python - Boto3 cannot find resources when using the Lambda Python runtime in a containerised Lambda function
Problem description
When I try to access resources from AWS via boto3 (for example a secret from Secrets Manager), I get an error when I use the Python Lambda runtime (public.ecr.aws/lambda/python3.8). I use the SAM CLI to deploy my function.
This is my template file:
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  Ask-Waldo-Master-Data-Sam
Globals:
  Function:
    Timeout: 10
    Tracing: Active
    Environment:
      Variables:
        POWERTOOLS_METRICS_NAMESPACE: "ask-waldo"
        POWERTOOLS_SERVICE_NAME: "ask-waldo-master-service"
        LOG_LEVEL: DEBUG
        STAGE: DEVELOPMENT
  Api:
    TracingEnabled: true
Resources:
  MasterDataService:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      ImageConfig:
        Command: ["askwaldo_master_data.app.lambda_handler"]
      MemorySize: 4096
      Events:
        ApiEvent:
          Properties:
            RestApiId:
              Ref: AskWaldoMasterDataService
            Path: /{proxy+}
            Method: ANY
          Type: Api
      FunctionName: AskWaldoMasterDataService
      CodeUri: ./src
      Timeout: 300 # timeout of your lambda function
      MemorySize: 128 # memory size of your lambda function
      Description: Ask-Waldo Master data API serverless service
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      Policies:
        - PolicyName: 'ParameterStoreParameterAccess'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'ssm:GetParameter*'
                Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/dev/parameterStoreBlog*'
    Metadata:
      Dockerfile: Dockerfile
      DockerContext: ./src
      DockerTag: v1
  AskWaldoMasterDataService:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      OpenApiVersion: '3.0.0'
  LambdaFunctionLogGroup:
    Type: "AWS::Logs::LogGroup"
    DependsOn: "MasterDataService"
    Properties:
      RetentionInDays: 30
      LogGroupName: !Join ["", ["/aws/lambda/", !Ref MasterDataService]]
This is my Dockerfile:
ARG FUNCTION_DIR="/var/task/"
ARG APP_DIR="${FUNCTION_DIR}/askwaldo_master_data"
ARG RUNTIME_VERSION="3.8"
ARG DISTRO_VERSION="3.12"
# Stage 2 - build function and dependencies
FROM python:${RUNTIME_VERSION} AS build-image
ARG FUNCTION_DIR
ARG RUNTIME_VERSION
ARG APP_DIR
# Create function directory
RUN mkdir -p ${FUNCTION_DIR}
RUN mkdir -p ${APP_DIR}
# Copy requirements
COPY askwaldo_master_data/requirements.txt ${APP_DIR}
# Optional – Install the function's dependencies
RUN pip install -r ${APP_DIR}/requirements.txt --target ${FUNCTION_DIR}
COPY askwaldo_master_data ${APP_DIR}
# Stage 3 - final runtime image
# Grab a fresh copy of the Python image
FROM public.ecr.aws/lambda/python:${RUNTIME_VERSION}
# Include global arg in this stage of the build
ARG FUNCTION_DIR
# Set working directory to function root directory
WORKDIR ${FUNCTION_DIR}
# Copy in the built dependencies
COPY --from=build-image ${FUNCTION_DIR} ${FUNCTION_DIR}
CMD ["askwaldo_master_data.app.lambda_handler"]
When I run the code locally without Lambda, I get no error. Also, when I run the code in a normal Python environment (not the AWS runtime), I get no error. Only when I try to use the AWS Lambda environment, by starting a local API via the SAM CLI, do I get the following error: Secrets Manager can't find the specified secret.
[WARNING] 2021-09-24T08:53:20.615Z Subsegment secretsmanager discarded due to Lambda worker still initializing
[WARNING] 2021-09-24T08:53:20.828Z No subsegment to end.
Can someone help me figure out why boto3 cannot access the resource when it is executed inside the container?
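An added diagnostic example, not code from the question or from the askwaldo project: a Lambda image started by `sam local start-api` only sees the region and credentials the CLI injects from the host session, so "can't find the specified secret" is what Secrets Manager returns when the container resolves a different region than the one the secret lives in, or holds credentials for a different account. The checks below are pure functions over an environment dict so they run offline; the real boto3 lookup is isolated in `fetch_secret`. All function names, the sample environments and the secret ARN are constructed for this example (the `AKIA...` value is a placeholder, not a real key).

```python
"""Added example: sanity-check the AWS environment a container receives before
calling Secrets Manager. Names, sample envs and the ARN are constructed."""
import os
import re
from typing import Dict, List, Optional

# Shape of a Secrets Manager ARN:
#   arn:<partition>:secretsmanager:<region>:<account>:secret:<name>
SECRET_ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):secretsmanager:(?P<region>[^:]*):"
    r"(?P<account>[^:]*):secret:(?P<name>.+)$"
)


def resolved_region(env: Dict[str, str]) -> Optional[str]:
    """Region boto3 will use, from the variables Lambda and SAM set.
    The ~/.aws/config fallback is not consulted; the image normally has none."""
    return env.get("AWS_REGION") or env.get("AWS_DEFAULT_REGION")


def credential_source(env: Dict[str, str]) -> Optional[str]:
    """Which credential provider boto3 would satisfy first, judged from env alone."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "session-keys" if env.get("AWS_SESSION_TOKEN") else "static-keys"
    if env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") or env.get(
        "AWS_CONTAINER_CREDENTIALS_FULL_URI"
    ):
        return "container-endpoint"
    if env.get("AWS_PROFILE"):
        return "profile"
    return None


def parse_secret_arn(secret_id: str) -> Optional[Dict[str, str]]:
    """Return the ARN components, or None when secret_id is a bare secret name."""
    match = SECRET_ARN_RE.match(secret_id)
    return match.groupdict() if match else None


def diagnose(secret_id: str, env: Dict[str, str]) -> List[str]:
    """Findings that explain why a GetSecretValue call could fail.
    An empty list means the environment is at least consistent with the request."""
    findings: List[str] = []
    region = resolved_region(env)
    if region is None:
        findings.append(
            "no AWS_REGION/AWS_DEFAULT_REGION: boto3 cannot choose a Secrets Manager endpoint"
        )
    if credential_source(env) is None:
        findings.append(
            "no credentials in env: the call fails or runs under an unexpected identity"
        )
    arn = parse_secret_arn(secret_id)
    if arn is not None and region and arn["region"] and arn["region"] != region:
        findings.append(
            f"secret lives in {arn['region']} but the client is configured for {region}: "
            "ResourceNotFoundException is the expected outcome"
        )
    return findings


def fetch_secret(secret_id: str) -> str:
    """The real lookup; boto3 is imported lazily so the checks above need no SDK."""
    import boto3

    problems = diagnose(secret_id, dict(os.environ))
    if problems:
        raise RuntimeError("; ".join(problems))
    client = boto3.client("secretsmanager", region_name=resolved_region(os.environ))
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


# Constructed sample environments standing in for what the container receives.
HOST_SESSION_ENV = {  # what `sam local` injects from a host session (constructed values)
    "AWS_REGION": "eu-west-1",
    "AWS_ACCESS_KEY_ID": "AKIA-CONSTRUCTED-EXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "constructed",
    "AWS_SESSION_TOKEN": "constructed",
}
BARE_CONTAINER_ENV = {"AWS_REGION": "eu-west-1"}  # image run by hand, nothing injected
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/db-AbCdEf"


def example_findings() -> Dict[str, List[str]]:
    """Run the three scenarios a practitioner would compare."""
    same_region_arn = SECRET_ARN.replace("us-east-1", "eu-west-1")
    return {
        "ok": diagnose(same_region_arn, HOST_SESSION_ENV),
        "wrong_region": diagnose(SECRET_ARN, HOST_SESSION_ENV),
        "no_creds": diagnose("app/db", BARE_CONTAINER_ENV),
    }


if __name__ == "__main__":
    for name, result in example_findings().items():
        print(name, "->", result or "consistent")
```

Calling `diagnose(secret_id, dict(os.environ))` at the top of the handler and logging the result in each of the three setups the question describes (plain Python, the image run directly, and `sam local start-api`) shows which of region, credentials or account differs between the run that works and the one that fails. The two `[WARNING]` lines in the question come from the X-Ray tracer and are independent of credential resolution.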