amazon-web-services - CORS issues when calling AWS secrets manager from Lambda function
Problem description
I have an API written in python/chalice deployed as a Lambda which gets called from a web app. I thought I had the usual CORS issues fixed, at least, things are working with no problems and have done for a while. Being a good boy I decided it was time to move some hardcoded credentials out of the code into AWS Secrets Manager. Everything is still working well in my local environment (probably because both the API and app are on localhost) with the credentials correctly pulled out of Secrets Manager. However, when I deploy the API the web app is now reporting a CORS error:
Access to XMLHttpRequest at 'https://api' from origin 'https://webapp' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I've tracked the source of the problem down to my call to boto3.session.Session().client().get_secret_value(). If I don't make this call - no CORS errors.
Here's the relevant snippet of my API code:
import boto3
from chalice import Chalice

app = Chalice(app_name='api')  # placeholder app name; the question does not show the app setup


@app.route('/get/table', methods=['GET'], cors=True)
def GetTable():
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name="eu-west-2"
    )
    get_secret_value_response = client.get_secret_value(SecretId="prod/xxxx")
So, what's going wrong? Am I missing something simple?
Solution
I got there in the end. The root cause was not CORS but the fact that the Lambda uses a VPC. The fact that it was working locally (not sure how - perhaps something to do with the ssh tunnel I have set up for DB access) just added to the fog of confusion!
After much banging of my head on the keyboard this is what got it working:
- Setting up of a VPC endpoint for Secrets Manager for the VPC
- Adding an inbound rule to the VPC security group: All TCP for the security group (could perhaps be rationalised but I don't know what to)
- Modify the IAM permissions for the Lambda role to add Secrets Manager.
-- edit
Oh, the fun continues. The above works well... until I deploy a new version of the Lambda with Chalice. It seems that, by default, Chalice is generating a new policy for every deploy and even though it looks correct in the IAM console (Secrets Manager policy present) it's not working!
I've had to copy the IAM policy summary from the role (when it's working) and create a new policy.json file in my local .chalice folder. When deploying, either specifying
chalice deploy --no-autogen-policy
or adding "autogen_policy": false
to .chalice/config.json seems to finally fix things.
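Added example, not code from the question or the answer above: a fetch-and-cache wrapper for the Secrets Manager call that fails fast. When a Lambda inside a VPC has no route to Secrets Manager (no endpoint, as in the answer), boto3 keeps retrying a connection that can never succeed until the function times out, and the error response API Gateway then returns carries no CORS headers, which is why the browser reports a CORS problem. The client settings, the `SECRET_ID` placeholder copied from the question, the `table_response` shape and the `FakeSecretsClient` stand-in are all assumptions made for this example; it assumes the VPC endpoint and role permissions from the answer are in place.

```python
import json
from typing import Any, Dict, Optional

SECRET_ID = "prod/xxxx"     # placeholder id copied from the question, not a real secret
SECRET_CACHE: Dict[str, Dict[str, Any]] = {}   # persists across warm invocations of one container

class SecretUnavailable(RuntimeError):
    """The secret could not be read; the view turns this into a 503 instead of a hang."""

def build_client(region: str = "eu-west-2"):
    """Real Secrets Manager client that fails fast instead of hanging until the Lambda times out."""
    import boto3                        # imported lazily: the rest of the module runs without AWS
    from botocore.config import Config
    cfg = Config(connect_timeout=2, read_timeout=3, retries={"mode": "standard", "max_attempts": 1})
    return boto3.session.Session().client("secretsmanager", region_name=region, config=cfg)

def get_secret(secret_id: str, client: Any = None) -> Dict[str, Any]:
    """Fetch a secret once per warm container and return it as a dict."""
    if secret_id in SECRET_CACHE:
        return SECRET_CACHE[secret_id]
    client = client or build_client()
    try:
        resp = client.get_secret_value(SecretId=secret_id)
    except Exception as exc:            # EndpointConnectionError, ClientError (AccessDenied), ...
        raise SecretUnavailable(f"cannot read {secret_id}: {type(exc).__name__}") from exc
    raw = resp["SecretString"]
    try:
        value = json.loads(raw)         # key/value secrets are stored as a JSON object
    except ValueError:
        value = raw
    if not isinstance(value, dict):     # plain-text secret: wrap it so callers see one shape
        value = {"value": raw}
    SECRET_CACHE[secret_id] = value
    return value

def table_response(client: Any = None) -> Dict[str, Any]:
    """What the /get/table view should return: a real status code, and never the password."""
    try:
        creds = get_secret(SECRET_ID, client)
    except SecretUnavailable as exc:
        return {"status": 503, "body": {"error": str(exc)}}
    return {"status": 200, "body": {"db_user": creds.get("username")}}

class FakeSecretsClient:                # constructed stand-in for boto3's client; runs offline
    def __init__(self, secret_string: str = "", error: Optional[Exception] = None):
        self.secret_string, self.error = secret_string, error
    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        if self.error:
            raise self.error
        return {"SecretString": self.secret_string}
```

In the Chalice view, return the status and body from `table_response` via `chalice.Response` so the `cors=True` headers accompany the 503 as well.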