Unable to load credentials from system settings. Lambda with snapStart Enabled

0

Good morning, I have a problem with a lambda function that, when I enable snapStart, doesn't read the AWS configuration variables. The error message is: 'Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId).' However, it works fine with snapStart set to 'none'.

vijarte
asked 6 months ago · 556 views
2 answers
1
Accepted answer

Hi,

When SnapStart is activated, the Java runtime automatically uses the container credentials (AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN) instead of the access key environment variables. Without SnapStart enabled it will use the environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN).

I suspect your code is setting the EnvironmentVariableCredentialsProvider credentials provider explicitly like:

Region region = Region.US_WEST_2;
DynamoDbClient ddb = DynamoDbClient.builder()
      .region(region)
      .credentialsProvider(EnvironmentVariableCredentialsProvider.create())
      .build();

If you remove .credentialsProvider(EnvironmentVariableCredentialsProvider.create()) from the builder, the SDK will find the container credentials correctly when SnapStart is enabled.

More details can be found at:
https://docs.aws.amazon.com/lambda/latest/dg/snapstart-activate.html#snapstart-credentials
https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html#credentials-default

AWS
Steve
answered 6 months ago
EXPERT
reviewed 2 months ago
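An added example, not code from the original post or from AWS: a handler built the way the answer above suggests, with no explicit credentials provider so the SDK's default chain is used, which reports which credential variables are present without exposing their values. The class name, the response keys and the `dynamodb:ListTables` permission on the execution role are assumptions.

```java
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.dynamodb.DynamoDbClient;

import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical handler name; not from the original post.
public class CredentialSourceHandler
        implements RequestHandler<Map<String, Object>, Map<String, Object>> {

    // No credentialsProvider(...) call: the SDK falls back to its default
    // provider chain, which covers both the access key environment variables
    // and the container credentials used when SnapStart is activated.
    private static final DynamoDbClient DDB = DynamoDbClient.builder()
            .region(Region.US_WEST_2)
            .build();

    // Reports only whether a variable is set, never its value, so that
    // nothing secret ends up in the response or in the logs.
    static boolean isSet(String name) {
        String value = System.getenv(name);
        return value != null && !value.isEmpty();
    }

    @Override
    public Map<String, Object> handleRequest(Map<String, Object> event, Context context) {
        Map<String, Object> out = new LinkedHashMap<>();
        out.put("accessKeyEnvVarSet", isSet("AWS_ACCESS_KEY_ID"));
        out.put("containerCredentialsUriSet", isSet("AWS_CONTAINER_CREDENTIALS_FULL_URI"));
        out.put("containerAuthTokenSet", isSet("AWS_CONTAINER_AUTHORIZATION_TOKEN"));

        // A signed call succeeds only if the chain resolved credentials.
        // Assumes the execution role allows dynamodb:ListTables.
        out.put("tableCount", DDB.listTables().tableNames().size());
        return out;
    }
}
```

Invoking it once with SnapStart set to 'none' and once with it enabled shows which of the two credential sources the runtime exposes in each mode.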
1

+1 to what Steve has answered

Please note that to make AWS SDK calls from your function, Lambda generates an ephemeral set of credentials by assuming your function's execution role. These credentials are available as environment variables during your function's invocation, but when SnapStart is activated, the Java runtime automatically uses the container credentials (AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN) instead of the access key environment variables. This prevents credentials from expiring before the function is restored [1].

Therefore, it is not advisable to rely on only the environment variable credentials provider in the SDK clients when SnapStart is activated.

[1] https://docs.aws.amazon.com/lambda/latest/dg/snapstart-activate.html#snapstart-credentials

AWS
SUPPORT ENGINEER
answered 6 months ago
EXPERT
reviewed 2 months ago
