
Create VPC endpoint for S3 bucket lambda access using AWS CDK

I am building a system using Python flavored AWS CDK.

I have a lambda function with an attached EFS. To use EFS, I am required to put the lambda function inside a VPC. The problem is, I also want this lambda function to retrieve files from a particular S3 bucket (in the same region). I am getting Timeout errors when doing the retrieval, and upon some research it seems that I need either a NAT Gateway (too expensive) or a VPC endpoint to allow access.

How can I build a VPC endpoint in CDK to allow my lambda function to talk to my S3 bucket?

Edit: The comment below from @gshpychka is correct - only the gateway_endpoint in the vpc definition is required.

Here is what I came up with that seems to work after following the ideas in this guide.

You need to create both an S3 access point as well as a VPC Endpoint.

You make the VPC Endpoint when creating the VPC. This allows S3 buckets to be accessible from the VPC. You can later add a policy to restrict this access.

from aws_cdk import aws_ec2 as ec2

# VPC with no NAT gateway; the S3 gateway endpoint adds a route to S3
# for the VPC's subnets, so a Lambda inside the VPC can reach the bucket.
self.vpc = ec2.Vpc(
    scope=self,
    id="VPC",
    vpc_name="my_VPC",
    gateway_endpoints={
        "s3": ec2.GatewayVpcEndpointOptions(
            service=ec2.GatewayVpcEndpointAwsService.S3
        )
    },
    nat_gateways=0,
)

You later create an S3 access point after creating the S3 bucket. This allows access to the bucket.

from aws_cdk import aws_s3 as s3

# Access point restricted to the VPC; self.my_bucket is the bucket created earlier.
# Per the edit above this is not required for endpoint access, the gateway endpoint alone suffices.
self.bucket_access = s3.CfnAccessPoint(
    scope=self,
    id="s3_access",
    bucket=self.my_bucket.bucket_name,
    name="bucket-access-point",
    vpc_configuration=s3.CfnAccessPoint.VpcConfigurationProperty(
        vpc_id=self.vpc.vpc_id
    ),
)

import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as iam from 'aws-cdk-lib/aws-iam';
import { Construct } from 'constructs';

export class YourStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Look up the account's default VPC (context lookup needs env account/region set on the stack)
    const vpc = ec2.Vpc.fromLookup(this, 'vpc', { isDefault: true });

    // Gateway endpoint that routes S3 traffic from the VPC without a NAT gateway
    const s3Endpoint = vpc.addGatewayEndpoint('s3Endpoint', {
      service: ec2.GatewayVpcEndpointAwsService.S3,
    });

    // Endpoint policy as posted: any principal, any S3 action, any bucket.
    // This is as open as the endpoint's default policy; narrowing principals
    // and resources to the Lambda role and the target bucket limits what can leave the VPC.
    s3Endpoint.addToPolicy(
      new iam.PolicyStatement({
        principals: [new iam.AnyPrincipal()],
        actions: ['s3:*'],
        resources: ['*'],
      }),
    );
  }
}
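As an added example that is not part of either answer: the first answer says a policy can later restrict the endpoint, and the second attaches `s3:*` on `*` for any principal, which is as permissive as the endpoint's default policy. The block below builds a restricted statement as plain IAM JSON (CDK accepts it via `iam.PolicyStatement.from_json` for `add_to_policy`) and evaluates both policies against sample requests; the bucket name and role ARN are placeholders, and the evaluator ignores Condition keys.

```python
import fnmatch

# Constructed example (not from the original answers): a least-privilege
# gateway endpoint policy plus a tiny evaluator. Bucket and role ARN are
# placeholders. WILDCARD_POLICY mirrors the TypeScript answer's statement.
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "*"}]}

def s3_endpoint_policy(bucket_name, role_arn,
                       actions=("s3:GetObject", "s3:ListBucket")):
    """Policy letting only role_arn read bucket_name through the endpoint.
    In CDK: endpoint.add_to_policy(iam.PolicyStatement.from_json(stmt))."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "LambdaReadViaEndpoint",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": list(actions),
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
    }]}

def _matches(field, value):
    # IAM-style match: field is a string or list; '*' and '?' are wildcards
    patterns = field if isinstance(field, list) else [field]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _principal_matches(principal, arn):
    if principal == "*":
        return True
    return isinstance(principal, dict) and _matches(principal.get("AWS", []), arn)

def endpoint_allows(policy, principal_arn, action, resource_arn):
    """True if the endpoint policy permits the request. It is an extra gate
    ANDed with IAM and bucket policies: a matching Deny wins, and without a
    matching Allow the request never leaves the VPC. Conditions are ignored."""
    allowed = False
    for st in policy["Statement"]:
        if not (_principal_matches(st.get("Principal"), principal_arn)
                and _matches(st.get("Action", []), action)
                and _matches(st.get("Resource", []), resource_arn)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```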
