2017-10-14 651 views
0

I am trying to deploy a lambda function to multiple AWS accounts and regions using CloudFormation StackSets, but it fails with the following error: CloudFormation StackSet S3 error: region 'us-east-1' is wrong; expecting 'ap-southeast-1'

ResourceLogicalId:OfficeHoursAutoScalingStart, ResourceType:AWS::Lambda::Function, ResourceStatusReason:Error occurred while GetObject. S3 Error Code: AuthorizationHeaderMalformed. S3 Error Message: The authorization header is malformed; the region 'us-east-1' is wrong; expecting 'ap-southeast-1'

It looks like a permissions thing? How can I fix this?

My template:

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Skynet. AWS Management Assistant'
Parameters:
  AppName:
    Type: String
    Description: Prefix for resources
    Default: skynet-lambda-stackset
  ArtifactsBucket:
    Type: String
    Description: S3 bucket storing lambda function zip
  ArtifactZipPath:
    Type: String
    Description: Path to lambda function zip
  CostCenter:
    Type: String
    Description: Cost center
    Default: Admin
  Owner:
    Type: String
    Description: Owner
    Default: Jiew Meng

Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${AppName}-lambda'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
                - apigateway.amazonaws.com
            Action:
              - sts:AssumeRole
      # Broad AWS managed policies shared by every function below; scope them
      # down to the API calls each handler actually makes once those are known.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonEC2FullAccess'
        - 'arn:aws:iam::aws:policy/AWSLambdaFullAccess'
        - 'arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess'
        - 'arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess'
        - 'arn:aws:iam::aws:policy/CloudWatchLogsFullAccess'

  NewEc2AutoTag:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        # The same bucket and key are used in every region the StackSet deploys to
        S3Bucket: !Ref ArtifactsBucket
        S3Key: !Ref ArtifactZipPath
      Handler: ec2/newEc2_autoTag.handler
      Runtime: nodejs6.10
      FunctionName: 'NewEC2_AutoTag'
      Description: 'Auto tag new EC2 instances with Owner tag'
      Timeout: 30
      Role: !GetAtt LambdaRole.Arn
      Tags:
        - Key: Cost Center
          Value: !Ref CostCenter
        - Key: Owner
          Value: !Ref Owner

  NewEc2Event:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub ${AppName}-newEc2
      Description: On new EC2 instance created
      EventPattern:
        source:
          - 'aws.ec2'
        detail-type:
          - 'AWS API Call via CloudTrail'
        detail:
          eventName:
            - RunInstances
      # Rule targets are objects with Arn and Id; a bare !Ref to the function is not valid here.
      # Each target function also needs an AWS::Lambda::Permission that lets events.amazonaws.com invoke it.
      Targets:
        - Arn: !GetAtt NewEc2AutoTag.Arn
          Id: NewEc2AutoTag

  AfterhoursEc2Shutdown:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Ref ArtifactsBucket
        S3Key: !Ref ArtifactZipPath
      Handler: ec2/afterHours_shutdown.handler
      Runtime: nodejs6.10
      FunctionName: 'Afterhours_Shutdown'
      Description: 'Shutdown instances tagged Auto Shutdown: true'
      Timeout: 30
      Role: !GetAtt LambdaRole.Arn
      Tags:
        - Key: Cost Center
          Value: !Ref CostCenter
        - Key: Owner
          Value: !Ref Owner

  AfterHoursEvent:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub ${AppName}-afterHours
      Description: Triggered on weekdays 2400 SGT
      # Day-of-week names are three letters (THU, not THUR)
      ScheduleExpression: cron(0 16 ? * MON,TUE,WED,THU,FRI *)
      Targets:
        - Arn: !GetAtt AfterhoursEc2Shutdown.Arn
          Id: AfterhoursEc2Shutdown
        - Arn: !GetAtt AfterhoursAutoScalingShutdown.Arn
          Id: AfterhoursAutoScalingShutdown

  OfficeHoursEc2Start:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Ref ArtifactsBucket
        S3Key: !Ref ArtifactZipPath
      Handler: ec2/officeHours_start.handler
      Runtime: nodejs6.10
      FunctionName: 'OfficeHours_Start'
      Description: 'Starts instances with Auto Shutdown: true'
      Timeout: 30
      Role: !GetAtt LambdaRole.Arn
      Tags:
        - Key: Cost Center
          Value: !Ref CostCenter
        - Key: Owner
          Value: !Ref Owner

  OfficeHoursEvent:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub ${AppName}-officeHours
      Description: Triggered on 7AM SGT weekdays
      ScheduleExpression: cron(0 23 ? * SUN,MON,TUE,WED,THU *)
      Targets:
        - Arn: !GetAtt OfficeHoursEc2Start.Arn
          Id: OfficeHoursEc2Start
        - Arn: !GetAtt OfficeHoursAutoScalingStart.Arn
          Id: OfficeHoursAutoScalingStart

  StartedEc2ConfigureDns:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Ref ArtifactsBucket
        S3Key: !Ref ArtifactZipPath
      Handler: ec2/started_configureDns.handler
      Runtime: nodejs6.10
      FunctionName: 'StartedEc2_ConfigureDns'
      Description: 'When EC2 started, configure DNS if required'
      Timeout: 30
      Role: !GetAtt LambdaRole.Arn
      Tags:
        - Key: Cost Center
          Value: !Ref CostCenter
        - Key: Owner
          Value: !Ref Owner

  Ec2StartedEvent:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub ${AppName}-ec2-started
      Description: Triggered on EC2 starts
      EventPattern:
        source:
          - 'aws.ec2'
        detail-type:
          - 'EC2 Instance State-change Notification'
        detail:
          state:
            - running
      Targets:
        - Arn: !GetAtt StartedEc2ConfigureDns.Arn
          Id: StartedEc2ConfigureDns

  AfterhoursAutoScalingShutdown:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Ref ArtifactsBucket
        S3Key: !Ref ArtifactZipPath
      Handler: autoscaling/afterHours_shutdown.handler
      Runtime: nodejs6.10
      FunctionName: 'Afterhours_AutoScalingShutdown'
      Description: 'Scales down autoscaling groups tagged Auto Shutdown: true'
      Timeout: 30
      Role: !GetAtt LambdaRole.Arn
      Tags:
        - Key: Cost Center
          Value: !Ref CostCenter
        - Key: Owner
          Value: !Ref Owner

  OfficeHoursAutoScalingStart:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Ref ArtifactsBucket
        S3Key: !Ref ArtifactZipPath
      Handler: autoscaling/officeHours_start.handler
      Runtime: nodejs6.10
      FunctionName: 'OfficeHours_AutoScalingStart'
      Description: 'Scales up auto scaling groups that are scaled down to 0 and tagged autostart: true'
      Timeout: 30
      Role: !GetAtt LambdaRole.Arn
      Tags:
        - Key: Cost Center
          Value: !Ref CostCenter
        - Key: Owner
          Value: !Ref Owner

  NewAutoScalingGroupEvent:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub ${AppName}-autoscaling-new
      Description: Triggered when new autoscaling group created
      EventPattern:
        source:
          - 'aws.autoscaling'
        detail-type:
          - 'AWS API Call via CloudTrail'
        detail:
          eventName:
            - CreateAutoScalingGroup
      Targets:
        - Arn: !GetAtt NewAutoScalingGroupAutoTag.Arn
          Id: NewAutoScalingGroupAutoTag

  NewAutoScalingGroupAutoTag:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Ref ArtifactsBucket
        S3Key: !Ref ArtifactZipPath
      Handler: autoscaling/new_autoTag.handler
      Runtime: nodejs6.10
      FunctionName: 'NewAutoScalingGroup_AutoTag'
      Description: 'Tags new autoscaling groups with owner and autoshutdown tags if not existing'
      Timeout: 30
      Role: !GetAtt LambdaRole.Arn
      Tags:
        - Key: Cost Center
          Value: !Ref CostCenter
        - Key: Owner
          Value: !Ref Owner

Answer

2

It looks like you have created the S3 bucket (the one referenced by the ArtifactsBucket parameter in the template) in the AWS region ap-southeast-1.

With AWS StackSets, you have selected us-east-1 as one of the regions in the deployment order.

AWS StackSets pass the SAME parameters to all the stacks they try to create across multiple regions/accounts.

So when it tries to create the lambda function OfficeHoursAutoScalingStart in the us-east-1 region, it tries to access the S3 bucket (GetObject request) with the same bucket name in us-east-1 itself.

I.e. it assumes that the S3 bucket with the name passed through the ArtifactsBucket parameter exists in us-east-1 itself. But since the lambda function's source code actually lives in a bucket in region ap-southeast-1, the header malformed error is thrown. In this case the bucket name matches, but the region does not.

Currently, when you create a lambda function with CloudFormation, there is a limitation that the S3 bucket containing your Lambda function source code must be in the same region as the STACK you are creating. Doc Reference Link

If that is the problem, then as a workaround you could consider creating S3 buckets in the required regions (with the region name as a prefix of the bucket name) and using them in the template based on the region.

Example: 
us-east-1-lambdabkt 
us-east-2-lambdabkt 
ap-southeast-1-lambdabkt 
+0

I have resolved the error with your suggestion. But now I am running into another permissions error: https://stackoverflow.com/questions/46751355/aws-cloudformation-stackset-s3-accessdenied Maybe you can help too :) –
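A pre-deployment check for the problem the answer describes, added here as an example (it is not code from the question or the answer): it resolves each Lambda function's Code.S3Bucket for every region a StackSet would deploy to and flags buckets that live in a different region than the stack. The template dicts and the BUCKET_REGIONS table are constructed sample data; the table stands in for what s3:GetBucketLocation would return.

```python
# Added example (not from the page): flag Lambda code buckets in the wrong region.
from typing import Dict, List

BUCKET_REGIONS = {                          # constructed stand-in for GetBucketLocation
    "skynet-artifacts": "ap-southeast-1",     # one shared bucket, as in the question
    "us-east-1-lambdabkt": "us-east-1",       # per-region buckets, as in the answer
    "us-east-2-lambdabkt": "us-east-2",
    "ap-southeast-1-lambdabkt": "ap-southeast-1",
}

def lambda_template(bucket_value) -> dict:
    """Minimal template with one function whose Code.S3Bucket is bucket_value."""
    return {"Resources": {"OfficeHoursAutoScalingStart": {
        "Type": "AWS::Lambda::Function",
        "Properties": {"Code": {"S3Bucket": bucket_value, "S3Key": "skynet.zip"}}}}}

# Before: the same parameter value goes to every region in the StackSet.
SINGLE_BUCKET = lambda_template({"Ref": "ArtifactsBucket"})
# After: bucket name derived from the region the stack instance runs in.
REGIONAL_BUCKET = lambda_template({"Fn::Sub": "${AWS::Region}-lambdabkt"})

def resolve_bucket(value, region: str, params: Dict[str, str]) -> str:
    """Resolve a literal, Ref or Fn::Sub S3Bucket value for one stack region."""
    if isinstance(value, str):
        return value
    if "Ref" in value:
        return region if value["Ref"] == "AWS::Region" else params[value["Ref"]]
    if "Fn::Sub" in value:
        text = value["Fn::Sub"].replace("${AWS::Region}", region)
        for name, val in params.items():
            text = text.replace("${%s}" % name, val)
        return text
    raise ValueError("unsupported intrinsic: %r" % (value,))

def find_region_mismatches(template: dict, params: Dict[str, str],
                           target_regions: List[str], bucket_regions=BUCKET_REGIONS) -> list:
    """(logical_id, stack_region, bucket, bucket_region) for each bucket in the wrong region."""
    problems = []
    for logical_id, res in template["Resources"].items():
        if res.get("Type") != "AWS::Lambda::Function":
            continue
        code = res["Properties"].get("Code", {})
        if "S3Bucket" not in code:
            continue                         # inline ZipFile code has no bucket to check
        for region in target_regions:
            bucket = resolve_bucket(code["S3Bucket"], region, params)
            bucket_region = bucket_regions.get(bucket)   # None: bucket does not exist
            if bucket_region != region:
                problems.append((logical_id, region, bucket, bucket_region))
    return problems
```

Run it against the real template by loading the YAML into a dict and replacing BUCKET_REGIONS with live GetBucketLocation results; an empty list means every stack instance will read its code from a bucket in its own region.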
