Problem description
I have an AWS Lambda function that is supposed to write to Firehose. However, when I create a PutRecordBatchRequest, it times out and never writes to Firehose.
The function is in a VPC. I attached a policy to the Lambda's role to allow access:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "firehose:*"
      ],
      "Resource": [
        "${aws_kinesis_firehose_delivery_stream.my_firehose.arn}"
      ]
    }
  ]
}
Note that I am using Terraform, so a solution in HCL would be greatly appreciated.
How can I make this work?
Solution
You need to add an aws_vpc_endpoint. This allows a Lambda inside the VPC to communicate with AWS services outside the VPC. See https://docs.aws.amazon.com/firehose/latest/dev/vpc.html.
resource "aws_security_group" "firehose_endpoint" {
  name   = "firehose-endpoint"
  vpc_id = aws_default_vpc.default.id

  # The endpoint's network interfaces must accept HTTPS from the Lambda.
  # Terraform creates the group with no ingress rules, so without this
  # block the group blocks all traffic and the call still times out.
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_default_vpc.default.cidr_block]
  }
}

resource "aws_vpc_endpoint" "firehose_endpoint" {
  vpc_id              = aws_default_vpc.default.id
  vpc_endpoint_type   = "Interface"
  service_name        = "com.amazonaws.eu-west-2.kinesis-firehose"
  security_group_ids  = [aws_security_group.firehose_endpoint.id]
  private_dns_enabled = true
  subnet_ids = [
    aws_default_subnet.subnet_a.id,
    aws_default_subnet.subnet_b.id
  ]

  # Endpoint policy. "Principal": "*" and "Resource": "*" let any caller in
  # the VPC reach any Firehose stream through this endpoint; narrow both to
  # the Lambda's role and the one delivery stream once it works.
  policy = <<EOF
{
  "Statement": [
    {
      "Sid": "Firehose-full-access",
      "Principal": "*",
      "Action": "firehose:*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}
Of course, you will need to tailor the policy, subnets, and so on. You also need to either set up internet access as suggested, or set up AWS PrivateLink as described at https://docs.aws.amazon.com/firehose/latest/dev/vpc.html.
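As an added example (not code from the question or the answer), here is a hardened drop-in replacement for the answer's security group and endpoint: ingress is limited to the Lambda's own security group, the Lambda's egress is pinned to the endpoint, and the endpoint policy allows only the function's role to call PutRecord/PutRecordBatch on the one delivery stream. It assumes aws_security_group.lambda and aws_iam_role.lambda exist in the same configuration; the stream aws_kinesis_firehose_delivery_stream.my_firehose is the one from the question.

```hcl
# Added hardening of the answer's two resources (drop-in replacement).
# Assumed names: aws_security_group.lambda (the function's security group)
# and aws_iam_role.lambda (its execution role).
resource "aws_security_group" "firehose_endpoint" {
  name   = "firehose-endpoint"
  vpc_id = aws_default_vpc.default.id

  # Only the Lambda's security group may reach the endpoint ENIs, HTTPS only.
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.lambda.id]
  }
}

# Pin the Lambda's outbound traffic to the endpoint: a compromised function
# cannot use its VPC attachment to reach other hosts in the VPC.
resource "aws_security_group_rule" "lambda_egress_to_firehose_endpoint" {
  type                     = "egress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  security_group_id        = aws_security_group.lambda.id
  source_security_group_id = aws_security_group.firehose_endpoint.id
}

resource "aws_vpc_endpoint" "firehose_endpoint" {
  vpc_id              = aws_default_vpc.default.id
  vpc_endpoint_type   = "Interface"
  service_name        = "com.amazonaws.eu-west-2.kinesis-firehose"
  security_group_ids  = [aws_security_group.firehose_endpoint.id]
  private_dns_enabled = true
  subnet_ids          = [aws_default_subnet.subnet_a.id, aws_default_subnet.subnet_b.id]

  # Endpoint policy: only the function's role, only the two write calls, only
  # this stream. aws:PrincipalArn resolves to the role ARN for a Lambda session.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "LambdaPutToMyFirehose"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["firehose:PutRecord", "firehose:PutRecordBatch"]
      Resource  = aws_kinesis_firehose_delivery_stream.my_firehose.arn
      Condition = { ArnEquals = { "aws:PrincipalArn" = aws_iam_role.lambda.arn } }
    }]
  })
}
```

With this in place, a PutRecordBatch from any other role, or to any other stream, is rejected at the endpoint even if the caller's IAM policy would allow it.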