC Endpoint.

You make the VPC Endpoint when creating the VPC. This allows S3 buckets to be accessible from the VPC. You can later add a policy to restrict this access.
from aws_cdk import aws_ec2 as ec2

# VPC with no NAT gateway; the S3 gateway endpoint adds routes so that S3
# traffic from the subnets stays on the AWS network instead of going out
# through the internet.
self.vpc = ec2.Vpc(
    scope=self,
    id="VPC",
    vpc_name="my_VPC",
    gateway_endpoints={
        "s3": ec2.GatewayVpcEndpointOptions(
            service=ec2.GatewayVpcEndpointAwsService.S3
        )
    },
    nat_gateways=0,
)
You later create an S3 access point after creating the S3 bucket. This allows access to the bucket.
from aws_cdk import aws_s3 as s3

# Access point bound to the VPC: requests made through this access point
# are only accepted when they originate from inside that VPC.
self.bucket_access = s3.CfnAccessPoint(
    scope=self,
    id="s3_access",
    bucket=self.my_bucket.bucket_name,
    name="bucket-access-point",
    vpc_configuration=s3.CfnAccessPoint.VpcConfigurationProperty(
        vpc_id=self.vpc.vpc_id
    ),
)
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as iam from 'aws-cdk-lib/aws-iam';
import { Construct } from 'constructs';

export class YourStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Look up the existing default VPC (the stack needs an explicit env
    // account/region for lookups to work).
    const vpc = ec2.Vpc.fromLookup(this, 'vpc', { isDefault: true });

    // Gateway endpoint: adds S3 prefix-list routes to the VPC route tables.
    const s3BucketAccessPoint = vpc.addGatewayEndpoint('s3Endpoint', {
      service: ec2.GatewayVpcEndpointAwsService.S3,
    });

    // Endpoint policy: any principal, any S3 action, any bucket. This is
    // equivalent to the endpoint's default policy, so it does not restrict
    // which buckets are reachable through the endpoint.
    s3BucketAccessPoint.addToPolicy(
      new iam.PolicyStatement({
        principals: [new iam.AnyPrincipal()],
        actions: ['s3:*'],
        resources: ['*'],
      }),
    );
  }
}
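The endpoint policy in the answer above allows every principal every S3 action on every bucket, which is what the endpoint already permits with no policy at all. As an added example that is not part of either answer, the Python below builds a statement scoped to one bucket (the bucket name is a constructed placeholder) and a coarse checker that shows which requests each version lets through the endpoint.

```python
import fnmatch

# Constructed placeholder; substitute the bucket the Lambda reads from.
BUCKET_NAME = "my-example-bucket"

# What a gateway endpoint permits with no policy set (and what an `s3:*`
# on `*` statement reproduces): any S3 action against any bucket.
FULL_ACCESS_STATEMENT = {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "*",
}


def endpoint_policy_for_bucket(bucket: str) -> dict:
    """Endpoint policy statement limited to read access on one bucket.

    Principal stays "*" because the endpoint policy only decides which S3
    resources are reachable through the endpoint; the Lambda's own IAM role
    still has to grant the action.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def endpoint_allows(statement: dict, action: str, resource_arn: str) -> bool:
    """Coarse check: does this Allow statement match the action and resource?

    Mimics IAM's case-insensitive action match and the '*' / '?' wildcards
    in resource ARNs; conditions and Deny statements are out of scope.
    """
    if statement.get("Effect") != "Allow":
        return False
    action_ok = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                    for pat in _as_list(statement["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(resource_arn, pat)
                      for pat in _as_list(statement["Resource"]))
    return action_ok and resource_ok
```

In Python CDK the scoped statement can be attached with `endpoint = self.vpc.add_gateway_endpoint("s3", service=ec2.GatewayVpcEndpointAwsService.S3)` followed by `endpoint.add_to_policy(iam.PolicyStatement.from_json(endpoint_policy_for_bucket(BUCKET_NAME)))`, and `self.my_bucket.grant_read(fn)` still has to grant the Lambda role itself.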