英文:
Request times out when try to assume a role with AWS sts from a private subnet using a VPC Endpoint
问题
当我在运行在VPC的私有子网上的Lambda函数中调用AWS sts来扮演一个角色时,我遇到了超时的问题。
我的设置如下:
- 我在VPC中运行一个附加到私有子网和安全组的Lambda函数
- 由于子网是私有的,我已经配置了一个VPC终端节点来访问
com.amazonaws.eu-west-1.sts上的STS。 - 我的Lambda函数是用旧版的
sdk-for-gov1 API编写的,文档链接:https://docs.aws.amazon.com/sdk-for-go/api/ - 我还配置了一个VPC终端节点来访问S3,没有任何问题。
我的VPC终端节点的Terraform配置如下:
resource "aws_vpc_endpoint" "xxxx-sts" {
vpc_id = aws_vpc.xxxx.id
service_name = "com.amazonaws.eu-west-1.sts"
vpc_endpoint_type = "Interface"
security_group_ids = [aws_security_group.xxxx.id]
subnet_ids = [aws_subnet.xxxx.id]
private_dns_enabled = true
}
请注意,以上是您要翻译的内容。
英文:
When I'm calling AWS sts to assume a role in a lambda function running in a private subnet on a VPC with an Endpoint configured for STS. However, my request times out.
My setup is as follows:
- I run a lambda attached to a private subnet and security group in a VPC
- Because the subnet is private, I've configured a VPC Endpoint to access STS on
com.amazonaws.eu-west-1.sts - My lambda is written in golang using the older
sdk-for-gov1 api: https://docs.aws.amazon.com/sdk-for-go/api/ - I've also configered a VPC Endpoint to access S3 which works without problems
My terraform configuration for the VPC endpoint is:
resource "aws_vpc_endpoint" "xxxx-sts" {
vpc_id = aws_vpc.xxxx.id
service_name = "com.amazonaws.eu-west-1.sts"
vpc_endpoint_type = "Interface"
security_group_ids = [aws_security_group.xxxx.id]
subnet_ids = [aws_subnet.xxxx.id]
private_dns_enabled = true
}
答案1
得分: 2
要解决这个问题,请将以下 ENV 键/值添加到您的 Lambda 函数或应用程序环境中:
export AWS_STS_REGIONAL_ENDPOINTS='regional'
这将强制 AWS SDK 在调用 STS 时使用区域性而不是全局性的终端节点,具体文档可参考:https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html
否则,Go SDK 将默认使用全局 sts 终端节点 https://sts.amazonaws.com,例如对于 eu-west-1 等地区(以下地区会发生这种情况:ap-northeast-1、ap-south-1、ap-southeast-1、ap-southeast-2、aws-global、ca-central-1、eu-central-1、eu-north-1、eu-west-1、eu-west-2、eu-west-3、sa-east-1、us-east-1、us-east-2、us-west-1 和 us-west-2)。
STS VPC 终端节点仅配置了区域性 URL,因此当程序尝试在私有子网中访问全局 URL 时,无法建立连接,而是超时。
英文:
To fix this problem, add the following ENV key/value to your lambda or application environment:
export AWS_STS_REGIONAL_ENDPOINTS='regional'
This forces the AWS SDK to use regional rather than global endpoints when calling STS as documented here: https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html
What happens otherwise is that the Go SDK will default to using the global sts endpoint https://sts.amazonaws.com for regions such as eu-west-1 (This happens in the following regions: ap-northeast-1, ap-south-1, ap-southeast-1, ap-southeast-2, aws-global, ca-central-1, eu-central-1, eu-north-1, eu-west-1, eu-west-2, eu-west-3, sa-east-1, us-east-1, us-east-2, us-west-1, and us-west-2)
The STS VPC Endpoint is configured only for regional URLs and so when the program tries to access a global URL in a private subnet, a connection can't be established and times out instead.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论