问题描述
使用boto3从Chalice部署的Lambda启动EC2实例时遇到问题。
相关代码是这样:
resource = boto3.resource('ec2')
instance = resource.Instance(params['instance_id'])
if params['action'] == 'run':
try:
response = instance.start()
except BaseException as be:
logging.exception("Error: Failed to start instance" + str(be) )
raise ChaliceViewError("Internal error at server side")
else:
try:
response = instance.stop(Force=True)
except BaseException as be:
logging.exception("Error: Failed to stop instance" + str(be) )
raise ChaliceViewError("Internal error at server side")
请求似乎成功。例如,在2种情况下,将“ start()”方法称为boto3响应是:
{"Status":{"StartingInstances":[{"CurrentState":{"Code":0,"Name":"pending"},"InstanceId":"i-0129bb4079559e5bc","PrevIoUsstate":{"Code":80,"Name":"stopped"}}],"ResponseMetadata":{"RequestId":"d88a9fbc-f2f2-4c51-9629-30a63c7e753b","HTTPStatusCode":200,"HTTPHeaders":{"x-amzn-requestid":"d88a9fbc-f2f2-4c51-9629-30a63c7e753b","content-type":"text/xml;charset=UTF-8","content-length":"579","date":"Wed,23 Sep 2020 16:59:40 GMT","server":"AmazonEC2"},"RetryAttempts":0}}}
另一个响应是这样的:
{"Status":{"StartingInstances":[{"CurrentState":{"Code":0,"ResponseMetadata":{"RequestId":"2bde553a-87f1-4fe0-a13a-8b4db4c0dbbc","HTTPHeaders":{"x-amzn-requestid":"2bde553a-87f1-4fe0-a13a-8b4db4c0dbbc",23 Sep 2020 17:07:58 GMT","RetryAttempts":0}}}
但是,在两种情况下,实例均未启动,但AWS控制台中的实例状态保持为“已停止”。
当我在python控制台中尝试相同的代码段时,它起作用了,实例成功启动:
>>> import boto3
>>> resource = boto3.resource('ec2')
>>> instance = resource.Instance('i-0129bb4079559e5bc')
>>> response = instance.start()
>>> response
{'StartingInstances': [{'CurrentState': {'Code': 0,'Name': 'pending'},'InstanceId': 'i-0129bb4079559e5bc','PrevIoUsstate': {'Code': 80,'Name': 'stopped'}}],'ResponseMetadata': {'RequestId': '535224cc-21d8-45fa-a4a2-0ac984cdfe9a','HTTPStatusCode': 200,'HTTPHeaders': {'x-amzn-requestid': '535224cc-21d8-45fa-a4a2-0ac984cdfe9a','content-type': 'text/xml;charset=UTF-8','content-length': '579','date': 'Wed,23 Sep 2020 17:05:10 GMT','server': 'AmazonEC2'},'RetryAttempts': 0}}
有人以前见过这种行为吗?有什么明显的我想念的东西吗?
解决方法
这个问题我最终获得了AWS支持。
我尝试启动的计算机已从另一个AWS帐户迁移,并使用KMS密钥对其后备EBS卷进行了加密。 Lambda执行角色需要访问权限才能使用KMS密钥才能启动EC2实例。
在AWS技术的建议下,我将此声明添加到了KMS密钥策略中:
{
"Sid": "Allow Lambda role use of the CMK","Effect": "Allow","Principal": {
"AWS": [
"<REPLACE WITH LAMBDA-EXECUTION-ROLE-ARN>"
]
},"Action": [
"kms:Encrypt","kms:Decrypt","kms:ReEncrypt*","kms:GenerateDataKey*","kms:DescribeKey","kms:CreateGrant"
],"Resource": "*"
}
完成后,实例将成功启动。
我有一个悬而未决的问题(如果收到此问题,我将更新此答案)是为什么如果Lambda没有权限,boto3启动操作会返回成功。