- 最新
- 最多得票
- 最多評論
Hi,
When SnapStart is activated, the Java runtime automatically uses the container credentials (AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN) instead of the access key environment variables. Without SnapStart enabled it will use the environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN).
I suspect your code is setting the EnvironmentVariableCredentialsProvider credentials provider explicitly like:
Region region = Region.US_WEST_2;
DynamoDbClient ddb = DynamoDbClient.builder()
.region(region)
.credentialsProvider(EnvironmentVariableCredentialsProvider.create())
.build();
If you remove .credentialsProvider(EnvironmentVariableCredentialsProvider.create()) from the builder, the SDK will find the container credentials correctly when SnapStart is enabled.
More details can be found at: https://docs.aws.amazon.com/lambda/latest/dg/snapstart-activate.html#snapstart-credentials https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html#credentials-default
+1 to what Steve has answered
Please be noted that to make AWS SDK calls from your function, Lambda generates an ephemeral set of credentials by assuming your functions execution role. These credentials are available as environment variables during your function’s invocation but when SnapStart in activated, the Java runtime automatically uses the container credentials (AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN) instead of the access key environment variables. This prevents credentials from expiring before the function is restored [1].
Therefore, it is not advisable to rely on only the environment variable credentials provider in the SDK clients when SnapStart is activated.
[+] https://docs.aws.amazon.com/lambda/latest/dg/snapstart-activate.html#snapstart-credentials
相關內容
- 已提問 7 個月前
AWS 官方已更新 1 年前