I have this configuration:

Resources:
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName:
        Fn::Join:
          - '-'
          - - Ref: AWS::StackName
            - ${self:custom.stage}
            - sg
      GroupDescription: Allow all traffic on ports 5432
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 5432
          ToPort: 5432
          CidrIp: 0.0.0.0/0
  RDSDBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceID
      DBName: !Ref DBName
      DBInstanceClass: !Ref DBInstanceClass
      AllocatedStorage: !Ref DBAllocatedStorage
      Engine: postgres
      EngineVersion: "15.5"
      MasterUsername: !Join ["", ["{{resolve:secretsmanager:", !Ref ProxySecret, ":SecretString:username}}"]]
      MasterUserPassword: !Join ["", ["{{resolve:secretsmanager:", !Ref ProxySecret, ":SecretString:password}}"]]
      VPCSecurityGroups:
        - Fn::GetAtt: [ SecurityGroup, GroupId ]
  DBProxy:
    Type: AWS::RDS::DBProxy
    Properties:
      DBProxyName: rdsproxy
      RoleArn: !GetAtt [ RDSProxyRole, Arn ]
      DebugLogging: true
      RequireTLS: true
      Auth: [ {AuthScheme: SECRETS, SecretArn: !Ref ProxySecret} ]
      EngineFamily: POSTGRESQL
      VpcSecurityGroupIds: [!GetAtt [ SecurityGroup, GroupId ]]
      VpcSubnetIds:
        - ${env:SUBNET_ID_1}
        - ${env:SUBNET_ID_2}
  ProxyTargetGroup:
    Type: AWS::RDS::DBProxyTargetGroup
    Properties:
      DBProxyName: !Ref DBProxy
      DBInstanceIdentifiers: [!Ref RDSDBInstance]
      TargetGroupName: default
      ConnectionPoolConfigurationInfo:
        MaxConnectionsPercent: 100
        MaxIdleConnectionsPercent: 50
        ConnectionBorrowTimeout: 120
  ProxySecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: ProxySecret
      GenerateSecretString:
        SecretStringTemplate: '{"username": "masterpassword"}'
        GenerateStringKey: "password"
        PasswordLength: 30
        ExcludePunctuation: true
  RDSProxyRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "rds.amazonaws.com"
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: "RDSProxyPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "secretsmanager:*"
                Resource: "*"
In my lambda function I grant it permissions so that it can connect to the rds-proxy.

iam:
  role:
    statements:
      - Effect: "Allow"
        Action:
          - rds-db:connect
        Resource: '*'
      - Effect: "Allow"
        Action:
          - secretsmanager:*
        Resource: "*"
But when I run the lambda integrated with apigateway, I get a timeout. In addition, the aws console shows me the message: Function execution role: arn:aws:iam::#####:role/proyect-lambdaRole does not have permissions for the RDS proxy.
Check whether the policy attached to the lambda points to the correct ARN.
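The comment above asks whether the role's policy names the right ARN. As an added example (not code from the question or from AWS), this stdlib-only Python builds the rds-db:connect statement scoped to one proxy and one database user, and flags the Resource "*" grants in the question's Lambda role; the region, account id, proxy id and secret ARN are placeholders.

```python
import re

# Resource ARN that IAM evaluates for rds-db:connect against an RDS Proxy
# (format from the AWS docs on IAM authentication for RDS Proxy): it names the
# proxy *id* (prx-...), not the DBProxyName, plus the database user name.
RDS_DB_ARN = "arn:aws:rds-db:{region}:{account}:dbuser:{proxy_id}/{db_user}"
PROXY_ID_RE = re.compile(r"^prx-[0-9A-Za-z]+$")
# Action prefixes a Lambda role should never be granted on Resource "*".
NARROW_ACTIONS = ("rds-db:", "secretsmanager:")


def connect_statement(region, account, proxy_id, db_user):
    """Least-privilege rds-db:connect statement for one proxy and one DB user."""
    if not PROXY_ID_RE.match(proxy_id):
        raise ValueError(f"expected a proxy id like prx-0123456789abcdef0, got {proxy_id!r}")
    return {
        "Effect": "Allow",
        "Action": "rds-db:connect",
        "Resource": RDS_DB_ARN.format(region=region, account=account,
                                      proxy_id=proxy_id, db_user=db_user),
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(statements):
    """Return (action, resource) pairs where a NARROW_ACTIONS action is allowed on "*"."""
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.startswith(NARROW_ACTIONS):
                findings.append((action, "*"))
    return findings


# The Lambda role statements from the question, as Python dicts (constructed here).
QUESTION_STATEMENTS = [
    {"Effect": "Allow", "Action": ["rds-db:connect"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["secretsmanager:*"], "Resource": "*"},
]
# Scoped replacement; region, account id, proxy id and secret ARN are placeholders.
SCOPED_STATEMENTS = [
    connect_statement("us-east-1", "123456789012", "prx-0123456789abcdef0", "masterpassword"),
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:ProxySecret-AbCdEf"},
]
```

The database user in the ARN must match the username stored in the secret (here "masterpassword", taken from the question's SecretStringTemplate).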