AWS Lambda and MongoDB Atlas Connectivity Issue

I want to create a connection to MongoDB Atlas from an AWS Lambda function. The AWS Lambda function I created is not able to connect to MongoDB Atlas using an IAM connection.

The following Java exception is thrown after attempting to connect to MongoDB Atlas.

com.mongodb.MongoSocketOpenException: Exception opening socket
    at com.mongodb.internal.connection.SocketStream.open(SocketStream.java:73) ~[mongodb-driver-core-4.8.1.jar:?]
    at com.mongodb.internal.connection.InternalStreamConnection.open(InternalStreamConnection.java:183) ~[mongodb-driver-core-4.8.1.jar:?]
    at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.lookupServerDescription(DefaultServerMonitor.java:198) [mongodb-driver-core-4.8.1.jar:?]
    at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:158) [mongodb-driver-core-4.8.1.jar:?]
    at java.lang.Thread.run(Unknown Source) [?:?]
Caused by: java.net.SocketTimeoutException: connect timed out
    at java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:?]
    at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source) ~[?:?]
    at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source) ~[?:?]
    at java.net.AbstractPlainSocketImpl.connect(Unknown Source) ~[?:?]
    at java.net.SocksSocketImpl.connect(Unknown Source) ~[?:?]
    at java.net.Socket.connect(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.connect(Unknown Source) ~[?:?]
    at com.mongodb.internal.connection.SocketStreamHelper.initialize(SocketStreamHelper.java:107) ~[mongodb-driver-core-4.8.1.jar:?]
    at com.mongodb.internal.connection.SocketStream.initializeSocket(SocketStream.java:82) ~[mongodb-driver-core-4.8.1.jar:?]
    at com.mongodb.internal.connection.SocketStream.open(SocketStream.java:68) ~[mongodb-driver-core-4.8.1.jar:?]
    ... 4 more

Here's my Java code that I currently use to establish a connection to MongoDB Atlas:


    import com.amazonaws.auth.AWSStaticCredentialsProvider;
    import com.amazonaws.auth.BasicAWSCredentials;
    import com.amazonaws.regions.Regions;
    import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
    import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
    import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
    import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
    import com.amazonaws.services.securitytoken.model.Credentials;
    import com.mongodb.ConnectionString;
    import com.mongodb.MongoClientSettings;
    import com.mongodb.ServerApi;
    import com.mongodb.ServerApiVersion;
    import com.mongodb.client.MongoClient;
    import com.mongodb.client.MongoClients;
    import java.net.URLEncoder;
    import java.nio.charset.StandardCharsets;

    public static MongoClient connect() {
      final String accessKeyId = System.getenv("AWS_ACCESS_KEY_ID");
      final String secretAccessKey = System.getenv("AWS_SECRET_ACCESS_KEY");
      final Regions region = Regions.US_EAST_1;
      final BasicAWSCredentials credentials = new BasicAWSCredentials(accessKeyId, secretAccessKey);

      final AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
        .withCredentials(new AWSStaticCredentialsProvider(credentials))
        .withRegion(region)
        .build();

      final AssumeRoleRequest roleRequest = new AssumeRoleRequest()
        .withRoleArn("<Role ARN>")
        .withRoleSessionName("my-session");
      final AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);
      final Credentials sessionCredentials = roleResponse.getCredentials();

      // MONGODB-AWS needs the key id, secret and session token of ONE credential set: the
      // assumed role's temporary credentials, not the long-term user keys paired with a token
      // issued for different keys. Secrets can contain '/', '+' and '=', so the userinfo is URL-encoded.
      final ConnectionString connectionString = new ConnectionString("mongodb+srv://"
        + URLEncoder.encode(sessionCredentials.getAccessKeyId(), StandardCharsets.UTF_8) + ":"
        + URLEncoder.encode(sessionCredentials.getSecretAccessKey(), StandardCharsets.UTF_8)
        + "@cluster.e.mongodb.net/?authSource=%24external&authMechanism=MONGODB-AWS&retryWrites=true&w=majority"
        + "&authMechanismProperties=AWS_SESSION_TOKEN:" + sessionCredentials.getSessionToken());
      final MongoClientSettings settings = MongoClientSettings.builder()
        .applyConnectionString(connectionString)
        .serverApi(ServerApi.builder()
          .version(ServerApiVersion.V1)
          .build())
        .build();
      return MongoClients.create(settings);
    }

Here's the IAM policy that is being used:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:*",
                "logs:CreateLogGroup"
            ],
            "Resource": [
                "arn:aws:logs:***:kuungana-fn-api-log:*",
                "arn:aws:iam::***:role/KuunganaApiRole",
                "arn:aws:iam::***:user/user1"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:***:log-group:/aws/lambda/events_get:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetSessionToken",
                "sts:DecodeAuthorizationMessage",
                "sts:GetAccessKeyInfo",
                "sts:GetCallerIdentity",
                "sts:GetServiceBearerToken",
                "sts:GetSessionToken"
            ],
            "Resource": "*"
        }
    ]
}

Here are the trust relationships for KuunganaApiRole:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::***:user/user1"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:sts::***:assumed-role/KuunganaApiRole/events_create"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

This is likely not a permission issue but more of a network access issue.

  1. If your Lambda is within a VPC then ensure it is allowed access to the MongoDB Atlas; subnets and ACLs should permit access.
  2. If Lambda is not within a VPC, then ensure your cluster has access to the public internet 0.0.0.0/0.

https://www.mongodb.com/docs/atlas/manage-connections-aws-lambda/
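A defender-side way to check the two cases the answer lists, as an added example that is not part of the original question or answer: given a function's VpcConfig plus the route table, network ACL and security groups of its subnets, report what would block a TCP connection to an Atlas node on port 27017. It does not call AWS. The dictionaries are constructed inline with the field names of the EC2 DescribeRouteTables / DescribeNetworkAcls / DescribeSecurityGroups responses and the Lambda GetFunctionConfiguration VpcConfig; the subnet, gateway and group ids and the Atlas address 203.0.113.10 are made-up placeholders. It goes one step beyond the answer's "subnets and ACLs should permit access": a VPC-attached Lambda's ENI has no public IP, so a default route through an internet gateway is not enough, the private subnet needs a NAT gateway.

```python
from ipaddress import ip_address, ip_network

ATLAS_PORT = 27017          # Atlas clusters accept TLS connections on the standard MongoDB port
EPHEMERAL = (1024, 65535)   # return traffic lands on the client's ephemeral port range


def _cidr_covers(cidr, ip):
    return ip_address(ip) in ip_network(cidr, strict=False)


def subnet_has_nat_default_route(route_table):
    """A VPC-attached Lambda's ENI never gets a public IP, so a 0.0.0.0/0 route
    through an internet gateway (igw-*) gives it no egress; the default route
    must point at a NAT gateway (nat-*)."""
    return any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and r.get("State", "active") == "active"
        and r.get("NatGatewayId", "").startswith("nat-")
        for r in route_table["Routes"]
    )


def sg_allows_egress(sg, port, dest_ip):
    """Security groups are stateful and allow-only: one matching outbound rule in
    any attached group covers the connection and its replies."""
    for rule in sg["IpPermissionsEgress"]:
        proto = rule["IpProtocol"]
        if proto not in ("-1", "tcp"):
            continue
        if proto == "tcp" and not (rule["FromPort"] <= port <= rule["ToPort"]):
            continue
        if any(_cidr_covers(r["CidrIp"], dest_ip) for r in rule.get("IpRanges", [])):
            return True
    return False


def nacl_permits(entries, egress, port, dest_ip):
    """Network ACLs are stateless and ordered: the lowest-numbered matching rule
    wins (the trailing 32767 entry is the implicit deny), so the outbound
    connection and its inbound replies must each be allowed explicitly."""
    for e in sorted(entries, key=lambda x: x["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in ("-1", "6"):  # "6" is TCP
            continue
        pr = e.get("PortRange")
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        if not _cidr_covers(e["CidrBlock"], dest_ip):
            continue
        return e["RuleAction"] == "allow"
    return False


def diagnose(lambda_cfg, route_tables, security_groups, nacls, atlas_ip):
    """Return findings for the egress path to one Atlas node; an empty list means
    nothing in the VPC blocks it. route_tables/nacls are keyed by subnet id."""
    vpc = lambda_cfg.get("VpcConfig") or {}
    if not vpc.get("SubnetIds"):
        # Case 2 of the answer: without a VPC the function egresses from AWS-owned public
        # addresses that cannot be listed individually in the Atlas IP access list.
        return ["function is not VPC-attached: Atlas IP access list must allow "
                "0.0.0.0/0, or the function must be moved into a VPC"]
    findings = []
    for subnet_id in vpc["SubnetIds"]:
        if not subnet_has_nat_default_route(route_tables[subnet_id]):
            findings.append(f"{subnet_id}: no 0.0.0.0/0 route via a NAT gateway")
        nacl = nacls[subnet_id]
        if not nacl_permits(nacl, True, ATLAS_PORT, atlas_ip):
            findings.append(f"{subnet_id}: NACL blocks egress to {atlas_ip}:{ATLAS_PORT}")
        if not all(nacl_permits(nacl, False, p, atlas_ip) for p in EPHEMERAL):
            findings.append(f"{subnet_id}: NACL blocks return traffic on ephemeral ports")
    if not any(sg_allows_egress(security_groups[g], ATLAS_PORT, atlas_ip)
               for g in vpc["SecurityGroupIds"]):
        findings.append(f"no security group allows egress to {atlas_ip}:{ATLAS_PORT}")
    return findings


# --- constructed sample data: shapes mirror the AWS API responses, all values are made up ---
ATLAS_IP = "203.0.113.10"  # TEST-NET-3 placeholder standing in for one Atlas node
DEFAULT_NACL = [  # the VPC default ACL: allow everything both ways, then the implicit deny
    {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]
ROUTE_TABLES = {
    "subnet-private": {"Routes": [  # default route via NAT gateway: works for Lambda
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123", "State": "active"}]},
    "subnet-public": {"Routes": [  # default route via IGW: fine for EC2, useless for Lambda
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"}]},
}
NACLS = {"subnet-private": DEFAULT_NACL, "subnet-public": DEFAULT_NACL}
SECURITY_GROUPS = {
    "sg-https-only": {"IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "sg-allow-all": {"IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
}
BROKEN = {"VpcConfig": {"SubnetIds": ["subnet-public"], "SecurityGroupIds": ["sg-https-only"]}}
FIXED = {"VpcConfig": {"SubnetIds": ["subnet-private"], "SecurityGroupIds": ["sg-allow-all"]}}
NO_VPC = {"VpcConfig": {"SubnetIds": [], "SecurityGroupIds": []}}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED), ("no-vpc", NO_VPC)):
        print(name, diagnose(cfg, ROUTE_TABLES, SECURITY_GROUPS, NACLS, ATLAS_IP) or ["ok"])
```

To use it against a real account, replace the constructed dictionaries with the output of the corresponding `describe-*` and `get-function-configuration` calls and pass one address resolved from the cluster's SRV record as `atlas_ip`. A `connect timed out` like the one in the question, with an empty findings list, points at the remaining piece this check cannot see from inside the VPC: the Atlas IP access list, which must contain the NAT gateway's public address.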
