【发布时间】:2020-12-08 08:47:10
【问题描述】:
这个问题与this有关:
设置:
账户 A(包含 SQS 队列)
账户B(包含将由账户A中的SQS队列触发的lambda函数)
这是账户 B 中的 lambda 资源策略
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-A:user/USER-ACCOUNT-A"
},
"Action": "lambda:*",
"Resource": "arn:aws:lambda:eu-north-1:ACCOUNT-B:function:FUNCTION-ACCOUNT-B"
},
{
"Effect": "Allow",
"Principal": {
"Service": "sqs.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:eu-north-1:ACCOUNT B:function:FUNCTION-ACCOUNT-B",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": ACCOUNT A
},
"ArnLike": {
"AWS:SourceArn": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-ACCOUNT A"
}
}
}
]
}
这是账户 A 中的 SQS 权限策略
"Statement": [
{
"Sid": "__owner_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-A:root"
},
"Action": "SQS:*",
"Resource": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-NAME-ACCOUNT-A"
},
{
"Sid": "__receiver_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-B:root"
},
"Action": [
"SQS:ChangeMessageVisibility",
"SQS:DeleteMessage",
"SQS:ReceiveMessage"
],
"Resource": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-NAME-ACCOUNT-A"
},
{
"Sid": "Permission to LambdaRole",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-B:role/LAMBDA-EXECUTION-ROLE-ACCOUNT-B"
},
"Action": [
"SQS:ChangeMessageVisibility",
"SQS:DeleteMessage",
"SQS:ReceiveMessage",
"SQS:GetQueueAttributes"
],
"Resource": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-NAME-ACCOUNT-A"
}
]
}
当账户 A 中的用户尝试从 SQS 添加 lambda 触发器时,出现以下 AccessDenied 错误:
Error code: AccessDeniedException. Error message: User: arn:aws:iam::xxxxxxxx:user/xxx is not authorized to perform: lambda:CreateEventSourceMapping on resource: *
我还尝试从 lambda 函数添加触发器(仅用于测试,因为这不是我想要的),但出现以下错误:
An error occurred when creating the trigger: The provided execution role does not have permissions to call GetQueueAttributes on SQS (Service: AWSLambda; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: xxx; Proxy: null)
我的 Lambda 角色拥有“AmazonSQSFullAccess”权限。所以我真的不知道这里发生了什么。
有人可以帮忙吗?
更新
我在 SQS 权限策略中发现了一个错误,并解决了第二个错误:
An error occurred when creating the trigger: The provided execution role does not have permissions to call GetQueueAttributes on SQS (Service: AWSLambda; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: xxx; Proxy: null)
但是,如前所述,我需要帐户 A 中的用户从 SQS 队列添加一个 lambda 触发器(这是我在上面发布的第一个错误),而不是相反。这可能吗?
【问题讨论】:
-
将完全访问策略附加到您正在使用的 Iam 角色
-
您能解释一下“完全访问策略”是什么意思吗?我已经拥有对我的 lambda 角色的 AmazonSQSFullAccess
-
“errorType”:“AccessDeniedException”,“errorMessage”:“用户:arn:aws:sts::522394378604:assumed-role/chequebooks-qr-dev-eu-central-1-lambdaRole/ chequebooks-qr-dev-QrCodeGenerator 无权执行:lambda:CreateEventSourceMapping on resource: *",
-
我遇到了错误,任何人都可以帮助我应用 sqs 和 lambda 完全访问策略
标签: amazon-web-services aws-lambda amazon-sqs