AWS Lambda export of an RDS snapshot to S3 fails with KMSKeyNotAccessibleFault - permissions issue

Question description   Votes: 0   Answers: 1

I have two AWS Lambda functions that automate taking an Amazon RDS (Aurora) snapshot and exporting it to an S3 bucket for cold storage. The first Lambda function creates the RDS snapshot and sends an event to AWS EventBridge. Once the snapshot creation completes, the second Lambda function is triggered by an EventBridge rule and exports the snapshot to S3. The exported snapshot can then be transitioned to S3 Glacier for long-term storage using an S3 lifecycle policy.

When the second Lambda function tries to export the snapshot to S3, I get a KMSKeyNotAccessibleFault error.

Lambda code:

First Lambda function in Python (creates the snapshot):

import boto3
import json
from datetime import datetime, timedelta

rds_client = boto3.client('rds')
eventbridge_client = boto3.client('events')

def lambda_handler(event, context):
    db_cluster_identifier = 'staging-aurora'
    
    # Convert UTC to IST
    utc_time = datetime.utcnow()
    ist_time = utc_time + timedelta(hours=5, minutes=30)
    snapshot_identifier = f"cold-storage-snapshot-{ist_time.strftime('%Y-%m-%d-%H-%M-%S')}"
    
    try:
        # Create Aurora DB Cluster Snapshot
        create_snapshot_response = rds_client.create_db_cluster_snapshot(
            DBClusterSnapshotIdentifier=snapshot_identifier,
            DBClusterIdentifier=db_cluster_identifier
        )
        
        # Send snapshot identifier to EventBridge
        eventbridge_response = eventbridge_client.put_events(
            Entries=[
                {
                    'Source': 'my.rds.snapshot',
                    'DetailType': 'RDSSnapshotCreated',
                    'Detail': json.dumps({
                        'snapshot_identifier': snapshot_identifier,
                        'db_cluster_identifier': db_cluster_identifier
                    }),
                    'EventBusName': 'default'
                }
            ]
        )
        
        return {
            'statusCode': 200,
            # boto3 responses contain datetime values (e.g. SnapshotCreateTime), which
            # json.dumps cannot serialize without a default; default=str avoids a TypeError
            # that would otherwise be swallowed by the except block below.
            'body': json.dumps({
                'message': f"Snapshot {snapshot_identifier} creation initiated and event sent to EventBridge.",
                'createSnapshotResponse': create_snapshot_response,
                'eventbridgeResponse': eventbridge_response
            }, default=str)
        }
    except Exception as e:
        return {
            'statusCode': 500,
            'body': json.dumps({'message': str(e)})
        }

Second Lambda function in Python (exports the snapshot to S3):

import boto3
import json

rds_client = boto3.client('rds')

def lambda_handler(event, context):
    snapshot_identifier = event['detail']['SourceIdentifier']  # Snapshot ID from EventBridge
    s3_bucket_name = 'cold-storage-sample'
    kms_key_id = 'arn:aws:kms:ap-southeast-1:<account-id>:key/<key-id>'  # Placeholder for KMS Key ARN
    iam_role_arn = 'arn:aws:iam::<account-id>:role/RDS-Snapshot-Export-Role'  # Placeholder for IAM Role ARN

    try:
        # Export Snapshot to S3
        export_task_response = rds_client.start_export_task(
            ExportTaskIdentifier=f"export-task-{snapshot_identifier}",
            SourceArn=f"arn:aws:rds:ap-southeast-1:<account-id>:cluster-snapshot:{snapshot_identifier}",
            S3BucketName=s3_bucket_name,
            IamRoleArn=iam_role_arn,
            KmsKeyId=kms_key_id
        )
        
        return {
            'statusCode': 200,
            # The export task response also carries datetime fields; default=str keeps
            # json.dumps from raising.
            'body': json.dumps({
                'message': f"Export task started for snapshot {snapshot_identifier}.",
                'exportTaskResponse': export_task_response
            }, default=str)
        }
    except Exception as e:
        return {
            'statusCode': 500,
            'body': json.dumps({
                'message': f"Error in exporting snapshot to S3: {str(e)}"
            })
        }

Problem:

When I trigger the second Lambda function (which exports the RDS snapshot to S3), I consistently get the following error:

{
  "statusCode": 500,
  "body": "{\"message\": \"Error in exporting snapshot to S3: An error occurred (KMSKeyNotAccessibleFault) when calling the StartExportTask operation: The specified KMS key [arn:aws:kms:ap-southeast-1:<account-id>:key/<key-id>] does not exist, is not enabled or you do not have permissions to access it.\"}"
}

What I have checked so far:

  1. KMS key state:

    • The KMS key is in the Enabled state.

    • I have verified that the correct ARN (arn:aws:kms:ap-southeast-1:<account-id>:key/<key-id>) is used in the Lambda function.

  2. IAM role policy for the Lambda (RDS-Snapshot-Export-Role):

    • I have attached the following policy to the Lambda's IAM role:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "rds:StartExportTask",
              "rds:DescribeExportTasks",
              "rds:ListTagsForResource"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:GenerateDataKey",
              "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:ap-southeast-1:<account-id>:key/<key-id>"
          },
          {
            "Effect": "Allow",
            "Action": [
              "s3:PutObject",
              "s3:GetObject",
              "s3:ListBucket"
            ],
            "Resource": [
              "arn:aws:s3:::cold-storage-sample",
              "arn:aws:s3:::cold-storage-sample/*"
            ]
          }
        ]
      }

  3. KMS key policy:

    • I have also updated the KMS key policy to allow access for the Lambda's IAM role:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Allow Full Access to Lambda Role",
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::<account-id>:role/RDS-Snapshot-Export-Role"
            },
            "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:GenerateDataKey",
              "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:ap-southeast-1:<account-id>:key/<key-id>"
          }
        ]
      }

  4. Region consistency:

    • The Lambda function, KMS key, S3 bucket and RDS snapshot are all in the same region: ap-southeast-1

Question:

Despite following the documentation and making sure the KMS key and IAM role permissions are correct, I still get the KMSKeyNotAccessibleFault error. Could I be missing something specific related to permissions or configuration? How can I debug or resolve this further?

Any help or insight would be greatly appreciated!

amazon-web-services amazon-s3 aws-lambda amazon-rds amazon-kms
1 answer

0 votes

It looks like you are missing kms:CreateGrant in the KMS key policy, and you should allow the service principal export.rds.amazonaws.com to perform these actions. You can check the DB cluster snapshot export documentation and the Aurora documentation on encryption keys for more details, but the gist is:

  1. Create a symmetric encryption AWS KMS key
  2. The KMS key policy must include the kms:CreateGrant and kms:DescribeKey permissions
  3. If your KMS key policy has deny statements, make sure to explicitly exclude the AWS service principal export.rds.amazonaws.com
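As an added illustration of the answer's point (not code from the question or the answer): a small checker that reads a KMS key policy document and reports whether export.rds.amazonaws.com is allowed kms:CreateGrant and kms:DescribeKey, and whether a Deny statement would still block it. It runs against constructed copies of the question's role-only key policy, a corrected policy with the export-service statement added, and one with a blanket Deny; Condition and NotAction elements are ignored (assumption), and <account-id> is a placeholder as on the page.

```python
import json
from fnmatch import fnmatchcase

# Service principal RDS uses to export a snapshot to S3, and what the answer says it needs.
EXPORT_PRINCIPAL = "export.rds.amazonaws.com"
REQUIRED_ACTIONS = {"kms:CreateGrant", "kms:DescribeKey"}

def _as_list(value):  # policy elements may be a string or a list
    return [] if value is None else (value if isinstance(value, list) else [value])

def _names(principal):  # flatten Principal/NotPrincipal into a set of identifiers
    if principal == "*":
        return {"*"}
    return set(_as_list(principal.get("AWS")) + _as_list(principal.get("Service")))

def _covers_export(stmt):  # does the statement apply to the export service principal?
    if "NotPrincipal" in stmt:
        return EXPORT_PRINCIPAL not in _names(stmt["NotPrincipal"])
    names = _names(stmt.get("Principal", {}))
    return EXPORT_PRINCIPAL in names or "*" in names

def export_permission_gaps(policy_doc):
    """Required actions not allowed to the export principal, and those explicitly
    denied to it. Assumption: no Condition or NotAction elements (both are ignored)."""
    allowed, denied = set(), set()
    for stmt in json.loads(policy_doc).get("Statement", []):
        if not _covers_export(stmt):
            continue
        patterns = _as_list(stmt.get("Action"))
        hit = {a for a in REQUIRED_ACTIONS if any(fnmatchcase(a, p) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= hit
        elif stmt.get("Effect") == "Deny":
            denied |= hit
    return {"missing": sorted(REQUIRED_ACTIONS - allowed), "denied": sorted(denied)}

# Constructed samples. ROLE_STATEMENT mirrors the question's key policy, which names
# only the Lambda role (<account-id> is a placeholder, as on the page).
ROLE_STATEMENT = {"Effect": "Allow", "Resource": "*",
    "Principal": {"AWS": "arn:aws:iam::<account-id>:role/RDS-Snapshot-Export-Role"},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"]}
# The statement the answer calls for: the export service may create grants and describe the key.
EXPORT_STATEMENT = {"Sid": "AllowRDSExportService", "Effect": "Allow", "Resource": "*",
    "Principal": {"Service": EXPORT_PRINCIPAL}, "Action": ["kms:CreateGrant", "kms:DescribeKey"]}
# A blanket Deny that does not exclude the service principal blocks the export again.
BLANKET_DENY = {"Effect": "Deny", "Principal": "*", "Action": "kms:*", "Resource": "*"}

def policy(*statements):  # build a key policy document from statements
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})

ROLE_ONLY_POLICY = policy(ROLE_STATEMENT)
FIXED_POLICY = policy(ROLE_STATEMENT, EXPORT_STATEMENT)
DENIED_POLICY = policy(ROLE_STATEMENT, EXPORT_STATEMENT, BLANKET_DENY)
```

Running `export_permission_gaps` on a key policy fetched with `kms:GetKeyPolicy` gives a quick pre-flight check before calling `start_export_task`.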