
IAM role connectivity between Lambda and Mongo Atlas Serverless using AWS SAM

Problem Statement

I am currently attempting to establish a connection with MongoDB using the IAM Role as described here. The problem statement is that I am unsure of the process required to ensure the connection works from an AWS perspective using Lambda.

Background info

I've created an IAM Role using AWS SAM.

MongoDBReadWriteAccess:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MongoDBReadWriteAccess
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::<atlast aws account ID>:root
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: <external ID>

I attempt to retrieve the keys from the env variables in my application logic

import os
from urllib.parse import quote_plus
aws_access_key_id = os.getenv("AWS_ACCESS_KEY_ID")
aws_secret_access_key = os.getenv("AWS_SECRET_ACCESS_KEY")
aws_session_token = os.getenv("AWS_SESSION_TOKEN")
access_key_URI, secret_key_URI, session_token_URI = map(quote_plus, (aws_access_key_id, aws_secret_access_key, aws_session_token))

I create the connection

url_connection = f"mongodb+srv://{access_key_URI}:{secret_key_URI}@{server_name}.ozmat.mongodb.net/?authSource=%24external&authMechanism=MONGODB-AWS&retryWrites=true&w=majority&authMechanismProperties=AWS_SESSION_TOKEN:{session_token_URI}"

However, the role that I created isn't the assumed role at execution time.

OperationFailure: bad auth : user arn:aws:sts::<id>:assumed-role/<incorrect_role_name>/* is not found, full error: {'ok': 0, 'errmsg': 'bad auth : user arn:aws:sts::<id>:assumed-role/<incorrect_role_name> is not found', 'code': 8000, 'codeName': 'AtlasError'}
Traceback (most recent call last):

I've attempted to assign the role using SAM:

StepPlanCRUD:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      PackageType: Image
      Architectures:
        - x86_64
      Role: !GetAtt MongoDBReadWriteAccess.Arn

but I get the following error on deploy:

"The role defined for the function cannot be assumed by Lambda. (Service: Lambda, Status Code: 400, ...       

Please can somebody detail the steps required in order to allow connectivity between Lambda and Atlas from an AWS perspective?

First, assign a policy to the Lambda that allows it to assume the MongoDB Atlas role that you have created.

E.g.:

    PolicyName: AssumeMongoDBReadWriteAccessRole
    PolicyDocument:
      Statement:
      - Action: sts:AssumeRole
        Effect: Allow
        Resource:
          Fn::GetAtt:
            - MongoDBReadWriteAccess
            - Arn
      Version: '2012-10-17'

Then, inside the Lambda code, use the AWS CLI command aws sts assume-role to assume that role and retrieve the keys (AccessKeyId, SecretAccessKey, SessionToken). Now you can use them to open a connection.
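A worked version of the procedure above in Python, added here and not part of the original post or of any MongoDB/AWS project code. The role ARN, external ID and Atlas host are constructed placeholders, `boto3` and `pymongo` are the assumed SDK and driver (MONGODB-AWS needs `pymongo[aws]`), the URI builder percent-encodes the temporary credentials (session tokens contain `/`, `+` and `=`), and the assume step fails fast if STS returned a role other than the one Atlas trusts, which is the situation behind the "user ... is not found" error in the question.

```python
import os
import re
from urllib.parse import quote_plus

# Constructed placeholders for this example; take the real values from your stack outputs.
ATLAS_ROLE_ARN = os.getenv("ATLAS_ROLE_ARN", "arn:aws:iam::111122223333:role/MongoDBReadWriteAccess")
ATLAS_EXTERNAL_ID = os.getenv("ATLAS_EXTERNAL_ID", "<external ID>")
ATLAS_HOST = os.getenv("ATLAS_HOST", "<server_name>.ozmat.mongodb.net")


def role_name_from_arn(assumed_role_arn):
    """Return the role name Atlas will look up, e.g. 'MongoDBReadWriteAccess'
    from 'arn:aws:sts::123456789012:assumed-role/MongoDBReadWriteAccess/session'."""
    m = re.fullmatch(r"arn:aws:sts::\d{12}:assumed-role/([^/]+)/.+", assumed_role_arn)
    return m.group(1) if m else None


def build_atlas_uri(creds, host):
    """Build the MONGODB-AWS URI from an STS Credentials dict. Temporary secrets
    and session tokens contain '/', '+' and '=', so every part is percent-encoded."""
    key = quote_plus(creds["AccessKeyId"])
    secret = quote_plus(creds["SecretAccessKey"])
    token = quote_plus(creds["SessionToken"])
    return (
        f"mongodb+srv://{key}:{secret}@{host}/?authSource=%24external"
        "&authMechanism=MONGODB-AWS&retryWrites=true&w=majority"
        f"&authMechanismProperties=AWS_SESSION_TOKEN:{token}"
    )


def assume_atlas_role(role_arn, external_id, sts=None):
    """Assume the Atlas-trusted role and fail fast if STS handed back a different role."""
    import boto3  # imported here so the module loads where boto3 is absent
    sts = sts or boto3.client("sts")
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName="lambda-atlas",
        ExternalId=external_id,  # must equal the sts:ExternalId condition in the trust policy
        DurationSeconds=900,  # shortest allowed lifetime; one invocation does not need more
    )
    got = role_name_from_arn(resp["AssumedRoleUser"]["Arn"])
    if got != role_arn.rsplit("/", 1)[-1]:
        raise RuntimeError(f"assumed {got!r}, expected the Atlas role")
    return resp["Credentials"]


def lambda_handler(event, context):
    from pymongo import MongoClient  # needs pymongo[aws]
    creds = assume_atlas_role(ATLAS_ROLE_ARN, ATLAS_EXTERNAL_ID)
    return MongoClient(build_atlas_uri(creds, ATLAS_HOST)).admin.command("ping")
```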
