问题描述
我是AWS的新手。我正在尝试为AWS Redshift建立我的lambda函数,以便可以查询数据库。我已将凭据存储在密钥管理器中。
我了解到,密钥管理器已提供了示例代码来检索应用程序中的服务。但是,我不知道在复制lambda函数中的代码后如何进行操作。
handler.py
# Use this code snippet in your app.
# If you need more information about configurations or implementing the sample code,visit the AWS docs:
# https://aws.amazon.com/developers/getting-started/python/
import boto3
import base64
from botocore.exceptions import ClientError
def get_secret():
secret_name = "mykeyname"
region_name = "myregionname"
# Create a Secrets Manager client
session = boto3.session.Session()
client = session.client(
service_name='secretsmanager',region_name=region_name
)
# In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
# See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
# We rethrow the exception by default.
try:
get_secret_value_response = client.get_secret_value(
SecretId=secret_name
)
except ClientError as e:
if e.response['Error']['Code'] == 'DecryptionFailureException':
# Secrets Manager can't decrypt the protected secret text using the provided KMS key.
# Deal with the exception here,and/or rethrow at your discretion.
raise e
elif e.response['Error']['Code'] == 'InternalServiceErrorException':
# An error occurred on the server side.
# Deal with the exception here,and/or rethrow at your discretion.
raise e
elif e.response['Error']['Code'] == 'InvalidParameterException':
# You provided an invalid value for a parameter.
# Deal with the exception here,and/or rethrow at your discretion.
raise e
elif e.response['Error']['Code'] == 'InvalidRequestException':
# You provided a parameter value that is not valid for the current state of the resource.
# Deal with the exception here,and/or rethrow at your discretion.
raise e
elif e.response['Error']['Code'] == 'ResourceNotFoundException':
# We can't find the resource that you asked for.
# Deal with the exception here,and/or rethrow at your discretion.
raise e
else:
# Decrypts secret using the associated KMS CMK.
# Depending on whether the secret is a string or binary,one of these fields will be populated.
if 'SecretString' in get_secret_value_response:
secret = get_secret_value_response['SecretString']
else:
decoded_binary_secret = base64.b64decode(get_secret_value_response['SecretBinary'])
# Your code goes here.
如何检查连接是否建立以及如何从redshift查询?
我了解我们需要在代码中包含lambda_handler(event,context)。
解决方法
有两种方法可以在Amazon Redshift中运行查询。
SQL客户端
Amazon Redshift基于PostgreSQL。因此,您可以使用任何知道如何与PostgreSQL通讯的 SQL客户端。
对于Python,一个流行的选择是使用Psycopg – PostgreSQL database adapter for Python。
要进行连接,您需要提供端点,用户名和密码。确保Redshift数据库上的安全组允许来自与AWS Lambda函数关联的安全组的访问。
Redshift Data API
通过 Data API 连接到Redshift的新方法可以避免使用SQL客户端。
它使用IAM凭据,因此您实际上不需要存储在Secrets Manager中的该密码。另外,它不需要与Redshift数据库连接到同一VPC。
坦率地说,这听起来是一种更好的连接方式。 (我还没有尝试过。)