【问题标题】:Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied访问资源 https://sqs.us-east-1.amazonaws.com/ 被拒绝
【发布时间】:2019-12-20 13:30:43
【问题描述】:

关于这个错误网上有很多讨论，但是都没有解释清楚我遇到的情况。先说明我的配置：

下面是为 lambda(AWS::Serverless::Function) 创建的执行角色:

{
  "permissionsBoundary": {
    "permissionsBoundaryArn": "arn:aws:iam::111222333444:policy/some-permission-boundary",
    "permissionsBoundaryType": "Policy"
  },
  "roleName": "some-role-WebhookSampleFunctionRol-6Z7GFHJYHO0T",
  "policies": [
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "*"
          }
        ]
      },
      "name": "AWSLambdaBasicExecutionRole",
      "id": "ANDDDDDC42545SKXIK",
      "type": "managed",
      "arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
    }
  ],
  "trustedEntities": [
    "lambda.amazonaws.com"
  ]
}

其中权限边界 some-permission-boundary 的内容如下：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111222333444:log-group:*"
            ],
            "Effect": "Allow",
        },
        {
            "Action": [
                "sqs:*"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:*:*"
            ],
            "Effect": "Allow",
        }
    ]
}

lambda 执行以下操作:

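/**
 * Serialize `message` as JSON and publish it to the SQS queue named by the
 * `queueUrl` environment variable.
 *
 * Relies on an `sqs` client (AWS SDK v2 callback API) that is created outside
 * this function — presumably `new AWS.SQS(...)`; confirm in the caller.
 * The Lambda execution role must allow `sqs:SendMessage` on the target queue,
 * and that permission must also fall inside the role's permissions boundary;
 * otherwise the SDK rejects with an AccessDenied error.
 *
 * @param {*} message  Any JSON-serializable value; becomes the MessageBody.
 * @returns {Promise<object>} Resolves with the SDK response (MessageId, etc.)
 *   on success; rejects with the SDK error on failure, or with a descriptive
 *   Error up front when `queueUrl` is not configured.
 */
async function sendToQueue(message) {
  const queueUrl = process.env.queueUrl;
  // Fail fast with a clear message instead of letting the SDK surface a
  // confusing "missing required key QueueUrl" / malformed-URL error.
  if (!queueUrl) {
    throw new Error('sendToQueue: the queueUrl environment variable is not set');
  }
  const params = {
    MessageBody: JSON.stringify(message),
    QueueUrl: queueUrl
  };
  // Wrap the callback API in a promise; resolve with `data` so callers can
  // inspect MessageId / MD5OfMessageBody instead of having them discarded.
  return new Promise((resolve, reject) => {
    sqs.sendMessage(params, (error, data) => (error ? reject(error) : resolve(data)));
  });
}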

给出错误:

"errorMessage": "Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.",
    "errorType": "AccessDenied",

我们已经在 some-permission-boundary 中为该账户内的任意队列授予了 sqs:* 操作。


为什么 lambda 无法将消息发送到队列?

【问题讨论】:

    标签: amazon-web-services aws-lambda amazon-iam amazon-sqs


    【解决方案1】:

    权限边界是一项高级功能，它通过一个托管策略来设定基于身份的策略最多能授予某个 IAM 实体的权限上限。

    设置了权限边界的实体只能执行那些同时被其基于身份的策略和其权限边界允许的操作；权限边界本身不授予任何权限。

    来源:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

    您确实在权限边界中包含了 sqs:*，但 Lambda 执行角色上只附加了 AWSLambdaBasicExecutionRole，其中没有任何与 sqs 相关的操作。实际生效的权限是两者的交集，所以对 SQS 的调用被拒绝。

    您应该将具有 sqs 权限的策略附加到您的 Lambda 执行角色。下面的示例沿用了边界里的 sqs:*，但按最小权限原则，这个函数只调用 sendMessage，更合适的做法是只授予 sqs:SendMessage 并把 Resource 限定为目标队列的 ARN。另外注意示例中 "Effect": "Allow" 后面多了一个逗号，复制时请删掉，否则 IAM 会拒绝这份策略：

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "sqs:*"
                ],
                "Resource": [
                    "arn:aws:sqs:us-east-1:*:*"
                ],
                "Effect": "Allow",
            }
        ]
    }
    

    【讨论】:

    • 你的意思是，实际生效的规则是基于身份的策略与权限边界两者规则的交集（intersection），正如答案中所说？
    • 是的。例如，您可以在角色策略的语句中把 Resource 指定为 `*`，而在边界策略的语句中把 Resource 指定为 `arn:aws:sqs:us-east-1:*:*`。这样实际生效的权限就是 `arn:aws:sqs:us-east-1:*:*`，也就是 `*` 与 `arn:aws:sqs:us-east-1:*:*` 的交集。
    • 有没有为 Lambda 附加这种策略的示例 SAM 模板可以参考？
    【解决方案2】:

    我在使用 Serverless Framework 时遇到了同样的错误，不过是在部署阶段。控制台中抛出的是：

    `API: sqs:CreateQueue Access to the resource https://sqs.eu-west-1.amazonaws.com/ is denied.`
    

    我在 Serverless 部署所用的自定义角色中补充了权限。下面是我给该部署身份使用的权限策略（希望对你有帮助）：

    {
       "Version": "2012-10-17",
       "Statement": [
        {
            "Action": [
                "apigateway:*",
                "cloudformation:CancelUpdateStack",
                "cloudformation:ContinueUpdateRollback",
                "cloudformation:CreateChangeSet",
                "cloudformation:CreateStack",
                "cloudformation:CreateUploadBucket",
                "cloudformation:DeleteStack",
                "cloudformation:Describe*",
                "cloudformation:EstimateTemplateCost",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:Get*",
                "cloudformation:List*",
                "cloudformation:UpdateStack",
                "cloudformation:UpdateTerminationProtection",
                "cloudformation:ValidateTemplate",
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeTable",
                "dynamodb:DescribeTimeToLive",
                "dynamodb:UpdateTimeToLive",
                "ec2:AttachInternetGateway",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateInternetGateway",
                "ec2:CreateNetworkAcl",
                "ec2:CreateNetworkAclEntry",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteNetworkAcl",
                "ec2:DeleteNetworkAclEntry",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSubnet",
                "ec2:DeleteVpc",
                "ec2:Describe*",
                "ec2:DetachInternetGateway",
                "ec2:ModifyVpcAttribute",
                "events:DeleteRule",
                "events:DescribeRule",
                "events:ListRuleNamesByTarget",
                "events:ListRules",
                "events:ListTargetsByRule",
                "events:PutRule",
                "events:PutTargets",
                "events:RemoveTargets",
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetRole",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iot:CreateTopicRule",
                "iot:DeleteTopicRule",
                "iot:DisableTopicRule",
                "iot:EnableTopicRule",
                "iot:ReplaceTopicRule",
                "kinesis:CreateStream",
                "kinesis:DeleteStream",
                "kinesis:DescribeStream",
                "lambda:*",
                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents",
                "logs:GetLogEvents",
                "logs:PutLogEvents",
                "logs:PutSubscriptionFilter",
                "logs:CreateLogStream",
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteBucketPolicy",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:PutBucketNotification",
                "s3:PutBucketPolicy",
                "s3:PutBucketTagging",
                "s3:PutBucketWebsite",
                "s3:PutEncryptionConfiguration",
                "s3:PutObject",
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:GetSubscriptionAttributes",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptions",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "sns:SetSubscriptionAttributes",
                "sns:SetTopicAttributes",
                "sns:Subscribe",
                "sns:Unsubscribe",
                "sqs:CreateQueue",
                "sqs:ReceiveMessage",
                "sqs:DeleteMessage",
                "sqs:GetQueueAttributes",
                "states:CreateStateMachine",
                "states:DeleteStateMachine"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]}
    

    Serverless Framework 文档推荐的就是这组权限（其中并不包含 sqs:*，所以我另外加了 sqs:CreateQueue 等操作）。需要注意两点：第一，这里的错误发生在部署时的 sqs:CreateQueue，与题主运行时 sendMessage 被拒绝并不是同一个问题；第二，这份策略在 Resource 为 * 的情况下授予了 iam:CreateRole、iam:PassRole 和 lambda:*，持有它的部署身份实际上可以创建任意角色并把它传给任意 Lambda，等同于近乎完全的账户权限，生产环境中应当按实际需要收窄资源范围。

    【讨论】:
