AWS Lambda函数未从ENV变量获取凭据(安全令牌无效)

Question

我有一个用Ruby语言编写的小的lambda函数，它在亚马逊网络服务上工作，但在本地显示ERROR: The security token included in the request is invalid。

此函数的目的是从DynamoDB表中读取内容。以下是该函数的重要部分：

require 'json'
require 'aws-sdk-dynamodb'

def lambda_handler(event:, context:)
  p 'AWS_ACCESS_KEY_ID: ' + ENV['AWS_ACCESS_KEY_ID']
  p 'AWS_SECRET_ACCESS_KEY: ' + ENV['AWS_SECRET_ACCESS_KEY']

  dynamodb = Aws::DynamoDB::Client.new(region: 'eu-north-1')

  ...

  dynamodb.get_item(payload).item

  ...
end

当我尝试使用sam local start-api在本地调用该函数时，我得到的结果是：

START RequestId: 56d1c0f0-cad8-45b8-9a95-344c06f0aea4 Version: $LATEST
"AWS_ACCESS_KEY_ID: AKI**************TPW"
"AWS_SECRET_ACCESS_KEY: 1ew****************************AAn"
Error raised from handler method
{
  "errorMessage": "The security token included in the request is invalid",
  "errorType": "Function<Aws::DynamoDB::Errors::UnrecognizedClientException>",
  "stackTrace": [
    "/var/runtime/gems/aws-sdk-core-3.121.0/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call'",
    "/var/runtime/gems/aws-sdk-dynamodb-1.63.0/lib/aws-sdk-dynamodb/plugins/simple_attributes.rb:119:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.121.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:22:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.121.0/lib/aws-sdk-core/plugins/idempotency_token.rb:19:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.121.0/lib/aws-sdk-core/plugins/param_converter.rb:26:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.121.0/lib/seahorse/client/plugins/request_callback.rb:71:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.121.0/lib/aws-sdk-core/plugins/response_paging.rb:12:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.121.0/lib/seahorse/client/plugins/response_target.rb:24:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.121.0/lib/seahorse/client/request.rb:72:in `send_request'",
    "/var/runtime/gems/aws-sdk-dynamodb-1.63.0/lib/aws-sdk-dynamodb/client.rb:3314:in `get_item'",
    "/var/task/units.rb:29:in `unit'"
  ]
}
END RequestId: 56d1c0f0-cad8-45b8-9a95-344c06f0aea4
REPORT RequestId: 56d1c0f0-cad8-45b8-9a95-344c06f0aea4  Init Duration: 0.06 ms  Duration: 685.33 ms Billed Duration: 700 ms Memory Size: 128 MB Max Memory Used: 128 MB 
Lambda returned empty body!

正如您所看到的，ENV变量被正确设置，因为它们被打印到控制台。

根据documentation的说法，设置这两个ENV变量应该足够了，但是看起来我遗漏了一些东西。

当我将实例化从

dynamodb = Aws::DynamoDB::Client.new(region: 'eu-north-1')

至

dynamodb = Aws::DynamoDB::Client.new(region: 'eu-north-1', credentials: Aws::Credentials.new(ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']))

然后，突然之间，lambda函数连接到DynamoDB就没有问题了。

如何让函数在本地连接到DynamoDB？假设我不想显式传递:credentials，因为这会破坏亚马逊网络服务上的函数(因为在亚马逊网络服务上，它使用AmazonDynamoDBFullAccess策略连接到dynamodb )

Answer 1

为什么你要通过你的申请通过AK/SK？SAM使用您的AWS Cli配置来连接到DynamoDB。因此，通常情况下，如果本地AK/SK有效，并且您具有访问DynamoDB表的正确IAM角色，则您的应用程序应该能够连接到DynamoDB。另一方面，在亚马逊网络服务上，lambda需要具有DynamoDB访问权限的IAM角色，因此不需要使用AK/SK作为环境变量。