Lambda creating ENI every time it is invoked: Hitting limit

My Lambda accesses resources in my VPC, so, as described in the docs, I gave the Lambda a role that lets it create network interfaces. I assumed the ENI would be reused, but it looks like a new ENI is being created on every invocation, which causes this error to be thrown:

Lambda was not able to create an ENI in the VPC of the Lambda function because the limit for Network Interfaces has been reached.

I searched Google but could not find the best way to solve this. Is there a better approach than manually deleting these network interfaces on a regular basis?

As Mark suggested, the problem was that my AWS Lambda did not have the DeleteNetworkInterface action specified in the role (policy) configured for the Lambda. After supplying the proper policy, Lambda now detaches and deletes the ENI when it is finished.

        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Resource": "*",
                    "Action": [
                        "ec2:DescribeInstances",
                        "ec2:CreateNetworkInterface",
                        "ec2:AttachNetworkInterface",
                        "ec2:DescribeNetworkInterfaces",
                        "ec2:DeleteNetworkInterface",
                        "ec2:DetachNetworkInterface",
                        "ec2:ModifyNetworkInterfaceAttribute",
                        "ec2:ResetNetworkInterfaceAttribute",
                        "autoscaling:CompleteLifecycleAction"
                    ]
                }
            ]
        }
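An added example (not from the answer above or from AWS) that audits an execution-role policy offline for the ENI lifecycle actions this thread shows a VPC-enabled Lambda needs; the REQUIRED_ACTIONS list, the wildcard matching and both sample policies are assumptions constructed for the check, and NotAction statements are not handled.

```python
import fnmatch
import json

# Actions needed for the ENI lifecycle; the thread shows that a missing
# ec2:DeleteNetworkInterface is what leaks ENIs. This list is an assumption
# for the checker, not the full contents of AWSLambdaVPCAccessExecutionRole.
REQUIRED_ACTIONS = (
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
)

def _as_list(value):
    # IAM allows a single string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions this policy does not allow or explicitly denies."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action", [])):
            for action in required:
                if _matches(pattern, action):
                    target.add(action)
    # An explicit Deny always wins over an Allow, as in IAM evaluation.
    return sorted(a for a in required if a not in allowed or a in denied)

# Constructed sample: the ENI-related part of the statement from the answer above.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2:DescribeInstances", "ec2:CreateNetworkInterface",
               "ec2:AttachNetworkInterface", "ec2:DescribeNetworkInterfaces",
               "ec2:DeleteNetworkInterface", "ec2:DetachNetworkInterface"]}]
}""")

# Constructed sample: a policy that can create ENIs but never delete them.
LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:CreateNetworkInterface",
                              "ec2:DescribeNetworkInterfaces"]}],
}

if __name__ == "__main__":
    print("fixed policy missing:", missing_actions(FIXED_POLICY))  # []
    print("leaky policy missing:", missing_actions(LEAKY_POLICY))  # ['ec2:DeleteNetworkInterface']
```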

AWS's official line (via their docs and support tickets) is to use the AWS managed policy AWSLambdaVPCAccessExecutionRole.

Excerpt from a private support ticket:

The role you are using in your Lambda function has an attached policy "AWSLambdaVPCAccessExecutionRole", which is an AWS managed policy for VPC-enabled Lambda functions. This policy contains all needed permissions and may be updated in future if new permissions are needed due to updates to the service.

It is also worth noting that it sometimes takes a few hours for detached ENIs to be reclaimed.