Amazon Web Services: Cannot connect to Amazon Keyspaces from a Lambda inside a VPC


I followed the instructions and created, with Terraform, the infrastructure I believe is required. However, I get the following error when I try to connect:

{
  "errorType": "AggregateException",
  "errorMessage": "One or more errors occurred. (All hosts tried for query failed (tried 172.31.41.121:9142: AuthenticationException 'The remote certificate is invalid according to the validation procedure.'; 172.31.18.20:9142: AuthenticationException 'The remote certificate is invalid according to the validation procedure.'))",
  "stackTrace": [
    "at lambda_method(Closure , Stream , Stream , LambdaContextInternal )"
  ],
  "cause": {
    "errorType": "NoHostAvailableException",
    "errorMessage": "All hosts tried for query failed (tried 172.31.41.121:9142: AuthenticationException 'The remote certificate is invalid according to the validation procedure.'; 172.31.18.20:9142: AuthenticationException 'The remote certificate is invalid according to the validation procedure.')",
    "stackTrace": [
      "at Cassandra.Connections.Control.ControlConnection.Connect(Boolean isInitializing)",
      "at Cassandra.Connections.Control.ControlConnection.InitAsync()",
      "at Cassandra.Tasks.TaskHelper.WaitToCompleteAsync(Task task, Int32 timeout)",
      "at Cassandra.Cluster.Init()",
      "at Cassandra.Cluster.ConnectAsync(String keyspace)"
    ]
  },
  "causes": [
    {
      "errorType": "NoHostAvailableException",
      "errorMessage": "All hosts tried for query failed (tried 172.31.41.121:9142: AuthenticationException 'The remote certificate is invalid according to the validation procedure.'; 172.31.18.20:9142: AuthenticationException 'The remote certificate is invalid according to the validation procedure.')",
      "stackTrace": [
        "at Cassandra.Connections.Control.ControlConnection.Connect(Boolean isInitializing)",
        "at Cassandra.Connections.Control.ControlConnection.InitAsync()",
        "at Cassandra.Tasks.TaskHelper.WaitToCompleteAsync(Task task, Int32 timeout)",
        "at Cassandra.Cluster.Init()",
        "at Cassandra.Cluster.ConnectAsync(String keyspace)"
      ]
    }
  ]
}
I have created an aws_vpc_endpoint_service, so I was surprised that this does not work.

# Security group for resources that need to reach Keyspaces from the VPC
resource "aws_security_group" "keyspaces_endpoint_vpc_access" {
  name   = "keyspaces-endpoint-access"
  vpc_id = aws_default_vpc.default.id
}

resource "aws_security_group" "keyspace_endpoint" {
  name   = "keyspace-endpoint"
  vpc_id = aws_default_vpc.default.id

  ingress {
    from_port       = 9142
    to_port         = 9142
    protocol        = "tcp"
    security_groups = [aws_security_group.keyspaces_endpoint_vpc_access.id]
  }
}

data "aws_vpc_endpoint_service" "keyspace" {
  service = "cassandra"
}

resource "aws_vpc_endpoint" "keyspace_endpoint" {
  vpc_id              = aws_default_vpc.default.id
  vpc_endpoint_type   = "Interface"
  service_name        = data.aws_vpc_endpoint_service.keyspace.service_name
  security_group_ids  = [aws_security_group.keyspace_endpoint.id]
  private_dns_enabled = true
  subnet_ids = [
    data.aws_subnet.selected.id,
    aws_default_subnet.subnet_a.id,
    aws_default_subnet.subnet_b.id
  ]

  policy =

The problem was the SSL configuration in the Lambda code.

Calling SetHostNameResolver is very important, but apparently only when running inside the VPC:

let options =
    // SSLOptions from the DataStax C# driver; the hostname resolver maps the
    // endpoint's private IPs back to the service name on the certificate
    SSLOptions()
        .SetCertificateCollection(certCollection)
        .SetHostNameResolver(fun _ -> sprintf "cassandra.%s.amazonaws.com" region)
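As an added example (not the asker's code and not part of the driver or AWS documentation), this is how the whole connection could be configured with the DataStax C# driver from F# while keeping certificate validation switched on. The region, certPath, user and password parameters are assumed inputs; certPath is assumed to point at the Amazon root CA in DER form packaged with the function.

```fsharp
// Added example: connect to Amazon Keyspaces through a VPC interface endpoint
// without weakening TLS validation. Assumes the DataStax C# driver (Cassandra
// namespace) and that region/certPath/user/password are provided by the caller.
open System
open System.Net
open System.Security.Cryptography.X509Certificates
open Cassandra

let connectKeyspaces (region: string) (certPath: string) (user: string) (password: string) =
    let serviceHost = sprintf "cassandra.%s.amazonaws.com" region

    // Trust only the Amazon root CA shipped with the function package,
    // not whatever happens to be in the runtime's trust store.
    let certCollection = X509CertificateCollection()
    certCollection.Add(X509Certificate2(certPath))

    // Inside the VPC the private DNS name resolves to endpoint IPs such as
    // 172.31.x.x, while the server certificate is issued for the service
    // hostname. Resolving every contact IP back to that hostname lets the
    // driver validate the certificate normally instead of disabling checks
    // with a permissive remote-certificate callback.
    let sslOptions =
        SSLOptions()
            .SetCertificateCollection(certCollection)
            .SetHostNameResolver(fun (_: IPAddress) -> serviceHost)

    let cluster =
        Cluster.Builder()
            .AddContactPoint(serviceHost)
            .WithPort(9142)
            .WithAuthProvider(PlainTextAuthProvider(user, password))
            .WithSSL(sslOptions)
            .Build()

    // Returns an ISession; a failed certificate check surfaces here as
    // NoHostAvailableException, as in the error above.
    cluster.Connect("system")
```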


Try using the DER format of the Amazon CA root certificate. Either convert the pem to crt with openssl:
openssl x509 -outform DER -in AWSCA.pem -out your-cert.crt
or download the DER-format certificate from here. Don't forget to update the function code with the new certificate format. :-)

The keyspaces_endpoint_vpc_access security group does not list any explicit egress rules. Does Terraform give it default "all outbound" access? (You can inspect the security group after deployment to check.)

@JohnRotenstein It does not seem to make any difference.

@SRATH I tried using .cer, but I got the same error.