Published: 2019-05-11

by Janaka Bandara

Running around the block: a beginner meets AWS Lambda

Computing! It sure has a very long, vivid (and sometimes awkward) history. Some key milestones include:

  • The Egyptians, who to ease up a bit on their brains (and over tons of solid granite)

  • The Greeks and their that could track the movement of planets to .

  • Charles Babbage’s .

  • Alan Turing’s .

  • NASA’s .

  • Deep Blue Garry Kasparov, the Chess Grandmaster.

In line with all this, software application paradigms also have shifted dramatically. Starting from pure hardware-based programming, to monoliths, modularity, SOA, cloud, and now… serverless.

At this point in time, “serverless” generally means FaaS (functions-as-a-service). And FaaS literally means , both from points of view.

Hence, it is not an exaggeration to claim that the popularity of serverless development may be related to the ease of use of Lambdas. Or is it?

Well, Lambda has been around . It is already integrated into much of the AWS ecosystem, and is in production use at hundreds (if not thousands) of companies. So, Lambda should be pretty intuitive and easy to use, right?

Well, in my case, it seemed not.

And since “my case” was one of the official AWS examples, I’m not quite convinced Lambda is friendly enough for newbies to the picture.

For a start, I wanted to implement AWS’s own without following , to see how far I could get.

As a programmer, I naturally started with the . The code had by the generous AWS devs, so why reinvent the wheel? Copy, paste, save, run. Ta-da!

Hmm, looks like I need to grow up a bit.

The was eye-catching, with so many ready-made blueprints. Too bad it didn’t already have the S3 thumbnail generation example, or this story could have ended right here!

So I just went ahead with the “Author from scratch” option, using the name s3-thumbnail-generator.

Oh wait, what’s this “Role” thing? It’s required, too. Luckily, it has a “Create new role from template(s)” option, which would save my day.

Take it easy. “Role name”: s3-thumbnail-generator-role. But how about the "policy template"?

Perhaps I should find something S3-related, since my Lambda is all-S3.

Surprise! The only thing I get when I search for S3, is “S3 object read-only permissions”. Having no other option, I just snatched it. Let’s see how far I can get before I fall flat on my face!

Time to hit “Create function”.

Wow, their Lambda designer looks really cool!

“Congratulations! Your Lambda function “s3-thumbnail-generator” has been successfully created. You can now change its code and configuration. Click on the “Test” button to input a test event when you are ready to test your function.”

Okay, time for my copy-paste mission. “Copy” on the , Ctrl+A and Ctrl+V on the Lambda code editor. Simple!

All green (no reds). Good to know.

“Save”, and “Test”.

Oh, I should have known better. Yup, if I am going to “Test”, I need a “Test input”. Obviously.

I knew that testing my brand-new Lambda would not be as easy as that. But I didn’t expect having to put together a JSON-serialized event by hand.

Thankfully, the AWS devs had done a great job here as well, providing a ready-made “S3 Put” event template. So what else would I select?

As expected, the first run was a failure:

{
  "errorMessage": "Cannot find module 'async'",
  "errorType": "Error",
  "stackTrace": [
    "Function.Module._load (module.js:417:25)",
    "Module.require (module.js:497:17)",
    "require (internal/module.js:20:19)",
    "Object.<anonymous> (/var/task/index.js:2:13)",
    "Module._compile (module.js:570:32)",
    "Object.Module._extensions..js (module.js:579:10)",
    "Module.load (module.js:487:32)",
    "tryModuleLoad (module.js:446:12)",
    "Function.Module._load (module.js:438:3)"
  ]
}

Damn, I should have noticed those require lines.

And, either way, it's my bad. The page where I copied the sample code had a big fat title "Create a Lambda Deployment Package", and clearly explained how to bundle the sample into a Lambda-deployable zip.

So, I created a local directory containing my code, and the package.json, and ran an npm install (good thing I had node and npm preinstalled!).

Building, zipping and uploading the application was fairly easy, and hopefully I would not have to go through a zillion and one such cycles to get my Lambda working.

(BTW, I wish I could do this in their built-in editor itself. Too bad I could not figure out a way to add the dependencies.)

Anyway, time is ripe for my second test.

{
  "errorMessage": "Cannot find module '/var/task/index'",
  "errorType": "Error",
  "stackTrace": [
    "Function.Module._load (module.js:417:25)",
    "Module.require (module.js:497:17)",
    "require (internal/module.js:20:19)"
  ]
}

index? Where did that come from?

Wait… my bad, my bad.

Seems like the Handler parameter still holds the default value index.handler. In my case it should be CreateThumbnail.handler (filename.method).

Let’s give it another try.

Seriously? No way!

Ah, yes. The logs don’t lie.

2018-02-04T17:00:37.060Z	ea9f8010-09cc-11e8-b91c-53f9f669b596  Unable to resize sourcebucket/HappyFace.jpg and upload to  sourcebucketresized/resized-HappyFace.jpg due to an error:  AccessDenied: Access Denied
END RequestId: ea9f8010-09cc-11e8-b91c-53f9f669b596

Fair enough. I don’t have sourcebucket or sourcebucketresized, but probably someone else does. Hence the access denial. Makes sense.

So I created my own buckets, s3-thumb-input and s3-thumb-inputresized, edited my event input (thanks to the "Configure test event" drop-down) and tried again.

2018-02-04T17:06:26.698Z	bbf940c2-09cd-11e8-b0c7-f750301eb569  Unable to resize s3-thumb-input/HappyFace.jpg and upload to  s3-thumb-inputresized/resized-HappyFace.jpg due to an error:  AccessDenied: Access Denied

Access Denied? Again?

Luckily, based on the event input, I figured out that the 403 could actually be indicating a 404 (not found) error, since my bucket did not really contain a HappyFace.jpg file.

Hold on, dear reader, while I rush to the S3 console and upload my happy face into my new bucket. Just a minute!

Okay, ready for the next test round.

2018-02-04T17:12:53.028Z	a2420a1c-09ce-11e8-9506-d10b864e6462  Unable to resize s3-thumb-input/HappyFace.jpg and upload to  s3-thumb-inputresized/resized-HappyFace.jpg due to an error:  AccessDenied: Access Denied

The exact same error? Again? Come on!

It didn’t make sense to me. Why on Earth would my own Lambda running in my own AWS account not have access to my own S3 bucket?

Wait, could this be related to that execution role thing? The part where I blindly assigned S3 read-only permissions?

A bit of Googling led me to the extremely comprehensive . There, I learned that the Lambda executes under its own IAM role. I would have to manually configure the role based on what AWS services I would be using.

Worse still, in order to configure the role, I have to go all the way to the . Fortunately, this is already linked from the execution role drop-down menu. More importantly, it opens in a new tab.

Fingers crossed, till the custom role page loads.

Oh no… More JSON editing?

In the original guide, AWS devs seemed to have . But it was strange that there was no mention of S3 in there (except in the name). Did they miss something?

Okay, for the first time in history, I am going to create my own IAM role!

Bless those AWS engineers, a quick Googling revealed their jewel. Just the thing I need.

But getting rid of the JSON syntax solves only a little part of the problem. How can I know which permissions I need?

Google, buddy? Anything?

Ohh… Back into the AWS docs? Great…

Well, it wasn’t that bad, thanks to the .

Although it was somewhat overwhelming, I guessed what I needed was some permissions for “object operations”. Luckily, the doc had a nice table suggesting that I needed s3:GetObject and s3:PutObject (consistent with the s3.getObject(...) and s3.putObject(...) calls in the code).

After some thinking, I ended up with an “IAM Policy” with the above permissions on my bucket (named with the tedious syntax arn:aws:s3:::s3-thumb-input):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1517766308321",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::s3-thumb-inputresized"
    },
    {
      "Sid": "Stmt1517766328849",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::s3-thumb-input"
    }
  ]
}

I pasted and saved it on the IAM role editor (which automatically took me back to the Lambda console page — how nice!)

Try again…

Same error?!

Looking back at the S3 permissions doc, I noticed that the object permissions seem to involve an asterisk (/* suffix, probably indicating the files) under the resource name. So let's try that as well, with a new custom policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1517766308321",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::s3-thumb-inputresized/*"
    },
    {
      "Sid": "Stmt1517766328849",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::s3-thumb-input/*"
    }
  ]
}

Again! (this is starting to sound like ):

2018-02-04T17:53:45.484Z	57ce3a71-09d4-11e8-a2c5-a30ce229e8b7  Successfully resized s3-thumb-input/HappyFace.jpg and uploaded to  s3-thumb-inputresized/resized-HappyFace.jpg

WOO-HOO!!!

Believe it or not, a resized-HappyFace.jpg file had just appeared in my s3-thumb-inputresized bucket! Oh yeah!

Now, how can I configure my Lambda to automatically run when I drop a file into my bucket?

Thankfully, the Lambda console (with its intuitive “trigger-function-permissions” layout) made it crystal clear that what I wanted was an S3 trigger. So I added one, with “Object Created (All)” as the “Event Type” and “jpg” as the suffix, saved everything, and dropped a JPG file into my bucket right away.

Yup, works like a charm.

To see how long the whole process took (in actual execution, as opposed to the “tests”), I clicked the “logs” link on the (previous) execution result pane, and went into the newest “log stream” shown there. Nothing!

And more suspiciously, the last log in the newest log stream was an “access denied” log, although I had gotten past that point and even achieved a successful resize.

Maybe my latest change broke the logging ability of the Lambda?

Thanks to Google and , I found that my execution role needs to contain some logging related permissions as well.

Now, I remember there were some permissions in the permission editor text box when I started creating my custom role. Once again I was ignorant enough to paste my S3 policies right over them.

Another round of policy editing:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1517766308321",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::s3-thumb-inputresized/*"
    },
    {
      "Sid": "Stmt1517766328849",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::s3-thumb-input/*"
    },
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:*:*:*"
    }
  ]
}

Another file drop, and this time both the resize and the logs worked flawlessly… Finally!

Now that everything is straightened out, and my thumbnail is waiting in my destination bucket, I fired up my browser, typed http://s3-thumb-inputresized.s3.amazonaws.com/resized-HappyFace.jpg (in accordance with the ). I hit Enter, expecting a nice thumbnail in return.

<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  <RequestId>C8BAC3D4EADFF577</RequestId>
  <HostId>PRnGbZ2olpLi2eJ5cYCy0Wqliqq5j1OHGYvj/ HPmWqnBBWn5EMrfwSIrf2Y1LGfDT/7fgRjl5Io=</HostId>
</Error>

Already tired of that “AccessDenied” message!

Apparently, although my code generates the file, it does not make the file publicly accessible (but what good would a private thumbnail be, huh?)

Digging through the AWS docs, I soon discovered the , which allows the S3 uploaded file to be public. Hoping this would solve all problems on the planet, I quickly upgraded my code to set the file's ACL to public-read:

    s3.putObject({
        Bucket: dstBucket,
        Key: dstKey,
        Body: data,
        ContentType: contentType,
        ACL: 'public-read'
      },
      next);
  }

Saved the function, and hit Test:

2018-02-04T18:06:40.271Z	12e44f61-19fe-11e8-92e1-3f4fff4227fa  Unable to resize s3-thumb-input/HappyFace.jpg and upload to  s3-thumb-inputresized/resized-HappyFace.jpg due to an error:  AccessDenied: Access Denied

Again?? Are you kidding me?!

Fortunately, this time I knew enough to go straight into the , which promptly revealed that I also needed to have the s3:PutObjectAcl permission in my policy, in order to use the ACL parameter in my putObject call.

So another round trip to the policy editor, to the IAM dashboard, and back to the Lambda console.

2018-02-04T18:15:09.670Z	1d8dd7b0-19ff-11e8-afc0-138b93af2c40  Successfully resized s3-thumb-input/HappyFace.jpg and uploaded to  s3-thumb-inputresized/resized-HappyFace.jpg

And this time, to my great satisfaction, the browser happily showed me my happy face thumbnail when I fed the hosting URL http://s3-thumb-inputresized.s3.amazonaws.com/resized-HappyFace.jpg into it.
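
The two policy mistakes above (object actions granted on the bare bucket ARN, and an ACL parameter without s3:PutObjectAcl) can be caught before deploying. The following is an added example, not code from the original post or from AWS: a simplified, Allow-only model of IAM matching with hypothetical function names, run against the three policy attempts rebuilt from the article's bucket names.

```javascript
// Added example: a simplified model of IAM evaluation (Allow statements only;
// no Deny, Condition, NotAction or NotResource). Function names are hypothetical.

// IAM-style wildcard match: '*' is any run of characters, '?' is exactly one.
function wildcardMatch(pattern, value, ignoreCase) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  const source = '^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$';
  return new RegExp(source, ignoreCase ? 'i' : '').test(value);
}

const asList = (v) => (Array.isArray(v) ? v : [v]);
// True when some Allow statement covers both the action and the resource ARN.
function isAllowed(policy, action, resource) {
  return asList(policy.Statement).some((st) =>
    st.Effect === 'Allow' &&
    asList(st.Action).some((a) => wildcardMatch(a, action, true)) &&
    asList(st.Resource).some((r) => wildcardMatch(r, resource, false)));
}

// The S3 calls the thumbnail function makes. Object operations are authorised
// against the object ARN (bucket/key), never against the bare bucket ARN.
function requiredCalls(srcBucket, dstBucket, key, usesAcl) {
  const dstArn = `arn:aws:s3:::${dstBucket}/resized-${key}`;
  const calls = [
    ['s3:GetObject', `arn:aws:s3:::${srcBucket}/${key}`],
    ['s3:PutObject', dstArn],
  ];
  // putObject with an ACL parameter additionally needs s3:PutObjectAcl.
  if (usesAcl) calls.push(['s3:PutObjectAcl', dstArn]);
  return calls;
}

// Actions that would come back as AccessDenied under this policy.
function missingPermissions(policy, calls) {
  return calls.filter(([a, r]) => !isAllowed(policy, a, r)).map(([a]) => a);
}

// The article's three policy attempts, rebuilt from its bucket names.
const SRC = 'arn:aws:s3:::s3-thumb-input';
const DST = 'arn:aws:s3:::s3-thumb-inputresized';
const makePolicy = (suffix, dstActions) => ({
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: dstActions, Resource: DST + suffix },
    { Effect: 'Allow', Action: ['s3:GetObject'], Resource: SRC + suffix },
  ],
});
const bucketOnly = makePolicy('', ['s3:PutObject']);
const objectLevel = makePolicy('/*', ['s3:PutObject']);
const withAcl = makePolicy('/*', ['s3:PutObject', 's3:PutObjectAcl']);

const plain = requiredCalls('s3-thumb-input', 's3-thumb-inputresized', 'HappyFace.jpg', false);
const publicRead = requiredCalls('s3-thumb-input', 's3-thumb-inputresized', 'HappyFace.jpg', true);
console.log([bucketOnly, objectLevel, withAcl].map((p) => missingPermissions(p, publicRead)));
```

Because the check works on the exact object ARNs, it also shows that the `/*` grant on s3-thumb-input does not spill over to s3-thumb-inputresized, even though one bucket name is a prefix of the other.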

All in all, I’m satisfied that I was finally able to solve the puzzle on my own, by putting all the scattered pieces together.

But I cannot help imagining how cool it would have been if I could build my Lambda in freestyle, with AWS taking care of the roles, permissions and whatnot, on its own, without getting me to run around the block.

Maybe I should have followed that official guide, right from the start…

… but, then again, where’s the fun in that?! :)
