当尝试使用AWS sts从私有子网使用VPC终端点假定角色时,请求超时。

huangapple go评论105阅读模式
英文:

Request times out when try to assume a role with AWS sts from a private subnet using a VPC Endpoint

问题

当我在运行在VPC的私有子网上的Lambda函数中调用AWS sts来扮演一个角色时,我遇到了超时的问题。

我的设置如下:

  • 我在VPC中运行一个附加到私有子网和安全组的Lambda函数
  • 由于子网是私有的,我已经配置了一个VPC终端节点来访问com.amazonaws.eu-west-1.sts上的STS。
  • 我的Lambda函数是用旧版的sdk-for-go v1 API编写的,文档链接:https://docs.aws.amazon.com/sdk-for-go/api/
  • 我还配置了一个VPC终端节点来访问S3,没有任何问题。

我的VPC终端节点的Terraform配置如下:

resource "aws_vpc_endpoint" "xxxx-sts" {
  vpc_id              = aws_vpc.xxxx.id
  service_name        = "com.amazonaws.eu-west-1.sts"
  vpc_endpoint_type   = "Interface"
  security_group_ids  = [aws_security_group.xxxx.id]
  subnet_ids          = [aws_subnet.xxxx.id]
  private_dns_enabled = true
}

请注意,以上是您要翻译的内容。

英文:

When I'm calling AWS sts to assume a role in a lambda function running in a private subnet on a VPC with an Endpoint configured for STS. However, my request times out.

My setup is as follows:

  • I run a lambda attached to a private subnet and security group in a VPC
  • Because the subnet is private, I've configured a VPC Endpoint to access STS on com.amazonaws.eu-west-1.sts
  • My lambda is written in golang using the older sdk-for-go v1 api: https://docs.aws.amazon.com/sdk-for-go/api/
  • I've also configered a VPC Endpoint to access S3 which works without problems

My terraform configuration for the VPC endpoint is:

resource "aws_vpc_endpoint" "xxxx-sts" {
  vpc_id = aws_vpc.xxxx.id
  service_name = "com.amazonaws.eu-west-1.sts"
  vpc_endpoint_type = "Interface"
  security_group_ids = [aws_security_group.xxxx.id]
  subnet_ids = [aws_subnet.xxxx.id]
  private_dns_enabled = true
}

答案1

得分: 2

要解决这个问题,请将以下 ENV 键/值添加到您的 Lambda 函数或应用程序环境中:

export AWS_STS_REGIONAL_ENDPOINTS='regional'

这将强制 AWS SDK 在调用 STS 时使用区域性而不是全局性的终端节点,具体文档可参考:https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

否则,Go SDK 将默认使用全局 sts 终端节点 https://sts.amazonaws.com,例如对于 eu-west-1 等地区(以下地区会发生这种情况:ap-northeast-1、ap-south-1、ap-southeast-1、ap-southeast-2、aws-global、ca-central-1、eu-central-1、eu-north-1、eu-west-1、eu-west-2、eu-west-3、sa-east-1、us-east-1、us-east-2、us-west-1 和 us-west-2)。

STS VPC 终端节点仅配置了区域性 URL,因此当程序尝试在私有子网中访问全局 URL 时,无法建立连接,而是超时。

英文:

To fix this problem, add the following ENV key/value to your lambda or application environment:

export AWS_STS_REGIONAL_ENDPOINTS='regional'

This forces the AWS SDK to use regional rather than global endpoints when calling STS as documented here: https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

What happens otherwise is that the Go SDK will default to using the global sts endpoint https://sts.amazonaws.com for regions such as eu-west-1 (This happens in the following regions: ap-northeast-1, ap-south-1, ap-southeast-1, ap-southeast-2, aws-global, ca-central-1, eu-central-1, eu-north-1, eu-west-1, eu-west-2, eu-west-3, sa-east-1, us-east-1, us-east-2, us-west-1, and us-west-2)

The STS VPC Endpoint is configured only for regional URLs and so when the program tries to access a global URL in a private subnet, a connection can't be established and times out instead.

huangapple
  • 本文由 发表于 2022年2月25日 00:59:54
  • 转载请务必保留本文链接:https://go.coder-hub.com/71255594.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定